Re: [ossec-list] Re: OSSEC: Real time file monitoring not starting

2018-02-23 Thread temp . email . ith
So what is the difference, between say, the frequency parameter 
in the ossec.conf file on the Server and the agent.conf file that 
eventually gets uploaded to the Agent? I was under the impression that the 
frequency setting in ossec.conf would be used locally if the Server were 
performing syschecks on itself. What if the frequency in ossec.conf and 
agent.conf differ? How often will the Agent perform a syscheck on itself? 
The parameter in ossec.conf or agent.conf?


On Friday, February 23, 2018 at 10:46:24 AM UTC-8, Santiago Bassett wrote:
>
> That goes on the manager ossec.conf
>
> The manager takes care of analyzing syscheck data received from the 
> agents, and generates alerts.
>
> I hope it helps
>
> Santiago Bassett
> @santiagobassett
>
> On Feb 23, 2018, at 9:59 AM, temp.em...@gmail.com  wrote:
>
> Hi Santiago, I just came across your post. Are you saying that the 
> auto_ignore and alert_new_files goes in /var/ossec/etc/ossec.conf on the 
> manager OR in /var/ossec/etc/shared/agent.conf on the manager? Obviously, 
> the latter will eventually be placed on the Agent. I thought that 
> /var/ossec/etc/ossec.conf (on the manager) only applied to syscheck 
> settings locally (in this case, the manager) and that agent.conf would 
> control what happens on the Agents. This is a little confusing.
>
>
>
> On Thursday, November 12, 2015 at 5:44:56 PM UTC-8, Santiago Bassett wrote:
>>
>> Are you using scan_on_start option? Remember realtime won't work until 
>> first syscheck is done.
>>
>> I also recommend using alert_new_files and setting auto_ignore to "no" (this 
>> goes on the manager).
>>
>> A useful troubleshooting tip is to enable debug for syscheck on the agent 
>> (internal_options.conf file).
>>
>> Best
>>
>> On Wed, Nov 11, 2015 at 12:59 PM, Jenia Jenia  wrote:
>>
>>> I've checked, I have the /usr/include/linux/inotify.h and I have 
>>> -DUSEINOTIFY.
>>>
>>> I do have the "Real time file monitoring started.", which I simply 
>>> didn't notice.
>>>
>>> However, the problem is that it looks like real time notifications are 
>>> working inconsistently, i.e. if I, let's say, "apt-get install ...some 
>>> package", I get the notification right away, and also when I restart OSSEC I get 
>>> an email immediately, BUT when I modify /etc/hosts or some other file that 
>>> has the "realtime" parameter in "directories" then I only get a notification 
>>> when ossec-syscheckd runs as scheduled.
>>>
>>> Any ideas?
>>>
>>>
>>>
>>>
>>> On Wednesday, November 11, 2015 at 9:09:45 PM UTC+2, Jb Cheng wrote:

 Realtime syscheck uses the INOTIFY feature on Linux systems. The Makeall 
 file checks for the existence of a header file. Please see if your Ubuntu system 
 has one of the following:

 # Checking for inotify
 if [ "X$OS" = "XLinux" ]; then
     if [ -e /usr/include/sys/inotify.h ]; then
         echo "EEXTRA=-DUSEINOTIFY" >> Config.OS
     elif [ -e /usr/include/linux/inotify.h ]; then
         echo "EEXTRA=-DUSEINOTIFY" >> Config.OS
     fi
     LUA_PLAT="posix"
 fi

 If it works, the Config.OS file will contain the '-DUSEINOTIFY' compilation 
 directive. Please check it.

 Documentation is available at: 
 http://ossec-docs.readthedocs.org/en/latest/manual/syscheck/#real-time-monitoring
  
 Good luck!

 On Wednesday, November 11, 2015 at 4:48:09 AM UTC-8, Jenia Jenia wrote:

 Hi Guys!
> I've installed and configured OSSEC to get real time notifications, 
> but when I modify for instance /etc/passwd or /etc/hosts I don't get a real 
> time notification.
> Scheduled notifications are working; I receive events to my email.
>
> In addition, the documentation says that in ossec.log there should be a 
> line "Real time file monitoring started.", which I never get.
>
> Please advise
>
>  
> yes
> jen...@gmail.com
> mx.yandex.net.
> ossecm@myserver
>   
>   
>   
> jen...@gmail.com
> 550, 553, 554
> 
>   
>
>   
>  check_all="yes">/etc,/usr/bin,/usr/sbin
>
> yes
> no
> no
>
> -- 
>>>
>>> --- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to ossec-list+...@googlegroups.com.
>>> For more options, visit https://groups.google.com/d/optout.
>>>

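As an added troubleshooting helper (not code from OSSEC or from anyone in this thread), the following POSIX shell script bundles the checks the thread walks through: the Makeall-style inotify header probe, the -DUSEINOTIFY directive in Config.OS, a realtime="yes" directory in the syscheck config, and the "Real time file monitoring started." line in ossec.log that only appears once the first scan has finished. The script name and the argument order are my own; all paths are passed in so it can be run against copies of the files.

```shell
#!/bin/sh
# Added helper, not part of OSSEC: runs the realtime-syscheck checks the
# thread walks through against files whose paths are given as arguments.

# Mirror of the Makeall probe: true when an inotify header exists under
# the include root in $1 (defaults to /usr/include).
inotify_header_present() {
    inc="${1:-/usr/include}"
    [ -e "$inc/sys/inotify.h" ] || [ -e "$inc/linux/inotify.h" ]
}

# True when the build recorded the -DUSEINOTIFY directive. $1 = Config.OS
build_has_inotify() {
    grep -q 'EEXTRA=.*-DUSEINOTIFY' "$1" 2>/dev/null
}

# True when at least one <directories> entry carries realtime="yes".
# $1 = ossec.conf or agent.conf; without it only scheduled scans alert.
config_has_realtime_dirs() {
    grep -q '<directories[^>]*realtime="yes"' "$1" 2>/dev/null
}

# True once syscheckd has logged that realtime monitoring started. The
# line appears only after the first full scan completes; until then an
# edit to /etc/hosts is reported by the scheduled scan. $1 = ossec.log
realtime_started() {
    grep -q 'Real time file monitoring started' "$1" 2>/dev/null
}

# Runs every check, prints one verdict per line and returns 0 only when
# all pass. Args: include root, Config.OS, ossec.conf, ossec.log
realtime_diagnose() {
    rc=0
    for check in "inotify_header_present $1" "build_has_inotify $2" \
                 "config_has_realtime_dirs $3" "realtime_started $4"; do
        if $check; then
            echo "ok   : $check"
        else
            echo "FAIL : $check"
            rc=1
        fi
    done
    return $rc
}
# Usage: sh realtime_check.sh /usr/include src/Config.OS \
#            /var/ossec/etc/ossec.conf /var/ossec/logs/ossec.log
if [ "$#" -eq 4 ]; then
    realtime_diagnose "$1" "$2" "$3" "$4"
fi
```
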
Re: [ossec-list] Re: OSSEC: Real time file monitoring not starting

2018-02-23 Thread Santiago Bassett
That goes on the manager ossec.conf

The manager takes care of analyzing syscheck data received from the agents, and 
generates alerts.

I hope it helps

Santiago Bassett
@santiagobassett



Re: [ossec-list] Re: OSSEC: Real time file monitoring not starting

2018-02-23 Thread temp . email . ith
Hi Santiago, I just came across your post. Are you saying that the 
auto_ignore and alert_new_files goes in /var/ossec/etc/ossec.conf on the 
manager OR in /var/ossec/etc/shared/agent.conf on the manager? Obviously, 
the latter will eventually be placed on the Agent. I thought that 
/var/ossec/etc/ossec.conf (on the manager) only applied to syscheck 
settings locally (in this case, the manager) and that agent.conf would 
control what happens on the Agents. This is a little confusing.





Re: [ossec-list] Re: OSSEC: Real time file monitoring not starting

2015-11-12 Thread Santiago Bassett
Are you using scan_on_start option? Remember realtime won't work until
first syscheck is done.

I also recommend using alert_new_files and setting auto_ignore to "no" (this
goes on the manager).

A useful troubleshooting tip is to enable debug for syscheck on the agent
(internal_options.conf file).

Best
