Once I turned on "alert_new_files" I started getting alerts - things appear
to be working now.
Is there any way to completely disable the logcollector daemon? We have
another process that does that job so no need to have that bit running -
removing the "" section doesn't seem to do the trick.
On Saturday, March 4, 2017 at 12:12:49 PM UTC-6, dan (ddpbsd) wrote:
>
> On Fri, Mar 3, 2017 at 5:29 PM, Sam Gardner <lwne...@gmail.com
> > wrote:
> > Thanks for the info - I'd like to explore what I can actually do with OSSEC
> > and do my due diligence before exploring other options.
> >
> > I've spun up the following conf file and am running ossec-analysisd and
> > ossec-syscheckd only - they seem to be healthy, but I'm not getting
> > anything in /var/ossec/logs/alerts when I fiddle with stuff in /usr/bin.
> >
> > Any idea what might be going on? As far as I can tell syscheckd is
> > configured to realtime monitor /usr/bin (and inotify works on this system),
> > so my understanding is that I should be getting _something_ logged
> > somewhere - am I fundamentally misunderstanding something?
> >
> >
> > no
> >
> >
> >
> > rules_config.xml
> > ossec_rules.xml
> >
> >
> >
> > 72000
> >
> > > check_all="yes">/usr/bin,/usr/sbin
> >
> >
> > /etc/mtab
> > /etc/hosts.deny
> > /etc/mail/statistics
> > /etc/random-seed
> > /etc/adjtime
> > /etc/httpd/logs
> >
> >
> > /etc/ssl/private.key
> >
> >
> >
> > yes
> >
> >
> >
> > yes
> >
> >
> >
> > 1
> > 7
> >
> >
> >
> >
> > yes
> >
> >
> >
> > Analysisd and syscheckd appear to start up just fine:
> > 2017/03/03 22:06:26 ossec-analysisd: DEBUG: Starting ...
> > 2017/03/03 22:06:26 ossec-analysisd: DEBUG: Found user/group ...
> > 2017/03/03 22:06:26 ossec-analysisd: DEBUG: Active response initialized ...
> > 2017/03/03 22:06:26 adding rule: rules_config.xml
> > 2017/03/03 22:06:26 adding rule: ossec_rules.xml
> > 2017/03/03 22:06:26 ossec-analysisd: DEBUG: Read configuration ...
> > 2017/03/03 22:06:26 ossec-analysisd: Initializing PF decoder..
> > 2017/03/03 22:06:26 ossec-analysisd: Initializing SonicWall decoder..
> > 2017/03/03 22:06:26 ossec-analysisd: Initializing SymantecWS decoder..
> > 2017/03/03 22:06:26 ossec-analysisd: Initializing OSSECAlert decoder.
> > 2017/03/03 22:06:26 ossec-analysisd: Initializing OSSECAlert decoder.
> > 2017/03/03 22:06:26 ossec-analysisd: INFO: Reading local decoder file.
> > 2017/03/03 22:06:26 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
> > 2017/03/03 22:06:26 ossec-analysisd: DEBUG: read xml for rule.
> > 2017/03/03 22:06:26 ossec-analysisd: DEBUG: XML Variables applied.
> > 2017/03/03 22:06:26 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
> > 2017/03/03 22:06:26 ossec-analysisd: DEBUG: read xml for rule.
> > 2017/03/03 22:06:26 ossec-analysisd: DEBUG: XML Variables applied.
> > 2017/03/03 22:06:26 0 : rule:1, level 0, timeout: 0
> > 2017/03/03 22:06:26 1 : rule:600, level 0, timeout: 0
> > 2017/03/03 22:06:26 2 : rule:601, level 3, timeout: 0
> > 2017/03/03 22:06:26 2 : rule:602, level 3, timeout: 0
> > 2017/03/03 22:06:26 2 : rule:603, level 3, timeout: 0
> > 2017/03/03 22:06:26 2 : rule:604, level 3, timeout: 0
> > 2017/03/03 22:06:26 2 : rule:605, level 3, timeout: 0
> > 2017/03/03 22:06:26 2 : rule:606, level 3, timeout: 0
> > 2017/03/03 22:06:26 0 : rule:2, level 0, timeout: 0
> > 2017/03/03 22:06:26 0 : rule:3, level 0, timeout: 0
> > 2017/03/03 22:06:26 0 : rule:4, level 0, timeout: 0
> > 2017/03/03 22:06:26 0 : rule:5, level 0, timeout: 0
> > 2017/03/03 22:06:26 0 : rule:6, level 0, timeout: 0
> > 2017/03/03 22:06:26 0 : rule:7, level 0, timeout: 0
> > 2017/03/03 22:06:26 1 : rule:500, level 0, timeout: 0
> > 2017/03/03 22:06:26 2 : rule:530, level 0, timeout: 0
> > 2017/03/03 22:06:26 3 : rule:531, level 7, timeout: 7200
> > 2017/03/03 22:06:26 4 : rule:532, level 0, timeout: 0
> > 2017/03/03 22:06:26 3 : rule:533, level 7, timeout: 0
> > 2017/03/03 22:06:26 3 : rule:534, level 1, timeout: 0
> > 2017/03/03 22:06:26 3 : rule:535, level 1, timeout: 0
> > 2017/03/03 22:06:26 2 : rule:593, level
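The two settings this thread turned on (alert_new_files at the top of the message, realtime monitoring of /usr/bin in the quoted post) are worth linting before the daemons are started. The script below is an added example, not code from the thread or from OSSEC itself; it assumes a single well-formed ossec_config element using the stock syscheck element names (alert_new_files, directories, frequency), and the sample configuration embedded in it is constructed to mirror the quoted one.

```python
"""Lint the <syscheck> block of an ossec.conf for the two settings that decide
whether a new file under a monitored directory ever produces an alert.

Assumption (not from the thread): one well-formed <ossec_config> element with
the standard OSSEC syscheck element and attribute names.
"""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the quoted config: realtime on /usr/bin and
# /usr/sbin, but alert_new_files left unset (the poster's original state).
SAMPLE_CONF = """<ossec_config>
  <syscheck>
    <frequency>72000</frequency>
    <directories realtime="yes" check_all="yes">/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/etc</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>
</ossec_config>
"""


def lint_syscheck(conf_xml):
    """Return a list of human-readable findings for the syscheck configuration."""
    root = ET.fromstring(conf_xml)
    syscheck = root.find("syscheck")
    if syscheck is None:
        return ["no <syscheck> block: file integrity monitoring is off"]

    findings = []
    # Without alert_new_files, a file created in a monitored directory is
    # recorded in the syscheck database but never raised as an alert.
    anf = syscheck.findtext("alert_new_files", default="").strip().lower()
    if anf != "yes":
        findings.append("alert_new_files is not 'yes': new files will not alert")

    freq = syscheck.findtext("frequency", default="unset").strip()
    for d in syscheck.findall("directories"):
        paths = [p.strip() for p in (d.text or "").split(",") if p.strip()]
        # Without realtime="yes" the directory is only covered by the
        # scheduled scan, so a change surfaces after up to <frequency> seconds.
        if d.get("realtime", "no").lower() != "yes":
            findings.append(
                f"{','.join(paths)}: no realtime, changes seen only every {freq}s")
    return findings


if __name__ == "__main__":
    for line in lint_syscheck(SAMPLE_CONF):
        print(line)
```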