Hi again,
I just checked my Debian box with 0.9 installed and everything seems normal.
Alert e-mails are arriving with the correct date (timezone values).
Is it possible to send us a sample alert e-mail with full headers?
(just copy & paste from /var/spool/mail).
PS: I'll also add /var/adm/messages to the config file on Solaris systems.
Regards,
Ahmet Ozturk.
Ahmet Ozturk wrote:
Hi Martin,
Let me answer your first 2 questions:
1. I'm not sure if you can throttle the syscheck CPU usage directly
(you may use the nice command on a running process, but I don't know
a way to automate this). syscheckd runs every 2 hours by default;
you may want to change this (see <frequency> and other options in
ossec.conf).
(http://www.ossec.net/en/manual.html#syscheck_options)
2. For the active-response issue, please check the <location> option
in the ossec.conf file on the server. If it has the value "local", it will
execute the active-response on the agent that generated the alert. If you
want to use active-response only on your server, this value should be set
to "analysis-server".
(http://www.ossec.net/en/manual.html#active-response-config)
I'll also check the timezone issue this night.
Regards,
Ahmet Ozturk.
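The two settings Ahmet points at (syscheck <frequency> and active-response <location>), plus the /var/adm/messages entry from his follow-up, together in one ossec.conf fragment. This is an added example, not configuration from the thread or from the OSSEC project; the directory list, the host-deny command definition, the level value 10 and the 86400-second frequency are assumptions chosen for illustration, and the element names follow the OSSEC manual the thread links to, so check them against the 0.9 manual for your release.

```xml
<ossec_config>
  <!-- Question 1: syscheckd runs every 7200 s (2 hours) by default.
       A longer <frequency>, here 86400 s (once a day, an assumed value),
       spreads the CPU cost of the integrity scan over a longer interval.
       The directory list is illustrative. -->
  <syscheck>
    <frequency>86400</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
  </syscheck>

  <!-- Question 2: the server's <location> decides where a response runs.
       "local" executes it on the agent that generated the alert (the
       behaviour Martin observed); "analysis-server" executes it on the
       server only. The host-deny command below is an assumed example. -->
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>host-deny</command>
    <location>analysis-server</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>

  <!-- Solaris follow-up: monitor /var/adm/messages as a syslog-format file -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/adm/messages</location>
  </localfile>
</ossec_config>
```

Changing <location> back to "local" on the server is what makes the agent that raised the alert run the response, regardless of what the agent's own configuration says about active-response, which is the effect described in the reply above.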
Martin Leung wrote:
Hi,
Just tried OSSEC 0.9 and have some queries:
1. The syscheck daemon takes up significant CPU time on my box.
Can it be throttled or scheduled at a fixed time?
2. I enabled active-response on the server but disabled it on the agent
machine. However, the agent host still responds to attacks using the
policy on the server. Is it a bug or a feature?
3. The time zone fix stated at:
http://www.ossec.net/ossec-list/2006-June/msg00019.html
seems to have a side effect. On my Fedora 4 box, the mail header
becomes +0000 (HKT). I reverted the change and it works
(becomes +0800).
4. On Solaris, it may be worth including /var/adm/message in the
default monitor list.
BTW, OSSEC is great. Easy to install and useful.
Rgds.
Martin