In ossec.conf modify the syscheck directory entries to add realtime capabilities. Add realtime="yes" to the entries you want to be monitored in realtime, like so:

<directories check_all="yes" realtime="yes">/bin,/etc</directories>
On Mon, Jul 6, 2009 at 10:47 AM, Kirk Frankovich <[email protected]> wrote:
>
> Is there a document on using the real-time integrity checking? I cannot
> find how to enable it.
>
> Thank you very much.
>
> Kirk Frankovich
> Systems Administrator
>
> 847.427.5223 - Direct
> 847.489.4717 - Cell
> [email protected]
>
> Fort Dearborn Company
> 1530 Morse Ave
> Elk Grove Village, IL 60007
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Daniel Cid
> Sent: Tuesday, June 30, 2009 7:38 AM
> To: [email protected]; [email protected]
> Subject: [ossec-list] OSSEC v2.1 released
>
> Hi list,
>
> We are happy to announce that OSSEC version 2.1 is available now.
>
> This new version is the first one with support for centralized
> configurations and realtime integrity monitoring on Linux.
> It also includes many other features and bug fixes:
>
> * Centralized configuration - The agent.conf file was introduced
>   to allow granular configuration of the agents directly on the manager side.
> * Remote agent restart - Functionality was added to restart the
>   agents remotely using the agent_control tool.
> * Real time integrity checking - Real time integrity checking was
>   added to Linux systems.
> * New Log Rules Support - We added support for Windows DHCP logs
>   and fixed/improved many of the other rules for different messages.
>
> Source:
> http://www.ossec.net/main/ossec-v21-released
>
> Download from here:
> http://www.ossec.net/main/downloads
>
> Full changelog (If I forgot someone, please let me know and I will
> update it asap):
> http://www.ossec.net/announcements/v2.1-2009-06-30.txt
>
> -Added additional rules to detect the enumeration of extensions
>  (Patch by Chris Bailes <chris at paeenterprises.co.uk>).
>
> -Added support for glob (regular expressions) when specifying the
>  directories to check on syscheck.
>
> -Added support for syslog-ng ISODATE (conforming to ISO-8601) date
>  formats in the syslog header.
>
> -Added support for rsyslog non-standard date format (RFC 5425).
>
> -Added the log testing tool to the default build (now available at
>  /var/ossec/bin/ossec-logtest).
>
> -Added agentless script for Foundry switches
>  (Thanks to Matt <mgoldsberry at gmail.com> for the help).
>
> -Added support for real time integrity checking.
>
> -Added support for sending OSSEC alerts to twitter via active response.
>
> -Added support for Windows DHCP logs
>  (Thanks to [email protected] for the help).
>
> -Added changes to support ASA/FWSM on the agentless monitoring
>  (Thanks to Michael Starks for the patch).
>
> -Added option to restart an ossec agent remotely.
>
> -Added agent config on the manager side.
>
> -Added the ability to fully build a Windows ossec agent directly from
>  the (Linux) server.
>
> -Fixed rootcheck to not monitor read-only file systems during the
>  rc_sys_check (Reported by Dennis Golden).
>
> -Fixed Windows policy that was looking for the wrong value to check if
>  the firewall was enabled or not (Reported by Aaron Bliss).
>
> -Fixed debian rules that were matching on Juniper messages
>  (Reported by Reggie Griffin).
>
> -Fixed yum rules that were matching on other events.
>
> -Fixed syscheck_control that was segfaulting on 64 bit systems.
>
> -Fixed mcafee rule that was triggering deleted viruses as uncontained
>  (Thanks to Michael Starks for the patch).
>
> -Fixed sshd rule to support new log format
>  (Thanks to j.bromley at bristol.ac.uk for the report).
>
> -Fixed ssh_integrity_check_linux agentless script that had some extra
>  spaces causing it to hang (Thanks to Mark Ibrahim for the report).
>
> -Fixed support for systems without proper syslog hostname (solaris 8/9
>  most of the time).
>
> -Added System32 Restore directory to the list of ignore files for
>  integrity checking (it was causing too many false positives).
>
> -Fixed iptables active-response scripts that were not properly deleting
>  all the entries.
>
> -Added agentless devices to the listing tools (agent_control -l,
>  syscheck_control -l, etc).
>
> -Fixed bug when reading /dev/fd on FreeBSD that was causing ossec to
>  loop. (Patch by Danny Fullerton - dfullerton at mantor.org)
>
> -Fixed file descriptor leak on execd.
>  (Patch by Slava Semushin - php-coder at altlinux.org)
>
> -Fixed bug where descriptions with new lines would break the alert file.
>  (Reported by Bill Mathews <billford at gmail.com>)
>
> -Fixed init scripts for Darwin.
>  (patch by Peter <peter.wolanin at acquia.com>)
>
> -Added support for strftime on globbed files.
>
> -Added the option to decrease syscheck sleep time to 0 (and run as
>  fast as possible).
>  (thanks to Michael Altfield <michael.sa at gmail.com> for the suggestion)
>
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> --
> This message was scanned by ESVA and is believed to be clean.
>
>
> --
> Confidentiality Notice: This e-mail, including attachments, may include
> confidential and/or proprietary information, and may be used only by the
> person or entity to which it is addressed. If the reader of this e-mail is
> not the intended recipient or his or her authorized agent, the reader is
> hereby notified that any dissemination, distribution, copying or taking any
> action in reliance upon this information is prohibited. If you have received
> this e-mail in error, please notify the sender by replying to this message
> and delete this e-mail immediately.
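The reply at the top of this thread answers the question with a single edited <directories> line. A practitioner rolling this out across many agents usually wants to see the other side of that edit: every syscheck path that was left without realtime="yes" is still only examined once per <frequency> interval, and in 2.1 the realtime flag does anything only on Linux (per the announcement quoted above). The following Python script is an added example written for this page, not code from OSSEC or from anyone on the list. It parses an ossec.conf-shaped text (the SAMPLE_OSSEC_CONF string below is constructed for the example, not a real deployment) and reports which directories are covered in realtime and which are periodic-only, so you can check the result of the edit rather than trust it. The wrapping in a synthetic root element is there because OSSEC accepts more than one top-level <ossec_config> block in one file, which a strict XML parser would otherwise reject; the DEFAULT_FREQUENCY constant is OSSEC's documented 79200-second default.

```python
"""Audit an OSSEC ossec.conf for syscheck coverage: which directories are
watched in realtime (realtime="yes") and which only get the periodic scan.
Added example for this thread; not part of OSSEC."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

DEFAULT_FREQUENCY = 79200  # OSSEC's default syscheck interval, in seconds

# Constructed sample, not a real deployment's configuration. It mirrors the
# shape of ossec.conf: one entry switched to realtime, one left periodic, and
# a second top-level <ossec_config> block, which OSSEC allows in one file.
SAMPLE_OSSEC_CONF = """\
<ossec_config>
  <syscheck>
    <frequency>43200</frequency>
    <directories check_all="yes" realtime="yes">/bin,/etc</directories>
    <directories check_all="yes">/usr/bin,/usr/sbin</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>
</ossec_config>
<ossec_config>
  <syscheck>
    <directories check_all="yes" realtime="yes">/sbin</directories>
  </syscheck>
</ossec_config>
"""


def _parse(conf_text: str) -> ET.Element:
    """Parse ossec.conf text. Several top-level <ossec_config> elements are
    legal for OSSEC but not well-formed XML, so drop any XML declaration and
    wrap the whole text in a synthetic root before handing it to ElementTree."""
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", conf_text)
    return ET.fromstring("<root>" + body + "</root>")


def parse_syscheck_dirs(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Return {path: attributes} for every path in every <directories> element
    under any <syscheck> block. Comma-separated paths in one element share that
    element's attributes, so realtime="yes" applies to all of them."""
    dirs: Dict[str, Dict[str, str]] = {}
    for syscheck in _parse(conf_text).iter("syscheck"):
        for elem in syscheck.findall("directories"):
            attrs = dict(elem.attrib)
            for path in (elem.text or "").split(","):
                path = path.strip()
                if path:
                    dirs[path] = attrs
    return dirs


def syscheck_frequency(conf_text: str) -> int:
    """Interval of the scheduled scan; OSSEC's default applies when unset."""
    for syscheck in _parse(conf_text).iter("syscheck"):
        freq = syscheck.findtext("frequency")
        if freq and freq.strip().isdigit():
            return int(freq.strip())
    return DEFAULT_FREQUENCY


def _is_yes(value: str) -> bool:
    return value.strip().lower() == "yes"


def realtime_dirs(conf_text: str) -> List[str]:
    """Paths that carry realtime="yes" (Linux-only in OSSEC 2.1)."""
    return sorted(p for p, a in parse_syscheck_dirs(conf_text).items()
                  if _is_yes(a.get("realtime", "no")))


def periodic_only_dirs(conf_text: str) -> List[str]:
    """Paths that are only examined every <frequency> seconds."""
    return sorted(p for p, a in parse_syscheck_dirs(conf_text).items()
                  if not _is_yes(a.get("realtime", "no")))


if __name__ == "__main__":
    print("realtime:     ", realtime_dirs(SAMPLE_OSSEC_CONF))
    print("periodic only:", periodic_only_dirs(SAMPLE_OSSEC_CONF),
          "(every %d s)" % syscheck_frequency(SAMPLE_OSSEC_CONF))
```

To run it against a live agent, read /var/ossec/etc/ossec.conf into a string and pass it in place of SAMPLE_OSSEC_CONF; with centralized configuration the same functions can be pointed at the manager-side agent.conf, since its <syscheck> blocks use the same element names.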
