I have to take back my previous statement that the new file alert is not working.
In my setup it is working just as expected; the alerts received by email look
like this:
OSSEC HIDS Notification.
2010 May 19 18:03:05
Received From: (client1) 10.5.5.204->syscheck
Rule: 554 fired (level 7) -> "File added to the system."
Portion of the log(s):
New file '/etc/testadi_new_file' added to the file system.
--END OF NOTIFICATION
I had to do 2 things:
- add <alert_new_files>yes</alert_new_files> in the <syscheck>
section on the server
- alter rule 554 in order to increase the level from 0 (which means
ignore) to 7, for example:
  <rule id="554" level="7">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <options>alert_by_email</options>
    <group>syscheck,</group>
  </rule>
I hope this helps,
Adi
From: [email protected] [mailto:[email protected]] On
Behalf Of [email protected]
Sent: Wednesday, May 19, 2010 4:41 PM
To: [email protected]
Subject: RE: [ossec-list] analysisd: ERROR: Invalid syscheck message received.
Adi, quick question. Were you able to get the new file alert working? I've
been trying with no success. I modified the rules and syscheck as documented
but still it doesn't work. Any information would be greatly appreciated.
Thank you,
Christian
Christian L. Kovac
Sr Network Support Analyst
Information Technology & Project Management
Metro-North Railroad
[email protected]
212-499-4642
>>> Adi CHIRU <[email protected]> 5/19/2010 8:51 AM >>>
First, I stopped the ossec daemons, emptied those files manually and started the
ossec daemons. Everything went fine until I restarted ossec, when those errors
started to appear again.
After this I stopped ossec, deleted the files completely and started ossec. The
files were created and, again, the errors in the logs only appeared after I
restarted ossec (usually because I changed the configuration files).
It seems that a solution would be to clear the database (those files in the
/var/ossec/queue/syscheck/ directory) before each [re]start, but I am not sure
that this would be a good idea.
And one more question, if I may:
Where can I find details about the logic of ossec's alerting behaviour? I am
interested in an answer about what ossec does after an event (new file, deleted
file or modified ownership on a file) was found and an alert was issued: does
ossec keep sending that alert each time it detects the event, or is the
database updated after the first detection so that the next run will not detect
the same event again?
Thanks,
Adi
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of dan (ddp)
Sent: Tuesday, May 18, 2010 5:25 PM
To: [email protected]
Subject: Re: [ossec-list] analysisd: ERROR: Invalid syscheck message received.
This is how to log to an SQL database:
http://www.ossec.net/wiki/Know_How:DatabaseOutput
But I don't think the problem has anything to do with an sql database.
I was thinking syscheck_control -u all:
"-u all Updates (clear) the database for all agents."
I guess you could manually clear out the syscheck database file(s).
I'd copy them off first as a backup.
They should be located in: /var/ossec/queue/syscheck. There is the
syscheck file, which I think is the server, and various "(AGENT)
IP_ADDRESS->syscheck" files. Maybe after stopping the ossec processes
and copying the files, try to clear them out manually...
On Tue, May 18, 2010 at 8:41 AM, Adi CHIRU <[email protected]> wrote:
> Hi Dan,
>
> If by clearing the syscheck database you mean:
> ./syscheck_update -a
> and/or
> ./syscheck_update -u local
>
> I already did that while ossec daemons were stopped.
> After restarting, the same errors appear in the logs.
> I am using ossec-hids-2.4.1.
> The above error messages appear in server and agent logs.
>
> Can you please give me the SQL syntax/file (or a link) to create the MySQL
> database; I suspect the problem may be from the structure of the database I
> use now.
>
> Thanks,
> Adi
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of dan (ddp)
> Sent: Monday, May 17, 2010 5:27 PM
> To: [email protected]
> Subject: Re: [ossec-list] analysisd: ERROR: Invalid syscheck message received.
>
> I don't know what's going on with the messages, but you could try
> stopping the server and clearing the syscheck database for that agent.
>
> On Mon, May 17, 2010 at 9:19 AM, Adi CHIRU <[email protected]> wrote:
>> Hi guys,
>>
>> I have some problems with ossec syscheck as it seems it does not catch all
>> the events that happen in a directory configured to be monitored in
>> real time. To find out what was going wrong I watched the logs and found
>> the errors below, for which I could not find a relevant discussion/solution
>> with Google.
>>
>> Can you please help?
>>
>> 2010/05/17 12:29:35 ossec-logcollector: INFO: Started (pid: 11462).
>> 2010/05/17 12:30:06 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
>> 2010/05/17 12:31:40 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
>> 2010/05/17 12:33:40 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>> 2010/05/17 12:34:12 ossec-analysisd(1755): ERROR: Invalid syscheck message received.
>> 2010/05/17 12:34:16 ossec-analysisd(1755): ERROR: Invalid syscheck message received.
>> 2010/05/17 12:34:16 ossec-analysisd(1755): ERROR: Invalid syscheck message received.
>> 2010/05/17 12:38:28 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
>> 2010/05/17 12:38:48 ossec-rootcheck: INFO: Starting rootcheck scan.
>> 2010/05/17 12:41:08 ossec-rootcheck: INFO: Ending rootcheck scan.
>> 2010/05/17 13:04:17 ossec-analysisd: Invalid integrity message in the database.
>> 2010/05/17 13:06:18 ossec-analysisd: Invalid integrity message in the database.
>> 2010/05/17 13:10:14 ossec-analysisd: Invalid integrity message in the database.
>> 2010/05/17 13:10:14 ossec-analysisd: Invalid integrity message in the database.
>> 2010/05/17 13:10:14 ossec-analysisd: Invalid integrity message in the database.
>> 2010/05/17 13:10:14 ossec-analysisd: Invalid integrity message in the database.
>>
>> If you need any other info please let me know...
>>
>> Thanks,
>>
>> Adi
>
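The manual clearing procedure dan describes in his May 18 reply (stop the OSSEC processes, copy the files in /var/ossec/queue/syscheck off as a backup, then empty them, and only then start OSSEC again), written out as an added POSIX sh example. It is not code from this thread or from the OSSEC project. /var/ossec/bin/ossec-control is the stock OSSEC start/stop script; the backup root, the OSSEC_DIR and BACKUP_ROOT variables and the --run switch are assumptions of this example. It truncates the database files in place rather than deleting them, so the ossec user keeps ownership of the files it will rewrite on the next scan; note that Adi reports the "Invalid syscheck message" errors came back after restarts even with cleared files, so this reproduces the suggested step, it does not claim to fix that error.

```shell
#!/bin/sh
# Added example (not from the ossec-list thread or OSSEC itself): back up and
# clear the syscheck database files, then restart OSSEC. Run as root.
set -eu

# Assumed locations; override with environment variables if yours differ.
OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"
SYSCHECK_QUEUE="${SYSCHECK_QUEUE:-$OSSEC_DIR/queue/syscheck}"
BACKUP_ROOT="${BACKUP_ROOT:-/var/backups/ossec-syscheck}"

# backup_and_clear_syscheck QUEUE_DIR BACKUP_ROOT
# Copies every regular file in QUEUE_DIR (the server's "syscheck" file and the
# per-agent "(NAME) IP->syscheck" files, whose names contain spaces, parens and
# '>') into a timestamped directory under BACKUP_ROOT, then truncates each
# original to zero length. Prints the path of the backup directory.
backup_and_clear_syscheck() {
    queue_dir="$1"
    backup_root="$2"
    stamp=$(date +%Y%m%d-%H%M%S)
    backup_dir="$backup_root/syscheck-$stamp"
    mkdir -p "$backup_dir"
    for f in "$queue_dir"/*; do
        [ -f "$f" ] || continue          # skip the literal glob on empty dirs
        cp -p "$f" "$backup_dir/"        # -p keeps mode, owner and mtime
        : > "$f"                         # truncate in place; inode/owner kept
    done
    printf '%s\n' "$backup_dir"
}

# count_nonempty DIR
# Prints how many regular files in DIR still hold data; used to confirm the
# queue is really empty before OSSEC is started again.
count_nonempty() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] && [ -s "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Only touch the live installation when explicitly asked:
#   sh clear_syscheck.sh --run
if [ "${1:-}" = "--run" ]; then
    "$OSSEC_DIR/bin/ossec-control" stop
    saved=$(backup_and_clear_syscheck "$SYSCHECK_QUEUE" "$BACKUP_ROOT")
    echo "syscheck database backed up to $saved"
    remaining=$(count_nonempty "$SYSCHECK_QUEUE")
    [ "$remaining" -eq 0 ] || { echo "queue not empty, aborting" >&2; exit 1; }
    "$OSSEC_DIR/bin/ossec-control" start
fi
```

Because the database files are emptied rather than unlinked, a later diff between the backup copy and the freshly rebuilt file shows exactly which entries syscheck re-created after the restart, which is a useful starting point when chasing the "Invalid integrity message in the database" lines above.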