Syscheck still isn't working (or doesn't appear to be, at least), but I can at 
least state that the logging is now working correctly now that I'm using the 
hostname in the name="" field for agent configuration rather than the agent ID.

One thing I would like to ask is how possible it is to have OSSEC alert on 
anything it's not seen before, so a log entry goes through all the rules and 
alerts or excludes itself, but if it doesn't find a rule that matches it I would 
like it to alert still. How easy/possible is that? Preferably only changing 
files that can be changed and wouldn't affect an upgrade by having to 
manually make lots of changes just to get that part of the functionality 
working again.

> Date: Wed, 28 Jul 2010 14:32:56 -0400
> Subject: Re: [ossec-list] Central Remote Agent Configuration
> From: [email protected]
> To: [email protected]
> 
> On Wed, Jul 28, 2010 at 10:02 AM, Mark F <[email protected]> wrote:
> >> I'm pretty sure the -R option requires active response to be enabled,
> >> maybe this does too. It can also take a while to initiate, the action
> >> isn't immediate.
> >
> > You're right, I've enabled this on the client in the configuration file. I've
> > also tcpdumped the traffic coming in from my OSSEC central server to see
> > that a request actually hits the client... it does, and at the same time I'm
> > tail'ing the ossec.log on the client to see if anything happens... and
> > nothing. I've changed the internal_options.conf, or some name like this, on
> > the server and client, setting everything to level 2, and still I get
> > nothing. I've not had any alert about any altered file for 2 days now so I
> > think it must be because it's not working somehow, but no errors anywhere.
> > Same problem with the log watching: I can see the logs it picks up on
> > start-up of the agent, however it doesn't seem to pick up any of the logs as
> > I've specified within '/usr/local/apache2/logs/*'; in the ossec.log of the
> > agent nothing is noted down about picking up the files within that
> > directory...?
> >
> 
> Requests from the server for the agents to run syscheck updates are
> not immediate. I've seen them take 30min before.
> In the agent's logs that you posted the following line means syscheck
> scan has started:
> 2010/07/28 14:07:09 ossec-syscheckd: INFO: Starting syscheck database
> (pre-scan).
> 
> After that line you should see something like:
> 2009/10/12 16:39:03 ossec-syscheckd: INFO: Finished creating syscheck
> database (pre-scan completed).
> 2009/10/12 16:41:04 ossec-syscheckd: INFO: Starting syscheck scan
> (forwarding database).
> 2009/10/12 16:44:27 ossec-syscheckd: INFO: Ending syscheck scan
> (forwarding database).
> 
> 
> >
> > Uname -a (Server)
> > Linux monitoring 2.6.32-23-generic-pae #37-Ubuntu SMP Fri Jun 11 09:26:55
> > UTC 2010 i686 GNU/Linux
> >
> > cat /var/ossec/etc/shared/agent.conf
> > <agent_config>
> >   <syscheck>
> >     <auto_ignore>no</auto_ignore>
> >     <alert_new_files>yes</alert_new_files>
> >     <frequency>21600</frequency>
> >     <directories check_all="yes">/</directories>
> >   </syscheck>
> > </agent_config>
> >
> > <agent_config name="001">
> >   <localfile>
> >     <location>/var/log/apache2/error_log</location>
> >     <log_format>apache</log_format>
> >   </localfile>
> > </agent_config>
> >
> > <agent_config name="002">
> >   <localfile>
> >     <log_format>apache</log_format>
> >     <location>/usr/local/apache2/logs/*</location>
> >   </localfile>
> > </agent_config>
> >
> > Any ideas? 002 doesn't seem to be reading anything from any of the apache
> > log files within that directory, yet I was to understand that it accepts
> > POSIX-compliant regex...
> > So I have a problem with trying to log all the files within that directory...
> > I don't want to be adding files individually, that's just plain wrong. And it
> > seems that the file integrity, I'm sure, isn't working correctly; however no
> > errors even with full debugging on, which doesn't really seem to provide much
> > better info. '*' represents sensitive information I've stripped out.
> >
> > Cheers,
> > M
> >
> >
> 
> You shouldn't need the following in the agent.conf, these are only for
> the server:
> <auto_ignore>no</auto_ignore>
> <alert_new_files>yes</alert_new_files>
> 
> For the agent_config name="001" and 002, are those actually the agent
> names? They look like the agent IDs, but I can't be sure.
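As an added example (not written by anyone in this thread), here is the shape of agent.conf that follows from the two points raised above: the name="" attribute has to carry the agent's name as registered on the server (the hostname, as the first message confirms), not its three-digit agent ID, and the server-only syscheck options are left out of the shared block. The agent names web01 and web02 are hypothetical placeholders for the two agents discussed.

```xml
<!-- /var/ossec/etc/shared/agent.conf (added example; agent names are hypothetical) -->

<!-- A block with no name/os/profile attribute applies to every agent.
     auto_ignore and alert_new_files are omitted: per the reply above they are
     server-side settings that belong in the manager's ossec.conf, not here. -->
<agent_config>
  <syscheck>
    <frequency>21600</frequency>
    <directories check_all="yes">/</directories>
  </syscheck>
</agent_config>

<!-- name="" must match the agent name as registered with manage_agents
     (here the hostname), not the numeric ID "001" that the server assigned. -->
<agent_config name="web01">
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/error_log</location>
  </localfile>
</agent_config>

<!-- Same for the second agent; the wildcard location is kept as the poster had it. -->
<agent_config name="web02">
  <localfile>
    <log_format>apache</log_format>
    <location>/usr/local/apache2/logs/*</location>
  </localfile>
</agent_config>
```

To see which value name="" has to match, run /var/ossec/bin/agent_control -l on the server: it lists each agent's ID, name and IP, and it is the name column, not the ID column, that the attribute is compared against. Keep in mind that the shared syscheck block above scans all of / with check_all, which is why the pre-scan and forwarding phases quoted in the reply can take a long time to complete on a large filesystem.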