On Wed, Sep 29, 2010 at 12:21 PM, Chris Decker <[email protected]> wrote:
> Ever helpful OSSEC list,
>
> I have three items I'm trying to figure out:
>
> How can I get the OSSEC server process to bind to a network interface of my
> choosing?  I'm guessing I can do something when compiling, but is there a
> parameter that can be changed to make this happen?  I found an existing
> thread titled "How do you force the OSSEC agent to use a particular network
> interface" but there was no conclusion.  I use a software firewall but would
> like to use defense in depth and not listen unnecessarily on an interface.

Look at the option "local_ip" on the following page:
http://www.ossec.net/doc/syntax/head_ossec_config.remote.html

> I have syscheck watching /etc/hosts.allow in realtime with the new
> report_changes option.  I modified this file (added a new line with a
> comment) and received an alert as expected.  When I removed the comment I
> got another alert saying "File '/etc/hosts.allow' was deleted.  Unable to
> retrieve checksum".  I expected to just get another alert saying the
> checksum had changed.  Can someone explain this to me?

For some reason syscheck seems to think the file was deleted entirely.
Make sure the file is still there.
Here's a test, but I'm not entirely sure how worthwhile it is. Try the
following:
ls -li /etc/hosts.allow
EDIT /etc/hosts.allow just like you had done before (using the same
application), and hopefully receive an alert about it being modified
ls -li /etc/hosts.allow
EDIT /etc/hosts.allow to remove the previous edit (again, just like
you had done before)
ls -li /etc/hosts.allow

I'm wondering if a change in inodes or something might be confusing
the system (I don't know enough about the inotify support to know if
this might be an issue).

Also, do you have all of /etc set up for realtime alerts? You can't
set up individual files for realtime monitoring, just directories.

> We use Nagios to periodically log in to our servers (using SSH) to retrieve
> status information on processes.  Every time this happens I get the
> successful SSH connection alert and 2 additional alerts related to
> PAM/login.  Is there an easy way to suppress these alerts if they happen all
> within a second of one another?
>
> As always, help is appreciated.
>
> Thanks,
> Chris

Write a few rules to ignore those alerts from the nagios server IP.
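As an added illustration (not part of the reply above), here is what such local rules could look like in OSSEC's local_rules.xml. The Nagios host address 192.0.2.10 and the account name "nagios" are placeholders; rule IDs 5715 (sshd authentication success), 5501 and 5502 (PAM session opened/closed) are OSSEC's stock rules, and 100000+ is the range reserved for local rules.

```xml
<!-- Added example: silence the routine Nagios SSH check-ins, nothing else.
     Keying on BOTH the source address and the account keeps the rule narrow:
     an interactive login from that host as any other user still alerts. -->
<group name="local,nagios,">

  <!-- sshd "Accepted ... for nagios from 192.0.2.10" carries srcip and user,
       so both can be required. level="0" means the event is ignored. -->
  <rule id="100010" level="0">
    <if_sid>5715</if_sid>
    <srcip>192.0.2.10</srcip>          <!-- placeholder: Nagios server IP -->
    <user>nagios</user>                <!-- placeholder: monitoring account -->
    <description>Ignore SSH login by the Nagios monitoring account.</description>
  </rule>

  <!-- The PAM "session opened/closed for user nagios" lines carry no source
       address, so srcip cannot be used here; match on the decoded user only. -->
  <rule id="100011" level="0">
    <if_sid>5501,5502</if_sid>
    <user>nagios</user>
    <description>Ignore PAM session open/close for the Nagios account.</description>
  </rule>

</group>
```

Feed a copy of the three log lines through ossec-logtest before and after adding the rules to confirm they now fire 100010/100011 at level 0, and that a login from the same host as a different user still raises the original alerts.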
