Hi Tanishk,

Yes, I meant you should have 2 config files:

1. the original ossec.conf under /var/ossec/etc, and
2. a new ossec2.conf (any name should do) that you could place in any directory.

I'm guessing that this config file needs to contain only the sections relevant to syscheckd (that is, <directory> & <exclude>).

You should pass the new ossec2.conf to syscheckd as an argument:

    /var/ossec/bin/ossec-syscheckd -c /<path-to-config-file>/ossec2.conf

Regards,
Chris

On Mon, Dec 13, 2010 at 9:10 PM, tanishk lakhaani <[email protected]> wrote:
> Hi Christopher,
> I have a doubt, the config file that syscheck takes as an argument, has to
> be a separate config file, means, there will be 2 ossec.conf's, one as an
> argument for syscheck, and the other being the normal ossec.conf ??
>
> I tried the same today. I was using the following command:
>
> /var/ossec/bin/ossec-syscheckd -c /etc/<directory-name>
>
> But the same doesn't work.
>
> Any idea, where am I going wrong ?
>
> Regards
> Tanishk
>
> >> syscheck has a "-c" option to specify a config file when it is run.
> >>
> >> You can try setting up a cron job that will run syscheck every 3 hours
> >> and specify a control file that contains the list of the 3 files you
> >> want to check. Put the other files in the ossec.conf file.
> >>
> >> Just a thought, I haven't tried this.
> >>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
> Sent: Thursday, December 09, 2010 3:17 AM
> To: [email protected]
> Subject: Re: [ossec-list] Running Integrity Checking at different Instances
>
> Good points.
>
> On Wed, Dec 8, 2010 at 4:40 PM, Vitaly Nikolaev <[email protected]> wrote:
> >
> > If intruder shut down OSSEC - you will get notification.
> >
> > cron job will defeat the idea of having centralized configuration
> >
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
> > Sent: Wednesday, December 08, 2010 4:35 PM
> > To: [email protected]
> > Subject: Re: [ossec-list] Running Integrity Checking at different Instances
> >
> > On Wed, Dec 8, 2010 at 4:31 PM, Vitaly Nikolaev <[email protected]> wrote:
> >>
> >> cron job on server or agent ? If second then it can be disabled by...
> >> intruder and thus "less secure"
> >>
> >
> > It would be on the agent. And an intruder could just shut down OSSEC.
> >
> >>
> >> From: [email protected] [mailto:[email protected]]
> >> On Behalf Of Christopher Moraes
> >> Sent: Wednesday, December 08, 2010 4:23 PM
> >> To: [email protected]
> >> Subject: Re: [ossec-list] Running Integrity Checking at different
> >> Instances
> >>
> >> syscheck has a "-c" option to specify a config file when it is run.
> >>
> >> You can try setting up a cron job that will run syscheck every 3 hours
> >> and specify a control file that contains the list of the 3 files you
> >> want to check. Put the other files in the ossec.conf file.
> >>
> >> Just a thought, I haven't tried this.
> >>
> >> On Wed, Dec 8, 2010 at 3:57 PM, tanishk lakhaani
> >> <[email protected]>
> >> wrote:
> >>
> >> Hi People !!!
> >>
> >> Can we tweak OSSEC to run integrity checking for different files at
> >> different instances. I mean to say: suppose I have 6 files to monitor
> >> for Integrity checking.... I want that the integrity checking on 3 of
> >> them to be in every 3 hours, whereas for the rest to be every 10 hours.
> >>
> >> Any idea, if I can tweak it like this.
> >>
> >> Regards
> >>
> >> Tanishk
> >>
> >> ________________________________
> >> This message (including attachments) is private and confidential. If
> >> you have received this message in error, please notify us and remove
> >> it from your system.
