Thanks Dan,

On Tue, Apr 19, 2011 at 2:00 PM, dan (ddp) <[email protected]> wrote:
> I don't know why that isn't working, but try adding the ignore to the
> manager's ossec.conf. That should ignore it for all agents and the
> manager.

Ah! It will ignore it for all agents; that's not good because we have
production and development, so I need this option on a specific agent. I
believe in this case I need to add them to the local ossec.conf on each
server.


> I don't think <auto_ignore>no</auto_ignore> does anything on the
> agents. It should be a manager side option.

Again an issue! I need this option only on production, not on testing and
development.

> Make sure the agent.conf on the agents is getting updated, and make
> sure the agent is using the correct sections. An easy way to do this
> is to add a <localfile> into each section. Even if the file does not
> exist on the agent, it should be mentioned in the ossec.log.

You want me to add a fake entry and watch ossec.log to make sure it's
working for a particular agent. Will do.




> On Tue, Apr 19, 2011 at 10:02 AM, satish patel <[email protected]> wrote:
>> Hey Guys!
>>
>> This is again me posting an issue about ignoring a file and directory.
>> Following is my agent.conf file; please let me know why it's not
>> working. I did a thousand restarts and rebooted the machine on both client
>> and server but still I am getting the alert :(
>>
>> Getting alert : Integrity checksum changed for: '/etc/prelink.cache'
>>
>> Following is my agent.conf file.
>>
>> root@vmg035:~# cat /var/ossec/etc/shared/agent.conf
>> <agent_config>
>>  <syscheck>
>>
>>    <!-- Frequency that syscheck is executed - default to every 2 hours -->
>>    <frequency>7200</frequency>
>>
>>    <!-- Directories to check  (perform all possible verifications) -->
>>    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>>    <directories check_all="yes">/bin,/sbin</directories>
>>
>>    <!-- No scan at start service time -->
>>    <scan_on_start>no</scan_on_start>
>>
>>    <!-- Disable frequently changes files -->
>>    <auto_ignore>no</auto_ignore>
>>
>>    <!-- Files/directories to ignore -->
>>    <ignore>/etc/mtab</ignore>
>>    <ignore>/etc/mnttab</ignore>
>>    <ignore>/etc/hosts.deny</ignore>
>>    <ignore>/etc/mail/statistics</ignore>
>>    <ignore>/etc/random-seed</ignore>
>>    <ignore>/etc/adjtime</ignore>
>>    <ignore>/etc/httpd/logs</ignore>
>>    <ignore>/etc/utmpx</ignore>
>>    <ignore>/etc/wtmpx</ignore>
>>    <ignore>/etc/cups/certs</ignore>
>>    <ignore>/etc/dumpdates</ignore>
>>    <ignore>/etc/svc/volatile</ignore>
>>    <ignore>/etc/motd</ignore>
>>    <ignore>/etc/printcap</ignore>
>>    <ignore>/etc/prelink.cache</ignore>
>>    <ignore>/etc/lvm/backup</ignore>
>>  </syscheck>
>>
>>  <rootcheck>
>>    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>>    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>>    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
>>    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
>>    <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
>>    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
>>  </rootcheck>
>> </agent_config>
>>
>> <!-- Redhat Linux Logfiles monitor for PROD boxes fiona and shrek -->
>> <agent_config name="fiona|shrek">
>>
>>  <active-response>
>>    <disabled>yes</disabled>
>>  </active-response>
>>
>>  <localfile>
>>    <log_format>syslog</log_format>
>>    <location>/var/log/messages</location>
>>  </localfile>
>>
>>  <localfile>
>>    <log_format>syslog</log_format>
>>    <location>/var/log/secure</location>
>>  </localfile>
>>
>>  <localfile>
>>    <log_format>syslog</log_format>
>>    <location>/var/log/vsftpd.log</location>
>>  </localfile>
>>
>>  <localfile>
>>    <log_format>syslog</log_format>
>>    <location>/var/log/maillog</location>
>>  </localfile>
>> </agent_config>
>>
>>
>> <!-- Redhat Linux Logfiles monitor for TEST and DEV-->
>> <agent_config name="dev01|dev02|dragon|donkey">
>>
>>  <active-response>
>>    <disabled>yes</disabled>
>>  </active-response>
>>
>>  <localfile>
>>    <log_format>syslog</log_format>
>>    <location>/var/log/messages</location>
>>  </localfile>
>>
>>  <localfile>
>>    <log_format>syslog</log_format>
>>    <location>/var/log/secure</location>
>>  </localfile>
>>
>>  <localfile>
>>    <log_format>syslog</log_format>
>>    <location>/var/log/vsftpd.log</location>
>>  </localfile>
>>
>>  <localfile>
>>    <log_format>syslog</log_format>
>>    <location>/var/log/maillog</location>
>>  </localfile>
>> </agent_config>
>>
>> <!-- sebfwint1 extra logfiles for ubuntu OS -->
>> <agent_config name="sebfw01">
>>  <localfile>
>>    <log_format>syslog</log_format>
>>    <location>/var/log/auth.log</location>
>>  </localfile>
>>
>>  <localfile>
>>    <log_format>syslog</log_format>
>>    <location>/var/log/syslog</location>
>>  </localfile>
>>
>>  <localfile>
>>    <log_format>syslog</log_format>
>>    <location>/var/log/mail.info</location>
>>  </localfile>
>>
>>  <localfile>
>>    <log_format>syslog</log_format>
>>    <location>/var/log/dpkg.log</location>
>>  </localfile>
>>
>>  <localfile>
>>    <log_format>apache</log_format>
>>    <location>/var/log/apache2/error.log</location>
>>  </localfile>
>>
>>  <localfile>
>>    <log_format>apache</log_format>
>>    <location>/var/log/apache2/access.log</location>
>>  </localfile>
>> </agent_config>
>>
>
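The question in this thread is which `<agent_config>` sections a given agent actually picks up from the shared agent.conf, and Dan's suggested check is to plant a `<localfile>` per section and see which one shows up in that agent's ossec.log. The script below is an added example, not code from the OSSEC project or from anyone in the thread: it parses a cut-down copy of the posted agent.conf (the file has several `<agent_config>` roots, so it is wrapped in a synthetic `<root>` element first), resolves the effective syscheck `<ignore>` list and `<localfile>` locations for a named agent, and generates one unique canary `<localfile>` path per section for the ossec.log check. The matching rule (exact match against one of the `|`-separated alternatives, as in `name="fiona|shrek"`) is an assumption modelled on the posted file, not a reimplementation of OSSEC's own matcher.

```python
"""Resolve which shared agent.conf sections apply to an OSSEC agent.

Added example, not OSSEC project code. Assumptions: the shared agent.conf
is a sequence of <agent_config> elements with no single root (as posted),
and a name attribute lists alternatives separated by '|'.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a shortened copy of the structure in the posted agent.conf.
SAMPLE_AGENT_CONF = """
<agent_config>
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <auto_ignore>no</auto_ignore>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/prelink.cache</ignore>
  </syscheck>
</agent_config>

<!-- PROD boxes -->
<agent_config name="fiona|shrek">
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>
</agent_config>

<!-- TEST and DEV -->
<agent_config name="dev01|dev02|dragon|donkey">
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</agent_config>
"""


def parse_agent_conf(text):
    """Return the <agent_config> elements; the multi-root file is wrapped so
    ElementTree can parse it (XML comments are dropped by the parser)."""
    root = ET.fromstring("<root>" + text + "</root>")
    return root.findall("agent_config")


def section_matches(section, agent_name):
    """A section without a name applies to every agent; otherwise the agent
    name must equal one of the '|'-separated alternatives (assumed rule)."""
    name_attr = section.get("name")
    if name_attr is None:
        return True
    return agent_name in name_attr.split("|")


def resolve(text, agent_name):
    """Effective syscheck ignores and localfile locations for agent_name."""
    ignores, localfiles = [], []
    for section in parse_agent_conf(text):
        if not section_matches(section, agent_name):
            continue
        ignores.extend(e.text.strip() for e in section.findall("syscheck/ignore"))
        localfiles.extend(e.text.strip() for e in section.findall("localfile/location"))
    return {"ignore": ignores, "localfile": localfiles}


def canary_locations(text):
    """One unique, nonexistent <localfile> path per section. Whichever canary
    path the agent mentions in ossec.log tells you which section it applied.
    Returns {name attribute (or 'default'): canary path}."""
    canaries = {}
    for section in parse_agent_conf(text):
        name_attr = section.get("name") or "default"
        canaries[name_attr] = "/var/log/ossec-canary-%s.log" % name_attr.replace("|", "_")
    return canaries


if __name__ == "__main__":
    for agent in ("fiona", "dev01", "unknown-host"):
        print(agent, resolve(SAMPLE_AGENT_CONF, agent))
    print(canary_locations(SAMPLE_AGENT_CONF))
```

Running `resolve` for a production and a development host side by side shows the point raised in the thread: an `<ignore>` placed in the unnamed section is an exclusion from integrity monitoring on every agent, while one placed inside `name="fiona|shrek"` narrows the FIM blind spot to those hosts only. The canary paths are what you would drop into each section before restarting the agent, then grep the agent's ossec.log for.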