Hi Satish,

On Wed, Apr 20, 2011 at 10:10 AM, satish patel <[email protected]> wrote:
> Thanks Dan,
>
> On Tue, Apr 19, 2011 at 2:00 PM, dan (ddp) <[email protected]> wrote:
>> I don't know why that isn't working, but try adding the ignore to the
>> manager's ossec.conf. That should ignore it for all agents and the
>> manager.
>
> Ah! It will ignore it for all agents; that's not good because we have
> production and development, so I need this option on a specific agent. I
> believe in this case I need to add them to the local ossec.conf on each
> server.
>

You want to monitor the prelink.cache on production systems? I think
this is one of those files that will change somewhat regularly.
Anyways, it should work in the agent.conf or the ossec.conf.

>
>> I don't think <auto_ignore>no</auto_ignore> does anything on the
>> agents. It should be a manager side option.
>
> Again issue! I need this option only on production, not on testing and
> development.
>

Use 2 managers, one for production and one for testing. That'll not
only give you the ability to use different settings between the two
networks, but also split up the log collection based on security level
(assuming production is a higher security level than testing). You can
forward the logs from one OSSEC server to the other.

>> Make sure the agent.conf on the agents is getting updated, and make
>> sure the agent is using the correct sections. An easy way to do this
>> is to add a <localfile> into each section. Even if the file does not
>> exist on the agent, it should be mentioned in the ossec.log.
>
> You want me to add a fake entry and watch ossec.log to make sure it's
> working for a particular agent. Will do..
>
>

The log message will help you determine if that particular section of
the agent.conf is being used on that agent. I've noticed in the past
that agent.conf errors don't always show up in the logs, so an agent
may skip a section because of an error without letting you know. Using
a "fake" log file entry is an easy way to determine whether an
agent.conf section is being used.

>
>
>> On Tue, Apr 19, 2011 at 10:02 AM, satish patel <[email protected]> wrote:
>>> Hey Guys!
>>>
>>> This is again I am posting an issue about ignoring files and directories.
>>> Following is my agent.conf file; please let me know why it's not
>>> working. I restarted and rebooted the machine a thousand times on both
>>> client and server but still I am getting the alert :(
>>>
>>> Getting alert : Integrity checksum changed for: '/etc/prelink.cache'
>>>
>>> Following is my agent.conf file.
>>>
>>> root@vmg035:~# cat /var/ossec/etc/shared/agent.conf
>>> <agent_config>
>>>   <syscheck>
>>>
>>>     <!-- Frequency that syscheck is executed - default to every 2 hours -->
>>>     <frequency>7200</frequency>
>>>
>>>     <!-- Directories to check (perform all possible verifications) -->
>>>     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>>>     <directories check_all="yes">/bin,/sbin</directories>
>>>
>>>     <!-- No scan at service start time -->
>>>     <scan_on_start>no</scan_on_start>
>>>
>>>     <!-- Disable auto-ignoring of frequently changing files -->
>>>     <auto_ignore>no</auto_ignore>
>>>
>>>     <!-- Files/directories to ignore -->
>>>     <ignore>/etc/mtab</ignore>
>>>     <ignore>/etc/mnttab</ignore>
>>>     <ignore>/etc/hosts.deny</ignore>
>>>     <ignore>/etc/mail/statistics</ignore>
>>>     <ignore>/etc/random-seed</ignore>
>>>     <ignore>/etc/adjtime</ignore>
>>>     <ignore>/etc/httpd/logs</ignore>
>>>     <ignore>/etc/utmpx</ignore>
>>>     <ignore>/etc/wtmpx</ignore>
>>>     <ignore>/etc/cups/certs</ignore>
>>>     <ignore>/etc/dumpdates</ignore>
>>>     <ignore>/etc/svc/volatile</ignore>
>>>     <ignore>/etc/motd</ignore>
>>>     <ignore>/etc/printcap</ignore>
>>>     <ignore>/etc/prelink.cache</ignore>
>>>     <ignore>/etc/lvm/backup</ignore>
>>>   </syscheck>
>>>
>>>   <rootcheck>
>>>     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>>>     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>>>     <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
>>>     <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
>>>     <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
>>>     <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
>>>   </rootcheck>
>>> </agent_config>
>>>
>>> <!-- Redhat Linux Logfiles monitor for PROD boxes fiona and shrek -->
>>> <agent_config name="fiona|shrek">
>>>
>>>   <active-response>
>>>     <disabled>yes</disabled>
>>>   </active-response>
>>>
>>>   <localfile>
>>>     <log_format>syslog</log_format>
>>>     <location>/var/log/messages</location>
>>>   </localfile>
>>>
>>>   <localfile>
>>>     <log_format>syslog</log_format>
>>>     <location>/var/log/secure</location>
>>>   </localfile>
>>>
>>>   <localfile>
>>>     <log_format>syslog</log_format>
>>>     <location>/var/log/vsftpd.log</location>
>>>   </localfile>
>>>
>>>   <localfile>
>>>     <log_format>syslog</log_format>
>>>     <location>/var/log/maillog</location>
>>>   </localfile>
>>> </agent_config>
>>>
>>>
>>> <!-- Redhat Linux Logfiles monitor for TEST and DEV -->
>>> <agent_config name="dev01|dev02|dragon|donkey">
>>>
>>>   <active-response>
>>>     <disabled>yes</disabled>
>>>   </active-response>
>>>
>>>   <localfile>
>>>     <log_format>syslog</log_format>
>>>     <location>/var/log/messages</location>
>>>   </localfile>
>>>
>>>   <localfile>
>>>     <log_format>syslog</log_format>
>>>     <location>/var/log/secure</location>
>>>   </localfile>
>>>
>>>   <localfile>
>>>     <log_format>syslog</log_format>
>>>     <location>/var/log/vsftpd.log</location>
>>>   </localfile>
>>>
>>>   <localfile>
>>>     <log_format>syslog</log_format>
>>>     <location>/var/log/maillog</location>
>>>   </localfile>
>>> </agent_config>
>>>
>>> <!-- sebfwint1 extra logfiles for ubuntu OS -->
>>> <agent_config name="sebfw01">
>>>   <localfile>
>>>     <log_format>syslog</log_format>
>>>     <location>/var/log/auth.log</location>
>>>   </localfile>
>>>
>>>   <localfile>
>>>     <log_format>syslog</log_format>
>>>     <location>/var/log/syslog</location>
>>>   </localfile>
>>>
>>>   <localfile>
>>>     <log_format>syslog</log_format>
>>>     <location>/var/log/mail.info</location>
>>>   </localfile>
>>>
>>>   <localfile>
>>>     <log_format>syslog</log_format>
>>>     <location>/var/log/dpkg.log</location>
>>>   </localfile>
>>>
>>>   <localfile>
>>>     <log_format>apache</log_format>
>>>     <location>/var/log/apache2/error.log</location>
>>>   </localfile>
>>>
>>>   <localfile>
>>>     <log_format>apache</log_format>
>>>     <location>/var/log/apache2/access.log</location>
>>>   </localfile>
>>> </agent_config>
>>>
>>
>
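The thread turns on which agent.conf sections a given agent actually picks up (the unnamed section plus any named section listing it). The following is an added example, not OSSEC code or anything from the thread: it resolves the effective syscheck ignores and localfile locations for one agent from a constructed, trimmed copy of the posted agent.conf. It assumes a `name="a|b"` attribute is a '|'-separated list of agent names; OSSEC's real matcher is pattern based, so treat that as an approximation.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed copy of the agent.conf posted in the thread.
AGENT_CONF = """
<agent_config>
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <auto_ignore>no</auto_ignore>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/prelink.cache</ignore>
  </syscheck>
</agent_config>
<agent_config name="fiona|shrek">
  <localfile><log_format>syslog</log_format><location>/var/log/messages</location></localfile>
  <localfile><log_format>syslog</log_format><location>/var/log/secure</location></localfile>
</agent_config>
<agent_config name="dev01|dev02">
  <localfile><log_format>syslog</log_format><location>/var/log/auth.log</location></localfile>
</agent_config>
"""

def parse_sections(conf_text):
    # agent.conf holds several top-level <agent_config> elements, so wrap
    # them in a dummy root to obtain one well-formed XML document.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    return root.findall("agent_config")

def section_applies(section, agent_name):
    # An unnamed section applies to every agent. A name="a|b" attribute is
    # treated here as a '|'-separated list of agent names (assumption;
    # OSSEC's own matcher is pattern based).
    names = section.get("name")
    return names is None or agent_name in names.split("|")

def effective_config(conf_text, agent_name):
    """Return (syscheck ignores, localfile locations) applying to agent_name."""
    ignores, localfiles = [], []
    for sec in parse_sections(conf_text):
        if not section_applies(sec, agent_name):
            continue
        ignores += [i.text for i in sec.findall("syscheck/ignore")]
        localfiles += [l.text for l in sec.findall("localfile/location")]
    return ignores, localfiles
```

Running `effective_config(AGENT_CONF, "fiona")` shows the prelink.cache ignore is inherited from the unnamed section together with the two prod localfiles, which is the per-agent view you would compare against what ossec.log reports after Dan's "fake localfile" check.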
