Sorry for the delay. I'm seeing the same behavior. I'll try to look at
it later, but between moving and the code complexity it might be
beyond me right now.

On Tue, Jan 10, 2012 at 9:42 AM, Andy Jack <[email protected]> wrote:
> Hello Dan.  ossec-makelists does report that it is making a new .cdb:
>
> * File lists/employees.cdb need to be updated
>
> The longest I was waiting was 3-5 minutes.
>
> On a related note, I was trying to figure out if there was a format for
> comments in the text version of the list.  ossec-makelists appeared to
> put lines with leading '#' into the .cdb file (according to strings).  I
> guess I could come up with a simple Makefile to manage comments though.
>
> Thanks, Andy
>
> On Mon, Jan 09, 2012 at 08:33:59PM -0500, dan (ddp) wrote:
>> On Mon, Jan 9, 2012 at 4:27 PM, Andy Jack <[email protected]> wrote:
>> > Hello list!  So I'm working on a cdb list of users so there can be rules
>> > that differentiate when a user on the list vs. not on the list logs in,
>> > as described here:
>> >
>> > http://www.ossec.net/doc/manual/rules-decoders/rule-lists.html
>> >
>> > After confirming that the list is being read and the two rules are being
>> > alerted correctly (one for on-the-list, and the other for
>> > not-on-the-list), I tried modifying the text list and re-running
>> > bin/ossec-makelists to see if the alerts change when a user is taken off
>> > the list:
>> >
>> > 1) user1 and user2 are on the list, user3 is not.  run
>> > bin/ossec-makelists.  run ossec-control start.
>> > 2) logging in as either user1 or user2 alerts the on-the-list rule.
>> > logging in as user3 alerts the not-on-the-list rule.
>> > 3) modify the list, removing the line for user2.  re-run
>> > bin/ossec-makelists.  leave ossec running as-is.
>> > 4) logging in as user2 alerts the on-the-list rule still.
>> >
>> > According to the URL above, updating the cdb file should invalidate the
>> > mmap and make the analysis daemon re-read the db from disk as needed,
>> > but this doesn't appear to be happening.  Could I have something
>> > configured incorrectly?  Permissions issue perhaps?  Or do I have to
>> > wait a period of time for ossec to notice or purge a cache or something?
>> >
>> > root@pegasus:/var/ossec# ls -ld /var/ossec
>> > dr-xr-x--- 14 root ossec 4096 2012-01-09 14:13 /var/ossec
>> > root@pegasus:/var/ossec# ls -ld /var/ossec/lists
>> > drwxr-xr-x 2 root ossec 4096 2012-01-09 16:08 /var/ossec/lists
>> > root@pegasus:/var/ossec# ls -l /var/ossec/lists
>> > total 8
>> > -rw-r--r-- 1 root ossec   77 2012-01-09 16:08 employees
>> > -rw-r--r-- 1 root ossec 2345 2012-01-09 16:08 employees.cdb
>> >
>> > I just tried adding user4 to the list and remaking the cdb, and ossec
>> > still alerts as though user4 is not on the list.  The behavior seems to
>> > indicate that ossec isn't re-reading the updated lists.  I guess
>> > restarting ossec is a workaround but that's a pain for every list
>> > modification.
>> >
>> > Thanks,
>> > Andy
>>
>> I don't know the answer off hand, but how long do you wait?
>> Does ossec-makelists indicate that it's rebuilding the list?

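The thread never settles whether the compiled .cdb was rebuilt or whether analysisd simply kept the old mapping, and Andy also wonders whether '#' lines end up inside the .cdb. Both questions can be answered by reading the compiled file directly rather than guessing from `strings`. The following is an added example, not code from the OSSEC project or from anyone in this thread: a small writer and reader for the cdb format (djb's constant database, which ossec-makelists produces) in Python. It assumes the text list is one `key:value` entry per line, as the linked rule-lists documentation describes, and it treats `#` lines as comments only in its own `skip_comments` mode; whether ossec-makelists itself skips them is exactly what Andy is asking, so that is not asserted here. The sample list is constructed.

```python
import struct

# Added example, not OSSEC code. Minimal cdb writer/reader so that a compiled
# lists/*.cdb can be audited directly. The "key:value" line format and the
# handling of '#' lines are assumptions for this example, not the tool's rules.

def cdb_hash(key: bytes) -> int:
    """djb cdb hash: h = ((h << 5) + h) ^ c, 32-bit, seeded with 5381."""
    h = 5381
    for c in key:
        h = (((h << 5) + h) ^ c) & 0xFFFFFFFF
    return h

def parse_list_file(text: str, skip_comments: bool = True):
    """'key:value' lines -> (key, value) byte pairs; a kept '#' line becomes a key."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or (skip_comments and line.startswith("#")):
            continue
        key, _, value = line.partition(":")
        entries.append((key.strip().encode(), value.strip().encode()))
    return entries

def build_cdb(entries) -> bytes:
    """Serialise pairs as a cdb: 256-entry header, then records, then hash tables."""
    records = bytearray()
    buckets = [[] for _ in range(256)]      # bucket index is hash & 255
    pos = 2048                               # records start right after the header
    for key, value in entries:
        h = cdb_hash(key)
        buckets[h & 255].append((h, pos))
        rec = struct.pack("<II", len(key), len(value)) + key + value
        records += rec
        pos += len(rec)
    header, tables = bytearray(), bytearray()
    for bucket in buckets:
        n = 2 * len(bucket)                  # each table is at most half full
        header += struct.pack("<II", pos, n)
        slots = [(0, 0)] * n
        for h, p in bucket:                  # linear probing from (h >> 8) % n
            i = (h >> 8) % n
            while slots[i][1] != 0:
                i = (i + 1) % n
            slots[i] = (h, p)
        for h, p in slots:
            tables += struct.pack("<II", h, p)
        pos += 8 * n
    return bytes(header + records + tables)

def cdb_lookup(data: bytes, key: bytes):
    """Value stored for key, or None; probes the same way the writer inserted."""
    h = cdb_hash(key)
    tpos, tlen = struct.unpack_from("<II", data, 8 * (h & 255))
    if tlen == 0:
        return None
    slot = (h >> 8) % tlen
    for _ in range(tlen):
        hh, p = struct.unpack_from("<II", data, tpos + 8 * slot)
        if p == 0:                           # empty slot terminates the chain
            return None
        if hh == h:
            klen, dlen = struct.unpack_from("<II", data, p)
            if data[p + 8:p + 8 + klen] == key:
                return data[p + 8 + klen:p + 8 + klen + dlen]
        slot = (slot + 1) % tlen
    return None

def cdb_keys(data: bytes):
    """Walk the record area and list every key the compiled file really holds."""
    end = struct.unpack_from("<I", data, 0)[0]   # first table begins where records end
    pos, keys = 2048, []
    while pos < end:
        klen, dlen = struct.unpack_from("<II", data, pos)
        keys.append(data[pos + 8:pos + 8 + klen])
        pos += 8 + klen + dlen
    return keys

# Constructed sample standing in for the poster's lists/employees file.
EMPLOYEES_TXT = """\
# staff list (constructed sample)
user1:staff
user2:staff
"""

def audit_demo():
    """Compile the sample with and without comment handling and compare."""
    strict = build_cdb(parse_list_file(EMPLOYEES_TXT))
    loose = build_cdb(parse_list_file(EMPLOYEES_TXT, skip_comments=False))
    return {
        "user1": cdb_lookup(strict, b"user1"),   # b"staff": on the list
        "user3": cdb_lookup(strict, b"user3"),   # None: not on the list
        "strict_keys": cdb_keys(strict),         # [b"user1", b"user2"]
        "loose_keys": cdb_keys(loose),           # the '#' line is stored as a key
    }
```

Running `cdb_keys()` over the real `lists/employees.cdb` after re-running ossec-makelists shows whether user2 is still a key in the file on disk; if it is gone there but the on-the-list rule still fires, the problem is analysisd not re-reading the file, not the rebuild. Dumping the keys also settles the comment question for a given build without relying on `strings`.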