I am using OSSEC 2.6 server + agents on CentOS 5.3 64-bit. I have an
issue with the Integrity checksum changed alert being delayed over 1 day.
For example, I modified a file on a machine last Fri, but the OSSEC
server alerted me of the integrity change this Wed. I have set up the server
and agent to do syscheck at 20:00 every day.
Why is the checksum change alert delayed so long?
Server config:
<ossec_config>
<global>
<alerts>
<email_alert_level>8</email_alert_level>
<log_alert_level>1</log_alert_level>
</alerts>
<reports>
<category>syscheck</category>
<title>OSSEC Daily Report: File Integrity Check Result</title>
<email_to>[email protected]</email_to>
<showlogs>yes</showlogs>
</reports>
<syscheck>
<!-- Frequency that syscheck is executed - default to every 22 hours -->
<!-- <frequency>72000</frequency> -->
<scan_time>20:00</scan_time>
<alert_new_files>yes</alert_new_files>
<auto_ignore>no</auto_ignore>
<scan_on_start>no</scan_on_start>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/prelink.cache</ignore>
<ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<!-- Windows files to ignore -->
<ignore>C:\WINDOWS/System32/LogFiles</ignore>
<ignore>C:\WINDOWS/Debug</ignore>
<ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
<ignore>C:\WINDOWS/iis6.log</ignore>
<ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
<ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
<ignore>C:\WINDOWS/Prefetch</ignore>
<ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
<ignore>C:\WINDOWS/SoftwareDistribution</ignore>
<ignore>C:\WINDOWS/Temp</ignore>
<ignore>C:\WINDOWS/system32/config</ignore>
<ignore>C:\WINDOWS/system32/spool</ignore>
<ignore>C:\WINDOWS/system32/CatRoot</ignore>
</syscheck>
</global>
</ossec_config>
Agent config:
<agent_config>
<syscheck>
<!-- Frequency that syscheck is executed - default to every 22 hours -->
<!-- <frequency>72000</frequency> -->
<scan_time>20:00</scan_time>
<alert_new_files>yes</alert_new_files>
<scan_on_start>no</scan_on_start>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes" report_changes="yes">/home/user/programA</directories>
<directories check_all="yes" report_changes="yes">/home/user/programB</directories>
</syscheck>
</agent_config>
Server Logs:
2012/02/12 20:00:31 ossec-syscheckd: INFO: Starting syscheck scan.
2012/02/12 20:26:50 ossec-syscheckd: INFO: Ending syscheck scan.
2012/02/13 00:00:24 ossec-monitord: INFO: Starting daily reporting for 'OSSEC Daily Report: File Integrity Check Result'
2012/02/13 00:00:30 ossec-monitord: INFO: Report 'OSSEC Daily Report: File Integrity Check Result' completed. Creating output...
2012/02/13 20:01:51 ossec-syscheckd: INFO: Starting syscheck scan.
2012/02/13 20:29:22 ossec-syscheckd: INFO: Ending syscheck scan.
2012/02/14 00:00:55 ossec-monitord: INFO: Starting daily reporting for 'OSSEC Daily Report: File Integrity Check Result'
2012/02/14 00:01:02 ossec-monitord: INFO: Report 'OSSEC Daily Report: File Integrity Check Result' completed. Creating output...
2012/02/14 20:04:22 ossec-syscheckd: INFO: Starting syscheck scan.
2012/02/14 20:30:58 ossec-syscheckd: INFO: Ending syscheck scan.
2012/02/15 00:01:35 ossec-monitord: INFO: Starting daily reporting for 'OSSEC Daily Report: File Integrity Check Result'
2012/02/15 00:01:43 ossec-monitord: INFO: Report 'OSSEC Daily Report: File Integrity Check Result' completed. Creating output...
Agent Logs:
2012/02/13 20:04:19 ossec-syscheckd: INFO: Starting syscheck scan.
2012/02/13 21:10:10 ossec-agentd: INFO: Event count after '20000': 3409487->3024784 (88%)
2012/02/13 22:39:01 ossec-syscheckd: WARN: Error opening directory: '/home/user/programB': No such file or directory
2012/02/13 22:39:25 ossec-syscheckd: INFO: Ending syscheck scan.
2012/02/14 11:10:24 ossec-agentd: INFO: Event count after '20000': 3379049->3028584 (89%)
2012/02/14 20:04:25 ossec-syscheckd: INFO: Starting syscheck scan.
2012/02/14 21:10:34 ossec-agentd: INFO: Event count after '20000': 3404780->3021480 (88%)
2012/02/14 22:39:10 ossec-syscheckd: WARN: Error opening directory: '/home/user/programB': No such file or directory
2012/02/14 22:39:34 ossec-syscheckd: INFO: Ending syscheck scan.
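The logs above are the first thing to measure when a syscheck alert arrives late: how long each scan actually runs on the server and on the agent, and what syscheckd warns about while scanning. The following script is an added example, not part of the original post or of OSSEC itself. It parses the server and agent log lines as quoted in the post (unwrapped onto single lines), pairs each "Starting syscheck scan" with the next "Ending syscheck scan", reports the duration, and attaches any WARN lines that syscheckd emitted during that scan. The log text is embedded inline so the script runs offline; the field layout it assumes is the `date time daemon: LEVEL: message` format visible in the post.

```python
import re
from datetime import datetime

# Log lines copied from the post (server and agent), unwrapped onto single lines.
SERVER_LOG = """\
2012/02/12 20:00:31 ossec-syscheckd: INFO: Starting syscheck scan.
2012/02/12 20:26:50 ossec-syscheckd: INFO: Ending syscheck scan.
2012/02/13 00:00:24 ossec-monitord: INFO: Starting daily reporting for 'OSSEC Daily Report: File Integrity Check Result'
2012/02/13 20:01:51 ossec-syscheckd: INFO: Starting syscheck scan.
2012/02/13 20:29:22 ossec-syscheckd: INFO: Ending syscheck scan.
2012/02/14 20:04:22 ossec-syscheckd: INFO: Starting syscheck scan.
2012/02/14 20:30:58 ossec-syscheckd: INFO: Ending syscheck scan.
"""

AGENT_LOG = """\
2012/02/13 20:04:19 ossec-syscheckd: INFO: Starting syscheck scan.
2012/02/13 21:10:10 ossec-agentd: INFO: Event count after '20000': 3409487->3024784 (88%)
2012/02/13 22:39:01 ossec-syscheckd: WARN: Error opening directory: '/home/user/programB': No such file or directory
2012/02/13 22:39:25 ossec-syscheckd: INFO: Ending syscheck scan.
2012/02/14 11:10:24 ossec-agentd: INFO: Event count after '20000': 3379049->3028584 (89%)
2012/02/14 20:04:25 ossec-syscheckd: INFO: Starting syscheck scan.
2012/02/14 21:10:34 ossec-agentd: INFO: Event count after '20000': 3404780->3021480 (88%)
2012/02/14 22:39:10 ossec-syscheckd: WARN: Error opening directory: '/home/user/programB': No such file or directory
2012/02/14 22:39:34 ossec-syscheckd: INFO: Ending syscheck scan.
"""

# Assumed layout: "YYYY/MM/DD HH:MM:SS daemon: LEVEL: message", as seen in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w-]+): (?P<level>[A-Z]+): (?P<msg>.*)$"
)


def parse_lines(text):
    """Yield (timestamp, daemon, level, message) for every well-formed line;
    lines that do not match the layout are skipped rather than raising."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
        yield ts, m.group("daemon"), m.group("level"), m.group("msg")


def syscheck_scans(text):
    """Pair each 'Starting syscheck scan' with the next 'Ending syscheck scan'.

    Returns a list of dicts: start, end, duration_s and the WARN messages
    ossec-syscheckd logged while that scan was running.  A start with no
    matching end is kept with end=None so an interrupted scan is visible."""
    scans = []
    current = None
    for ts, daemon, level, msg in parse_lines(text):
        if daemon != "ossec-syscheckd":
            continue  # agentd/monitord lines are not part of the scan itself
        if msg.startswith("Starting syscheck scan"):
            if current is not None:
                scans.append(current)  # previous scan never logged an end
            current = {"start": ts, "end": None, "duration_s": None, "warnings": []}
        elif current is None:
            continue  # syscheckd line outside any scan window
        elif msg.startswith("Ending syscheck scan"):
            current["end"] = ts
            current["duration_s"] = int((ts - current["start"]).total_seconds())
            scans.append(current)
            current = None
        elif level == "WARN":
            current["warnings"].append(msg)
    if current is not None:
        scans.append(current)
    return scans


def summarize(label, text):
    """Human-readable per-scan summary: duration in minutes plus warnings."""
    out = [label]
    for s in syscheck_scans(text):
        if s["end"] is None:
            out.append(f"  {s['start']:%Y-%m-%d %H:%M}: scan started, no end logged")
        else:
            out.append(f"  {s['start']:%Y-%m-%d %H:%M}: scan took "
                       f"{s['duration_s'] // 60} min, {len(s['warnings'])} warning(s)")
        for w in s["warnings"]:
            out.append("      WARN " + w)
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize("server:", SERVER_LOG))
    print(summarize("agent:", AGENT_LOG))
```

Run against the post's own lines, the summary shows the server scans finishing in about 26 minutes while each agent scan runs for roughly two and a half hours and logs that `/home/user/programB` does not exist; both are facts already in the logs, but measuring them per scan is the step to take before looking at the scheduling settings.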