I know I said I was done with this thread since you were being
difficult, but I'm a glutton for punishment.

On Thu, Jun 21, 2012 at 2:44 PM, Wilson Ricardo <[email protected]> wrote:
> The NFS volumes are still being checked.
>

How do you know it's being checked? Is it mentioned as being monitored
in the /var/ossec/logs/ossec.log on the agent? The entries would look
like:
TIMESTAMP ossec-syscheckd: INFO: Monitoring directory: '/var/www'

If it does show up, and the configs you posted were really the ones
you're using, I'd suggest removing most of the configs (note that none
of the posted <directories> entries even list /var/www, so if it really
is being scanned the running config is not the one you posted). Then
check to see if it's still happening. If so, something is WAY wrong. If
not, start putting small bits of config back in place.


> Is it impossible to avoid checking these volumes?
>
> Best regards
>
> On Fri, Jun 15, 2012 at 4:17 PM, Wilson Ricardo <[email protected]> wrote:
>> ossec-agent.conf:
>> <ossec_config>
>>  <client>
>>    <server-ip>SERVERIP</server-ip>
>>  </client>
>>
>>  <syscheck>
>>    <!-- Frequency that syscheck is executed -- default every 2 hours -->
>>    <frequency>7200</frequency>
>>
>>    <!-- Directories to check  (perform all possible verifications) -->
>>    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>>    <directories check_all="yes">/bin,/sbin</directories>
>>
>>    <!-- Files/directories to ignore -->
>>    <ignore>/etc/mtab</ignore>
>>    <ignore>/etc/mnttab</ignore>
>>    <ignore>/etc/hosts.deny</ignore>
>>    <ignore>/etc/mail/statistics</ignore>
>>    <ignore>/etc/random-seed</ignore>
>>    <ignore>/etc/adjtime</ignore>
>>    <ignore>/etc/httpd/logs</ignore>
>>    <ignore>/etc/utmpx</ignore>
>>    <ignore>/etc/wtmpx</ignore>
>>    <ignore>/etc/cups/certs</ignore>
>>    <ignore>/etc/svc/volatile</ignore>
>>    <ignore>/usr/bin/inotifywait</ignore>
>>    <ignore>/usr/bin/inotifywatch</ignore>
>>    <ignore>/var/www</ignore>
>>  </syscheck>
>>
>>  <rootcheck>
>>    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>>    
>> <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>>    <ignore>/usr/bin/inotifywait</ignore>
>>    <ignore>/usr/bin/inotifywatch</ignore>
>>    <ignore>/var/www</ignore>
>>
>>  </rootcheck>
>>
>>  <localfile>
>>    <log_format>syslog</log_format>
>>    <location>/var/log/messages</location>
>>  </localfile>
>>
>>  <localfile>
>>    <log_format>syslog</log_format>
>>    <location>/var/log/secure</location>
>>  </localfile>
>>
>>  <localfile>
>>    <log_format>syslog</log_format>
>>    <location>/var/log/maillog</location>
>>  </localfile>
>>
>> </ossec_config>
>>
>>
>>
>>
>>
>>
>> ossec.conf:
>> <ossec_config>
>>  <global>
>>    <email_notification>yes</email_notification>
>>    <email_to>EMAIL</email_to>
>>    <smtp_server>127.0.0.1</smtp_server>
>>    <email_from>EMAIL</email_from>
>>  </global>
>>
>>
>>  <syscheck>
>>    <!-- Frequency that syscheck is executed - default to every 22 hours -->
>>    <frequency>79200</frequency>
>>
>>    <!-- Directories to check  (perform all possible verifications) -->
>>    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>>    <directories check_all="yes">/bin,/sbin</directories>
>>
>>    <!-- Files/directories to ignore -->
>>    <ignore>/etc/mtab</ignore>
>>    <ignore>/etc/mnttab</ignore>
>>    <ignore>/etc/hosts.deny</ignore>
>>    <ignore>/etc/mail/statistics</ignore>
>>    <ignore>/etc/random-seed</ignore>
>>    <ignore>/etc/adjtime</ignore>
>>    <ignore>/etc/httpd/logs</ignore>
>>    <ignore>/etc/utmpx</ignore>
>>    <ignore>/etc/wtmpx</ignore>
>>    <ignore>/etc/cups/certs</ignore>
>>    <ignore>/etc/dumpdates</ignore>
>>    <ignore>/etc/svc/volatile</ignore>
>>    <ignore>/usr/bin/inotifywait</ignore>
>>    <ignore>/usr/bin/inotifywatch</ignore>
>>    <ignore>/var/www</ignore>
>>
>>
>>    <!-- Windows files to ignore -->
>>    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>>    <ignore>C:\WINDOWS/Debug</ignore>
>>    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>>    <ignore>C:\WINDOWS/iis6.log</ignore>
>>    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>>    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>>    <ignore>C:\WINDOWS/Prefetch</ignore>
>>    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>>    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>>    <ignore>C:\WINDOWS/Temp</ignore>
>>    <ignore>C:\WINDOWS/system32/config</ignore>
>>    <ignore>C:\WINDOWS/system32/spool</ignore>
>>    <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>>  </syscheck>
>>
>>  <rootcheck>
>>    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>>    
>> <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>>    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
>>    
>> <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
>>    <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
>>    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
>>    <ignore>/var/www</ignore>
>>  </rootcheck>
>>
>>  <active-response>
>>    <disabled>yes</disabled>
>>  </active-response>
>>
>>
>>  <remote>
>>    <connection>syslog</connection>
>>  </remote>
>>
>>  <remote>
>>    <connection>secure</connection>
>>  </remote>
>>
>>  <alerts>
>>    <log_alert_level>1</log_alert_level>
>>    <email_alert_level>7</email_alert_level>
>>  </alerts>
>>  <!-- Files to monitor (localfiles) -->
>>
>>  <localfile>
>>    <log_format>syslog</log_format>
>>    <location>/var/log/messages</location>
>>  </localfile>
>>
>>  <localfile>
>>    <log_format>syslog</log_format>
>>    <location>/var/log/secure</location>
>>  </localfile>
>>
>>  <localfile>
>>    <log_format>syslog</log_format>
>>    <location>/var/log/maillog</location>
>>  </localfile>
>> </ossec_config>
>>
>> <ossec_config>  <!-- rules global entry -->
>>  <rules>
>>    <include>rules_config.xml</include>
>>    <include>pam_rules.xml</include>
>>    <include>sshd_rules.xml</include>
>>    <include>telnetd_rules.xml</include>
>>    <include>syslog_rules.xml</include>
>>    <include>arpwatch_rules.xml</include>
>>    <include>symantec-av_rules.xml</include>
>>    <include>symantec-ws_rules.xml</include>
>>    <include>pix_rules.xml</include>
>>    <include>named_rules.xml</include>
>>    <include>smbd_rules.xml</include>
>>    <include>vsftpd_rules.xml</include>
>>    <include>pure-ftpd_rules.xml</include>
>>    <include>proftpd_rules.xml</include>
>>    <include>ms_ftpd_rules.xml</include>
>>    <include>ftpd_rules.xml</include>
>>    <include>hordeimp_rules.xml</include>
>>    <include>roundcube_rules.xml</include>
>>    <include>wordpress_rules.xml</include>
>>    <include>cimserver_rules.xml</include>
>>    <include>vpopmail_rules.xml</include>
>>    <include>vmpop3d_rules.xml</include>
>>    <include>courier_rules.xml</include>
>>    <include>web_rules.xml</include>
>>    <include>apache_rules.xml</include>
>>    <include>nginx_rules.xml</include>
>>    <include>php_rules.xml</include>
>>    <include>mysql_rules.xml</include>
>>    <include>postgresql_rules.xml</include>
>>    <include>ids_rules.xml</include>
>>    <include>squid_rules.xml</include>
>>    <include>firewall_rules.xml</include>
>>    <include>cisco-ios_rules.xml</include>
>>    <include>netscreenfw_rules.xml</include>
>>    <include>sonicwall_rules.xml</include>
>>    <include>postfix_rules.xml</include>
>>    <include>sendmail_rules.xml</include>
>>    <include>imapd_rules.xml</include>
>>    <include>mailscanner_rules.xml</include>
>>    <include>dovecot_rules.xml</include>
>>    <include>ms-exchange_rules.xml</include>
>>    <include>racoon_rules.xml</include>
>>    <include>vpn_concentrator_rules.xml</include>
>>    <include>spamd_rules.xml</include>
>>    <include>msauth_rules.xml</include>
>>    <include>mcafee_av_rules.xml</include>
>>    <include>trend-osce_rules.xml</include>
>>    <include>ms-se_rules.xml</include>
>>    <!-- <include>policy_rules.xml</include> -->
>>    <include>zeus_rules.xml</include>
>>    <include>solaris_bsm_rules.xml</include>
>>    <include>vmware_rules.xml</include>
>>    <include>ms_dhcp_rules.xml</include>
>>    <include>asterisk_rules.xml</include>
>>    <include>ossec_rules.xml</include>
>>    <include>attack_rules.xml</include>
>>    <include>openbsd_rules.xml</include>
>>    <include>clam_av_rules.xml</include>
>>    <include>bro-ids_rules.xml</include>
>>    <include>dropbear_rules.xml</include>
>>    <include>local_rules.xml</include>
>>  </rules>
>> </ossec_config>  <!-- rules global entry -->
>>
>>
>> Sorry for the delay! Thanks again!
>>
>>
>>
>> On Thu, Jun 14, 2012 at 1:27 PM, Wilson Ricardo <[email protected]> 
>> wrote:
>>> Hmmm... I will check these points.
>>>
>>> Thanks!
>>>
>>> On Thu, Jun 14, 2012 at 1:25 PM, dan (ddp) <[email protected]> wrote:
>>>> On Thu, Jun 14, 2012 at 12:15 PM, Wilson Ricardo <[email protected]> 
>>>> wrote:
>>>>> I changed the IP address and contact details to avoid exposing these things....
>>>>> this list is indexed on Google.
>>>>>
>>>>
>>>> I understand that, but this:
>>>>
>>>>>>>>>    <email_notification>yes</email_notification>
>>>>>>>>>    <email_to>wmail@email</email_to>
>>>>>>>>>    <smtp_server>smtp.int</smtp_server>
>>>>>>>>>    <email_from>logserver@IPDOSERVIDOR</email_from>
>>>>
>>>> and this:
>>>>
>>>>>>>>>  <rules>
>>>>>>>>>    <include>rules_config.xml</include>
>>>>>>>>>    <include>pam_rules.xml</include>
>>>>>>>>>    <include>sshd_rules.xml</include>
>>>>>>>>>    <include>telnetd_rules.xml</include>
>>>>>>>>>    <include>syslog_rules.xml</include>
>>>>>>>>>    <include>arpwatch_rules.xml</include>
>>>>>>>>>    <include>symantec-av_rules.xml</include>
>>>>>>>>>    <include>symantec-ws_rules.xml</include>
>>>>>>>>>    <include>pix_rules.xml</include>
>>>>>>>>>    <include>named_rules.xml</include>
>>>>>>>>>    <include>smbd_rules.xml</include>
>>>>>>>>>    <include>vsftpd_rules.xml</include>
>>>>>>>>>    <include>pure-ftpd_rules.xml</include>
>>>>>>>>>    <include>proftpd_rules.xml</include>
>>>>>>>>>    <include>ms_ftpd_rules.xml</include>
>>>>>>>>>    <include>ftpd_rules.xml</include>
>>>>>>>>>    <include>hordeimp_rules.xml</include>
>>>>>>>>>    <include>roundcube_rules.xml</include>
>>>>>>>>>    <include>wordpress_rules.xml</include>
>>>>>>>>>    <include>cimserver_rules.xml</include>
>>>>>>>>>    <include>vpopmail_rules.xml</include>
>>>>>>>>>    <include>vmpop3d_rules.xml</include>
>>>>>>>>>    <include>courier_rules.xml</include>
>>>>>>>>>    <include>web_rules.xml</include>
>>>>>>>>>    <include>apache_rules.xml</include>
>>>>>>>>>    <include>nginx_rules.xml</include>
>>>>>>>>>    <include>php_rules.xml</include>
>>>>>>>>>    <include>mysql_rules.xml</include>
>>>>>>>>>    <include>postgresql_rules.xml</include>
>>>>>>>>>    <include>ids_rules.xml</include>
>>>>>>>>>    <include>squid_rules.xml</include>
>>>>>>>>>    <include>firewall_rules.xml</include>
>>>>>>>>>    <include>cisco-ios_rules.xml</include>
>>>>>>>>>    <include>netscreenfw_rules.xml</include>
>>>>>>>>>    <include>sonicwall_rules.xml</include>
>>>>>>>>>    <include>postfix_rules.xml</include>
>>>>>>>>>    <include>sendmail_rules.xml</include>
>>>>>>>>>    <include>imapd_rules.xml</include>
>>>>>>>>>    <include>mailscanner_rules.xml</include>
>>>>>>>>>    <include>dovecot_rules.xml</include>
>>>>>>>>>    <include>ms-exchange_rules.xml</include>
>>>>>>>>>    <include>racoon_rules.xml</include>
>>>>>>>>>    <include>vpn_concentrator_rules.xml</include>
>>>>>>>>>    <include>spamd_rules.xml</include>
>>>>>>>>>    <include>msauth_rules.xml</include>
>>>>>>>>>    <include>mcafee_av_rules.xml</include>
>>>>>>>>>    <include>trend-osce_rules.xml</include>
>>>>>>>>>    <include>ms-se_rules.xml</include>
>>>>>>>>>    <!-- <include>policy_rules.xml</include> -->
>>>>>>>>>    <include>zeus_rules.xml</include>
>>>>>>>>>    <include>solaris_bsm_rules.xml</include>
>>>>>>>>>    <include>vmware_rules.xml</include>
>>>>>>>>>    <include>ms_dhcp_rules.xml</include>
>>>>>>>>>    <include>asterisk_rules.xml</include>
>>>>>>>>>    <include>ossec_rules.xml</include>
>>>>>>>>>    <include>attack_rules.xml</include>
>>>>>>>>>    <include>openbsd_rules.xml</include>
>>>>>>>>>    <include>clam_av_rules.xml</include>
>>>>>>>>>    <include>bro-ids_rules.xml</include>
>>>>>>>>>    <include>dropbear_rules.xml</include>
>>>>>>>>>    <include>local_rules.xml</include>
>>>>>>>>>  </rules>
>>>>
>>>> and this:
>>>>
>>>>>>>>>  <remote>
>>>>>>>>>    <connection>syslog</connection>
>>>>>>>>>  </remote>
>>>>>>>>>  <remote>
>>>>>>>>>    <connection>secure</connection>
>>>>>>>>>  </remote>
>>>>>>>>>  <alerts>
>>>>>>>>>    <log_alert_level>1</log_alert_level>
>>>>>>>>>    <email_alert_level>7</email_alert_level>
>>>>>>>>>  </alerts>
>>>>
>>>> do _not_ belong in an agent's ossec.conf. They belong in the server's
>>>> ossec.conf. The ossec.conf you provided is not the ossec.conf on your
>>>> agents, or you have big big issues.
>>>>
>>>> Either way, good luck. Hopefully someone else wants to try and dig
>>>> this information out of you.
>>>>
>>>>> Is "<ignore>/var/www*</ignore>" valid?
>>>>>
>>>>
>>>> Do you want to ignore the literal '/var/www*'? If so, then yes. If you
>>>> do not have a file named 'www*' (asterisk included), then it is
>>>> incorrect.
>>>>
>>>>> On Thu, Jun 14, 2012 at 1:09 PM, dan (ddp) <[email protected]> wrote:
>>>>>> On Thu, Jun 14, 2012 at 12:07 PM, Wilson Ricardo <[email protected]> 
>>>>>> wrote:
>>>>>>> It is the config from the client.
>>>>>>>
>>>>>>
>>>>>> You are either incorrect or you have bigger problems than /var/www
>>>>>> being checked. The agents will not have the rules/email stuff defined,
>>>>>> and will have a server-ip.
>>>>>>
>>>>>> I also stick by my sregex comment.
>>>>>>
>>>>>>> On Thu, Jun 14, 2012 at 12:49 PM, dan (ddp) <[email protected]> wrote:
>>>>>>>> On Thu, Jun 14, 2012 at 11:36 AM, Wilson Ricardo 
>>>>>>>> <[email protected]> wrote:
>>>>>>>>> ossec.conf:
>>>>>>>>> <ossec_config>
>>>>>>>>>  <global>
>>>>>>>>>    <email_notification>yes</email_notification>
>>>>>>>>>    <email_to>wmail@email</email_to>
>>>>>>>>>    <smtp_server>smtp.int</smtp_server>
>>>>>>>>>    <email_from>logserver@IPDOSERVIDOR</email_from>
>>>>>>>>>  </global>
>>>>>>>>>
>>>>>>>>
>>>>>>>> Are the agents checking /var/www or is the OSSEC server? This appears
>>>>>>>> to be the server's ossec.conf. You didn't provide the agents'
>>>>>>>> ossec.conf?
>>>>>>>>
>>>>>>>>>  <rules>
>>>>>>>>>    <include>rules_config.xml</include>
>>>>>>>>>    <include>pam_rules.xml</include>
>>>>>>>>>    <include>sshd_rules.xml</include>
>>>>>>>>>    <include>telnetd_rules.xml</include>
>>>>>>>>>    <include>syslog_rules.xml</include>
>>>>>>>>>    <include>arpwatch_rules.xml</include>
>>>>>>>>>    <include>symantec-av_rules.xml</include>
>>>>>>>>>    <include>symantec-ws_rules.xml</include>
>>>>>>>>>    <include>pix_rules.xml</include>
>>>>>>>>>    <include>named_rules.xml</include>
>>>>>>>>>    <include>smbd_rules.xml</include>
>>>>>>>>>    <include>vsftpd_rules.xml</include>
>>>>>>>>>    <include>pure-ftpd_rules.xml</include>
>>>>>>>>>    <include>proftpd_rules.xml</include>
>>>>>>>>>    <include>ms_ftpd_rules.xml</include>
>>>>>>>>>    <include>ftpd_rules.xml</include>
>>>>>>>>>    <include>hordeimp_rules.xml</include>
>>>>>>>>>    <include>roundcube_rules.xml</include>
>>>>>>>>>    <include>wordpress_rules.xml</include>
>>>>>>>>>    <include>cimserver_rules.xml</include>
>>>>>>>>>    <include>vpopmail_rules.xml</include>
>>>>>>>>>    <include>vmpop3d_rules.xml</include>
>>>>>>>>>    <include>courier_rules.xml</include>
>>>>>>>>>    <include>web_rules.xml</include>
>>>>>>>>>    <include>apache_rules.xml</include>
>>>>>>>>>    <include>nginx_rules.xml</include>
>>>>>>>>>    <include>php_rules.xml</include>
>>>>>>>>>    <include>mysql_rules.xml</include>
>>>>>>>>>    <include>postgresql_rules.xml</include>
>>>>>>>>>    <include>ids_rules.xml</include>
>>>>>>>>>    <include>squid_rules.xml</include>
>>>>>>>>>    <include>firewall_rules.xml</include>
>>>>>>>>>    <include>cisco-ios_rules.xml</include>
>>>>>>>>>    <include>netscreenfw_rules.xml</include>
>>>>>>>>>    <include>sonicwall_rules.xml</include>
>>>>>>>>>    <include>postfix_rules.xml</include>
>>>>>>>>>    <include>sendmail_rules.xml</include>
>>>>>>>>>    <include>imapd_rules.xml</include>
>>>>>>>>>    <include>mailscanner_rules.xml</include>
>>>>>>>>>    <include>dovecot_rules.xml</include>
>>>>>>>>>    <include>ms-exchange_rules.xml</include>
>>>>>>>>>    <include>racoon_rules.xml</include>
>>>>>>>>>    <include>vpn_concentrator_rules.xml</include>
>>>>>>>>>    <include>spamd_rules.xml</include>
>>>>>>>>>    <include>msauth_rules.xml</include>
>>>>>>>>>    <include>mcafee_av_rules.xml</include>
>>>>>>>>>    <include>trend-osce_rules.xml</include>
>>>>>>>>>    <include>ms-se_rules.xml</include>
>>>>>>>>>    <!-- <include>policy_rules.xml</include> -->
>>>>>>>>>    <include>zeus_rules.xml</include>
>>>>>>>>>    <include>solaris_bsm_rules.xml</include>
>>>>>>>>>    <include>vmware_rules.xml</include>
>>>>>>>>>    <include>ms_dhcp_rules.xml</include>
>>>>>>>>>    <include>asterisk_rules.xml</include>
>>>>>>>>>    <include>ossec_rules.xml</include>
>>>>>>>>>    <include>attack_rules.xml</include>
>>>>>>>>>    <include>openbsd_rules.xml</include>
>>>>>>>>>    <include>clam_av_rules.xml</include>
>>>>>>>>>    <include>bro-ids_rules.xml</include>
>>>>>>>>>    <include>dropbear_rules.xml</include>
>>>>>>>>>    <include>local_rules.xml</include>
>>>>>>>>>  </rules>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>  <syscheck>
>>>>>>>>>    <!-- Frequency that syscheck is executed - default to every 22 
>>>>>>>>> hours -->
>>>>>>>>>    <frequency>79200</frequency>
>>>>>>>>>
>>>>>>>>>    <!-- Directories to check  (perform all possible verifications) -->
>>>>>>>>>    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>>>>>>>>>    <directories check_all="yes">/bin,/sbin</directories>
>>>>>>>>>
>>>>>>>>>    <!-- Files/directories to ignore -->
>>>>>>>>>    <ignore>/etc/mtab</ignore>
>>>>>>>>>    <ignore>/etc/mnttab</ignore>
>>>>>>>>>    <ignore>/etc/hosts.deny</ignore>
>>>>>>>>>    <ignore>/etc/mail/statistics</ignore>
>>>>>>>>>    <ignore>/etc/random-seed</ignore>
>>>>>>>>>    <ignore>/etc/adjtime</ignore>
>>>>>>>>>    <ignore>/etc/httpd/logs</ignore>
>>>>>>>>>    <ignore>/etc/utmpx</ignore>
>>>>>>>>>    <ignore>/etc/wtmpx</ignore>
>>>>>>>>>    <ignore>/etc/cups/certs</ignore>
>>>>>>>>>    <ignore>/etc/dumpdates</ignore>
>>>>>>>>>    <ignore>/etc/prelink.cache</ignore>
>>>>>>>>>    <ignore>/etc/svc/volatile</ignore>
>>>>>>>>>    <ignore>/usr/bin/inotifywait</ignore>
>>>>>>>>>    <ignore>/usr/bin/inotifywatch</ignore>
>>>>>>>>>    <ignore type="sregex">/var/www*</ignore>
>>>>>>>>>    <ignore type="sregex">/OESP/www*</ignore>
>>>>>>>>>
>>>>>>>>
>>>>>>>> Very quickly, those aren't valid sregex entries: sregex has no '*'
>>>>>>>> wildcard, so the asterisk would be matched literally.
>>>>>>>>
>>>>>>>>>    <!-- Windows files to ignore -->
>>>>>>>>>    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>>>>>>>>>    <ignore>C:\WINDOWS/Debug</ignore>
>>>>>>>>>    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>>>>>>>>>    <ignore>C:\WINDOWS/iis6.log</ignore>
>>>>>>>>>    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>>>>>>>>>    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>>>>>>>>>    <ignore>C:\WINDOWS/Prefetch</ignore>
>>>>>>>>>    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>>>>>>>>>    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>>>>>>>>>    <ignore>C:\WINDOWS/Temp</ignore>
>>>>>>>>>    <ignore>C:\WINDOWS/system32/config</ignore>
>>>>>>>>>    <ignore>C:\WINDOWS/system32/spool</ignore>
>>>>>>>>>    <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>>>>>>>>>  </syscheck>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>  <rootcheck>
>>>>>>>>>    
>>>>>>>>> <rootkit_files>/var/ossec//etc/shared/rootkit_files.txt</rootkit_files>
>>>>>>>>>    
>>>>>>>>> <rootkit_trojans>/var/ossec//etc/shared/rootkit_trojans.txt</rootkit_trojans>
>>>>>>>>>    
>>>>>>>>> <system_audit>/var/ossec//etc/shared/system_audit_rcl.txt</system_audit>
>>>>>>>>>    
>>>>>>>>> <system_audit>/var/ossec//etc/shared/cis_rhel_linux_rcl.txt</system_audit>
>>>>>>>>>    
>>>>>>>>> <system_audit>/var/ossec//etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
>>>>>>>>>    <ignore>/usr/bin/inotifywait</ignore>
>>>>>>>>>    <ignore>/usr/bin/inotifywatch</ignore>
>>>>>>>>>    <ignore type="sregex">/var/www*</ignore>
>>>>>>>>>    <ignore type="sregex">/OESP/www*</ignore>
>>>>>>>>>  </rootcheck>
>>>>>>>>>
>>>>>>>>>  <remote>
>>>>>>>>>    <connection>syslog</connection>
>>>>>>>>>  </remote>
>>>>>>>>>  <remote>
>>>>>>>>>    <connection>secure</connection>
>>>>>>>>>  </remote>
>>>>>>>>>  <alerts>
>>>>>>>>>    <log_alert_level>1</log_alert_level>
>>>>>>>>>    <email_alert_level>7</email_alert_level>
>>>>>>>>>  </alerts>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>  <localfile>
>>>>>>>>>    <log_format>syslog</log_format>
>>>>>>>>>    <location>/var/log/messages</location>
>>>>>>>>>  </localfile>
>>>>>>>>>
>>>>>>>>>  <localfile>
>>>>>>>>>    <log_format>syslog</log_format>
>>>>>>>>>    <location>/var/log/secure</location>
>>>>>>>>>  </localfile>
>>>>>>>>>
>>>>>>>>>  <localfile>
>>>>>>>>>    <log_format>syslog</log_format>
>>>>>>>>>    <location>/var/log/maillog</location>
>>>>>>>>>  </localfile>
>>>>>>>>>
>>>>>>>>> </ossec_config>
>>>>>>>>>
>>>>>>>>> agent.conf:
>>>>>>>>> <agent_config os="Linux">
>>>>>>>>>  <syscheck>
>>>>>>>>>    <!-- Frequency that syscheck is executed - default to every 22 
>>>>>>>>> hours -->
>>>>>>>>>    <frequency>79200</frequency>
>>>>>>>>>
>>>>>>>>>    <!-- Directories to check  (perform all possible verifications) -->
>>>>>>>>>    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>>>>>>>>>    <directories check_all="yes">/bin,/sbin</directories>
>>>>>>>>>
>>>>>>>>>    <!-- Files/directories to ignore -->
>>>>>>>>>    <ignore>/etc/mtab</ignore>
>>>>>>>>>    <ignore>/etc/mnttab</ignore>
>>>>>>>>>    <ignore>/etc/hosts.deny</ignore>
>>>>>>>>>    <ignore>/etc/mail/statistics</ignore>
>>>>>>>>>    <ignore>/etc/random-seed</ignore>
>>>>>>>>>    <ignore>/etc/adjtime</ignore>
>>>>>>>>>    <ignore>/etc/httpd/logs</ignore>
>>>>>>>>>    <ignore>/etc/utmpx</ignore>
>>>>>>>>>    <ignore>/etc/wtmpx</ignore>
>>>>>>>>>    <ignore>/etc/cups/certs</ignore>
>>>>>>>>>    <ignore>/etc/dumpdates</ignore>
>>>>>>>>>    <ignore>/etc/svc/volatile</ignore>
>>>>>>>>>    <ignore>/usr/bin/inotifywait</ignore>
>>>>>>>>>    <ignore>/usr/bin/inotifywatch</ignore>
>>>>>>>>>    <ignore type="sregex">/var/www*</ignore>
>>>>>>>>>    <ignore type="sregex">/OESP/www*</ignore>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>  </syscheck>
>>>>>>>>>
>>>>>>>>>  <!-- Files to monitor (localfiles) -->
>>>>>>>>>  <localfile>
>>>>>>>>>    <log_format>syslog</log_format>
>>>>>>>>>    <location>/var/log/messages</location>
>>>>>>>>>  </localfile>
>>>>>>>>>
>>>>>>>>>  <localfile>
>>>>>>>>>    <log_format>syslog</log_format>
>>>>>>>>>    <location>/var/log/secure</location>
>>>>>>>>>  </localfile>
>>>>>>>>>
>>>>>>>>>  <localfile>
>>>>>>>>>    <log_format>syslog</log_format>
>>>>>>>>>    <location>/var/log/maillog</location>
>>>>>>>>>  </localfile>
>>>>>>>>>
>>>>>>>>>  <localfile>
>>>>>>>>>    <log_format>apache</log_format>
>>>>>>>>>    <location>/var/log/httpd/error_log</location>
>>>>>>>>>  </localfile>
>>>>>>>>>
>>>>>>>>>  <localfile>
>>>>>>>>>    <log_format>apache</log_format>
>>>>>>>>>    <location>/var/log/httpd/access_log</location>
>>>>>>>>>  </localfile>
>>>>>>>>>
>>>>>>>>>  <localfile>
>>>>>>>>>    <log_format>syslog</log_format>
>>>>>>>>>    <location>/var/ossec/logs/active-responses.log</location>
>>>>>>>>>  </localfile>
>>>>>>>>>
>>>>>>>>> </agent_config>
>>>>>>>>>
>>>>>>>>> <agent_config os="Windows">
>>>>>>>>>  <syscheck>
>>>>>>>>>    <!-- Frequency that syscheck is executed - default to every 22 
>>>>>>>>> hours -->
>>>>>>>>>    <frequency>79200</frequency>
>>>>>>>>>
>>>>>>>>>    <!-- Windows files to ignore -->
>>>>>>>>>    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>>>>>>>>>    <ignore>C:\WINDOWS/Debug</ignore>
>>>>>>>>>    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>>>>>>>>>    <ignore>C:\WINDOWS/iis6.log</ignore>
>>>>>>>>>    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>>>>>>>>>    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>>>>>>>>>    <ignore>C:\WINDOWS/Prefetch</ignore>
>>>>>>>>>    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>>>>>>>>>    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>>>>>>>>>    <ignore>C:\WINDOWS/Temp</ignore>
>>>>>>>>>    <ignore>C:\WINDOWS/system32/config</ignore>
>>>>>>>>>    <ignore>C:\WINDOWS/system32/spool</ignore>
>>>>>>>>>    <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>>>>>>>>>  </syscheck>
>>>>>>>>> </agent_config>
>>>>>>>>>
>>>>>>>>> <agent_config>
>>>>>>>>>  <rootcheck>
>>>>>>>>>    
>>>>>>>>> <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>>>>>>>>>    
>>>>>>>>> <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>>>>>>>>>    
>>>>>>>>> <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
>>>>>>>>>    
>>>>>>>>> <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
>>>>>>>>>    
>>>>>>>>> <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
>>>>>>>>>    
>>>>>>>>> <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
>>>>>>>>>    <ignore>/usr/bin/inotifywait</ignore>
>>>>>>>>>    <ignore>/usr/bin/inotifywatch</ignore>
>>>>>>>>>    <ignore type="sregex">/var/www*</ignore>
>>>>>>>>>    <ignore type="sregex">/OESP/www*</ignore>
>>>>>>>>>  </rootcheck>
>>>>>>>>> </agent_config>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
