I am trying to monitor one specific file on one server for any changes and to send email notification to several individuals when that file changes, no matter how often it changes, and including a diff of the changes. I am using a centralized configuration to manage ossec agents. The client server is running AIX 5.3 (so no real time monitoring available).
My .../ossec/etc/shared/agent.conf file is broken down by OS type, e.g. <agent_config os="Windows"> and <agent_config os="AIX|Linux|SunOS">. To this file I added machine-specific configuration to monitor my specific file (/usr/local/filename), i.e.:

    <agent_config name="aixserver11">
      <syscheck>
        <frequency>900</frequency>
        <directories check_all="yes" report_changes="yes">/usr/local/filename</directories>
      </syscheck>
    </agent_config>

From what I read you can either specify a full filename to monitor or you can use the restrict parameter to monitor a single file. The frequency is pretty short here for testing. As I understand it config matches are cumulative so both the AIX config and the aixserver11 config should apply to this server, and it appears to be doing so. I can see in my .../ossec/queue/diff/local directory the file is showing up and in the OSSEC log file on that server I see it is monitoring that specific file.

My main problem is with email notification. While OSSEC is certainly sending out some emails, I am trying to get this one particular syscheck to notify others when this file changes. From what I've read this is done in the ossec.conf file on the main OSSEC server. I have it set up as so (within the <ossec_config> section):

    <email_alerts>
      <email_to>[email protected]</email_to>
      <event_location>aixserver11</event_location>
      <group>syscheck</group>
      <do_not_delay />
      <do_not_group />
    </email_alerts>

(email address modified for posting)

The do_not_delay and do_not_group are in there for testing, I am not sure if they are really needed or not. In any case I am not getting any emails sent to the email address when changes occur, although I am seeing new diff files show up on the aix server.
I realize that I have not tailored the email notification to *only* the one file being changed but probably for any syscheck file changes on that server (under the aix config some standard directories are being monitored for changes) - it would be nice to address that as well. In one case a change was made and yet never detected until I restarted the OSSEC agent on the aix server. Any help with this would be appreciated.
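One way to sanity-check which cumulative agent.conf blocks reach a given agent, and whether the target file ends up with report_changes on, is to compute the effective syscheck set locally. This is an added example, not OSSEC's own code or logic: it assumes agent.conf holds several top-level <agent_config> elements, treats the `os` and `name` attributes as regexes searched against the agent's OS string and name, and uses a constructed sample config modelled on the post.

```python
"""Compute which agent.conf <agent_config> blocks apply to one agent.

Added example, not OSSEC code. Assumptions: a block with no attributes applies
to every agent; `os` is a regex searched against the agent's OS string and
`name` a regex against the agent name (a simplification of OSSEC's matching,
so treat the result as a sanity check, not proof of what the agent loaded).
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample agent.conf: per-OS blocks plus one per-host block.
AGENT_CONF = """
<agent_config os="Windows">
  <syscheck><directories check_all="yes">C:\\Windows\\System32</directories></syscheck>
</agent_config>
<agent_config os="AIX|Linux|SunOS">
  <syscheck><directories check_all="yes">/etc,/usr/bin</directories></syscheck>
</agent_config>
<agent_config name="aixserver11">
  <syscheck>
    <frequency>900</frequency>
    <directories check_all="yes" report_changes="yes">/usr/local/filename</directories>
  </syscheck>
</agent_config>
"""

def block_applies(block, agent_name, agent_os):
    """True if every selector on this <agent_config> block matches the agent."""
    name_re = block.get("name")
    os_re = block.get("os")
    if name_re and not re.search(name_re, agent_name):
        return False
    if os_re and not re.search(os_re, agent_os):
        return False
    return True  # no selectors, or all of them matched

def effective_syscheck(conf_text, agent_name, agent_os):
    """Return {path: report_changes} for every monitored path that applies."""
    # agent.conf has no single root element, so wrap it before parsing.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    monitored = {}
    for block in root.findall("agent_config"):
        if not block_applies(block, agent_name, agent_os):
            continue
        for dirs in block.findall("syscheck/directories"):
            report = dirs.get("report_changes", "no") == "yes"
            for path in (dirs.text or "").split(","):  # comma-separated paths
                if path.strip():
                    monitored[path.strip()] = report
    return monitored

if __name__ == "__main__":
    for path, report in effective_syscheck(AGENT_CONF, "aixserver11", "AIX").items():
        print(f"{path}: report_changes={report}")
```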
