Hi Dan, Thanks for the reply. My global setup is fine and I am getting many OSSEC emails to my global email. This is a recent new addition by me to do the single file monitoring and notification. File monitoring looks to be doing pretty well when I look at my OSSEC web UI.
The best clue I have is when I check from the OSSEC server manager for this particular client server, I see some file changed entries about 1.5 weeks ago, including 1st, 2nd and 3rd time modified. On the client server I see more recent entries in the queue diff directory, including diff updates. I don't know what the default timers are for when a file changes, such that it stops alerting after 3 notifications (does that last 1 day, etc. before more notifications would be sent to the server). At this point it looks like a disconnect between what the client sees vs. what the server is getting. Any ideas?

On Thursday, October 18, 2012 1:12:10 PM UTC-7, Scott wrote:
>
> I am trying to monitor one specific file on one server for any changes and to send email notification to several individuals when that file changes, no matter how often it changes, and including a diff of the changes. I am using a centralized configuration to manage OSSEC agents. The client server is running AIX 5.3 (so no real-time monitoring available).
>
> My .../ossec/etc/shared/agent.conf file is broken down by OS type, e.g. <agent_config os="Windows"> and <agent_config os="AIX|Linux|SunOS">. To this file I added machine-specific configuration to monitor my specific file (/usr/local/filename), i.e.:
>
> <agent_config name="aixserver11">
>   <syscheck>
>     <frequency>900</frequency>
>     <directories check_all="yes" report_changes="yes">/usr/local/filename</directories>
>   </syscheck>
> </agent_config>
>
> From what I read you can either specify a full filename to monitor or you can use the restrict parameter to monitor a single file. The frequency is pretty short here for testing.
>
> As I understand it config matches are cumulative so both the AIX config and the aixserver11 config should apply to this server, and it appears to be doing so.
>
> I can see in my .../ossec/queue/diff/local directory the file is showing up and in the OSSEC log file on that server I see it is monitoring that specific file. My main problem is with email notification. While OSSEC is certainly sending out some emails, I am trying to get this one particular syscheck to notify others when this file changes. From what I've read this is done in the ossec.conf file on the main OSSEC server. I have it set up as so (within the <ossec_config> section):
>
> <email_alerts>
>   <email_to>[email protected]</email_to> (email address modified for posting)
>   <event_location>aixserver11</event_location>
>   <group>syscheck</group>
>   <do_not_delay />
>   <do_not_group />
> </email_alerts>
>
> The do_not_delay and do_not_group are in there for testing, I am not sure if they are really needed or not. In any case I am not getting any emails sent to the email address when changes occur, although I am seeing new diff files show up on the AIX server. I realize that I have not tailored the email notification to *only* the one file being changed but probably for any syscheck file changes on that server (under the AIX config some standard directories are being monitored for changes) - it would be nice to address that as well. In one case a change was made and yet never detected until I restarted the OSSEC agent on the AIX server.
>
> Any help with this would be appreciated.
>
>
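An added illustration (not code from the thread or from OSSEC itself) of the cumulative matching Scott describes: every <agent_config> block whose selectors match the agent contributes its syscheck entries, so aixserver11 ends up with both the AIX directories and the single file with report_changes. The sample agent.conf, the regex-style matching of the os and name attributes, and the rule that a later <frequency> overrides an earlier one are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed agent.conf in the shape described in the post; the real file has
# several top-level <agent_config> elements, so it is wrapped before parsing.
AGENT_CONF = """
<agent_config os="AIX|Linux|SunOS">
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>
</agent_config>
<agent_config name="aixserver11">
  <syscheck>
    <frequency>900</frequency>
    <directories check_all="yes" report_changes="yes">/usr/local/filename</directories>
  </syscheck>
</agent_config>
"""

def block_applies(block, agent_name, uname):
    # A block applies when every selector it carries matches. The os and name
    # attributes are treated as regexes searched against the agent's uname
    # string and agent name (an assumption; OSSEC uses its own matcher).
    for attr, value in (("os", uname), ("name", agent_name)):
        pattern = block.get(attr)
        if pattern is not None and re.search(pattern, value) is None:
            return False
    return True

def effective_syscheck(conf_text, agent_name, uname):
    # Accumulate (path, report_changes) over all matching blocks in file order;
    # a later <frequency> overrides an earlier one. Returns (frequency, entries).
    root = ET.fromstring("<root>" + conf_text + "</root>")
    frequency, entries = None, []
    for block in root.findall("agent_config"):
        if not block_applies(block, agent_name, uname):
            continue
        for syscheck in block.findall("syscheck"):
            freq = syscheck.find("frequency")
            if freq is not None:
                frequency = int(freq.text)
            for d in syscheck.findall("directories"):
                report = d.get("report_changes", "no") == "yes"
                entries += [(p.strip(), report) for p in d.text.split(",")]
    return frequency, entries
```

Running effective_syscheck(AGENT_CONF, "aixserver11", "AIX aixserver11 3 5") yields frequency 900 and the three AIX directories plus /usr/local/filename flagged for report_changes, while a Linux agent with another name gets only the shared block.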
