I am not aware there is a timer to reset after a file is modified the 3rd
time.
You can look at syscheck database files under /var/ossec/queue/syscheck/
directory.
The first three characters of each line show how many times a file has been
changed.
"+++" means unchanged, while "!!!" means it has been changed 3 times.
For your testing, you can use 'syscheck_control -u <agent_id>' to clear the
agent syscheck database.
bin/syscheck_control
-u <id> Updates (clear) the database for the agent.
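As an added example (not from the original thread), a small Python parser that applies the point above to an agent's syscheck database: it reads the three-character change marker at the start of each line and lists files that have reached the third change, i.e. the ones syscheck will stay silent about until the database is cleared. The rest of the line layout (checksum fields, then `!<mtime>`, then the path) and the intermediate markers `!++` / `!!+` are assumed to follow the OSSEC syscheck DB format; the sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed line layout: <3-char change marker><checksum fields> !<mtime> <path>
LINE_RE = re.compile(
    r"^(?P<marker>[+!]{3})(?P<sums>\S*)\s+!(?P<mtime>\d+)\s+(?P<path>.+)$"
)

MAX_ALERTS = 3  # "+++" = never changed ... "!!!" = changed 3 times, no more alerts


@dataclass
class Entry:
    path: str
    changes: int  # number of '!' in the marker, 0..3
    mtime: int

    @property
    def suppressed(self) -> bool:
        # At the cap the entry stays silent until syscheck_control -u clears the DB
        return self.changes >= MAX_ALERTS


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for one database line, or None for lines that do not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None  # blank lines, comments, or an unexpected layout
    return Entry(path=m.group("path"),
                 changes=m.group("marker").count("!"),
                 mtime=int(m.group("mtime")))


def suppressed_files(lines: Iterable[str]) -> List[str]:
    """Paths whose change counter has reached MAX_ALERTS (alerting has stopped)."""
    return [e.path for e in map(parse_line, lines) if e is not None and e.suppressed]


# Constructed sample database content (placeholder hashes, not a real host).
SAMPLE_DB = """\
+++1234:33188:0:0:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb !1350000000 /etc/hosts
!++987:33188:0:0:cccccccccccccccccccccccccccccccc:dddddddddddddddddddddddddddddddddddddddd !1350001000 /etc/passwd
!!+55:33188:0:0:eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee:ffffffffffffffffffffffffffffffffffffffff !1350002000 /etc/group
!!!2048:33188:0:0:00000000000000000000000000000000:1111111111111111111111111111111111111111 !1350003000 /usr/local/filename
"""

if __name__ == "__main__":
    for p in suppressed_files(SAMPLE_DB.splitlines()):
        print(f"alerting capped: {p} (clear with syscheck_control -u <agent_id>)")
```

Run it against a real file from /var/ossec/queue/syscheck/ by passing `open(path)` to `suppressed_files` instead of the sample.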
On Friday, October 19, 2012 2:32:49 PM UTC-7, Scott wrote:
>
> Hi Dan,
>
> Thanks for the reply. My global set up is fine and I am getting many
> OSSEC emails to my global email. This is a recent new addition by me to do
> the single file monitoring and notification. File monitoring looks to be
> doing pretty well when I look at my OSSEC web ui.
>
> The best clue I have is when I check from the OSSEC server manager for
> this particular client server, I see some file changed entries about 1.5
> weeks ago, including 1st, 2nd and 3rd time modified. On the client server
> I see more recent entries in the queue diff directory, including diff
> updates. I don't know what the default timers are for when a file changes
> that it stops alerting after 3 notifications (does that last 1 day, etc.
> before more notifications would be sent to the server).
>
> At this point it looks like a disconnect between what the client sees vs.
> what the server is getting. Any ideas?
>
>
> On Thursday, October 18, 2012 1:12:10 PM UTC-7, Scott wrote:
>>
>> I am trying to monitor one specific file on one server for any changes
>> and to send email notification to several individuals when that file
>> changes, no matter how often it changes, and including a diff of the
>> changes. I am using a centralized configuration to manage ossec agents. The
>> client server is running AIX 5.3 (so no real time monitoring available).
>>
>> My .../ossec/etc/shared/agent.conf file is broken down by OS type, e.g.
>> <agent_config os="Windows"> and <agent_config os="AIX|Linux|SunOS">. To
>> this file I added machine specific configuration to monitor my specific
>> file (/usr/local/filename), i.e.:
>>
>> <agent_config name="aixserver11">
>> <syscheck>
>> <frequency>900</frequency>
>> <directories check_all="yes"
>> report_changes="yes">/usr/local/filename</directories>
>> </syscheck>
>> </agent_config>
>>
>> From what I read you can either specify a full filename to monitor or you
>> can use the restrict parameter to monitor a single file. The frequency is
>> pretty short here for testing.
>>
>> As I understand it config matches are cumulative so both the AIX config
>> and the aixserver11 config should apply to this server, and it appears to
>> be doing so. I can see in my .../ossec/queue/diff/local directory the file
>> is showing up and in the OSSEC log file on that server I see it is
>> monitoring that specific file. My main problem is with email notification.
>> While OSSEC is certainly sending out some emails, I am trying to get this
>> one particular syscheck to notify others when this file changes. From what
>> I've read this is done in the ossec.conf file on the main OSSEC server. I
>> have it set up as so (within the <ossec_config> section):
>>
>> <email_alerts>
>> <email_to>[email protected]</email_to> (email address
>> modified for posting)
>> <event_location>aixserver11</event_location>
>> <group>syscheck</group>
>> <do_not_delay />
>> <do_not_group />
>> </email_alerts>
>>
>> The do_not_delay and do_not_group are in there for testing, I am not sure
>> if they are really needed or not. In any case I am not getting any emails
>> sent to the email address when changes occur, although I am seeing new diff
>> files show up on the aix server. I realize that I have not tailored the
>> email notification to *only* the one file being changed but probably for
>> any syscheck file changes on that server (under the aix config some
>> standard directories are being monitored for changes) - it would be nice to
>> address that as well. In one case a change was made and yet never detected
>> until I restarted the OSSEC agent on the aix server.
>>
>> Any help with this would be appreciated.