On Wed, Oct 24, 2012 at 2:01 PM, Scott <[email protected]> wrote:
> If there is no timer, does this mean once a file has changed 3 times there is
> no more notification of that file changing?
>
Correct.

> If that is so, where can I change this value?
>
Which value?

> On Friday, October 19, 2012 7:02:40 PM UTC-7, Jb Cheng wrote:
>>
>> I am not aware there is a timer to reset after a file is modified the 3rd
>> time.
>> You can look at the syscheck database files under the /var/ossec/queue/syscheck/
>> directory.
>> The first three characters of each line show how many times a file has
>> been changed.
>> "+++" means unchanged, while "!!!" means it has been changed 3 times.
>>
>> For your testing, you can use 'syscheck_control -u <agent_id>' to clear
>> the agent syscheck database.
>>
>>   bin/syscheck_control
>>     -u <id>   Updates (clear) the database for the agent.
>>
>>
>> On Friday, October 19, 2012 2:32:49 PM UTC-7, Scott wrote:
>>>
>>> Hi Dan,
>>>
>>> Thanks for the reply. My global set-up is fine and I am getting many
>>> OSSEC emails to my global email. This is a recent new addition by me to do
>>> the single-file monitoring and notification. File monitoring looks to be
>>> doing pretty well when I look at my OSSEC web UI.
>>>
>>> The best clue I have is when I check from the OSSEC server manager for
>>> this particular client server, I see some file-changed entries from about 1.5
>>> weeks ago, including 1st, 2nd and 3rd time modified. On the client server I
>>> see more recent entries in the queue diff directory, including diff updates.
>>> I don't know what the default timers are for when a file changes that it
>>> stops alerting after 3 notifications (does that last 1 day, etc. before more
>>> notifications would be sent to the server).
>>>
>>> At this point it looks like a disconnect between what the client sees vs.
>>> what the server is getting. Any ideas?
>>>
>>>
>>> On Thursday, October 18, 2012 1:12:10 PM UTC-7, Scott wrote:
>>>>
>>>> I am trying to monitor one specific file on one server for any changes
>>>> and to send email notification to several individuals when that file
>>>> changes, no matter how often it changes, and including a diff of the
>>>> changes. I am using a centralized configuration to manage OSSEC agents. The
>>>> client server is running AIX 5.3 (so no real-time monitoring available).
>>>>
>>>> My .../ossec/etc/shared/agent.conf file is broken down by OS type, e.g.
>>>> <agent_config os="Windows"> and <agent_config os="AIX|Linux|SunOS">. To this
>>>> file I added a machine-specific configuration to monitor my specific file
>>>> (/usr/local/filename), i.e.:
>>>>
>>>>   <agent_config name="aixserver11">
>>>>     <syscheck>
>>>>       <frequency>900</frequency>
>>>>       <directories check_all="yes" report_changes="yes">/usr/local/filename</directories>
>>>>     </syscheck>
>>>>   </agent_config>
>>>>
>>>> From what I read, you can either specify a full filename to monitor or
>>>> you can use the restrict parameter to monitor a single file. The frequency
>>>> is pretty short here for testing.
>>>>
>>>> As I understand it, config matches are cumulative, so both the AIX config
>>>> and the aixserver11 config should apply to this server, and it appears to be
>>>> doing so. I can see in my .../ossec/queue/diff/local directory the file is
>>>> showing up, and in the OSSEC log file on that server I see it is monitoring
>>>> that specific file. My main problem is with email notification. While OSSEC
>>>> is certainly sending out some emails, I am trying to get this one particular
>>>> syscheck to notify others when this file changes. From what I've read this
>>>> is done in the ossec.conf file on the main OSSEC server. I have it set up as
>>>> so (within the <ossec_config> section):
>>>>
>>>>   <email_alerts>
>>>>     <email_to>[email protected]</email_to>   (email address modified for posting)
>>>>     <event_location>aixserver11</event_location>
>>>>     <group>syscheck</group>
>>>>     <do_not_delay />
>>>>     <do_not_group />
>>>>   </email_alerts>
>>>>
>>>> The do_not_delay and do_not_group are in there for testing; I am not
>>>> sure if they are really needed or not. In any case I am not getting any
>>>> emails sent to the email address when changes occur, although I am seeing
>>>> new diff files show up on the AIX server. I realize that I have not tailored
>>>> the email notification to *only* the one file being changed but probably for
>>>> any syscheck file changes on that server (under the AIX config some standard
>>>> directories are being monitored for changes) - it would be nice to address
>>>> that as well. In one case a change was made and yet never detected until I
>>>> restarted the OSSEC agent on the AIX server.
>>>>
>>>> Any help with this would be appreciated.
>>>>
>
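The database convention Jb Cheng describes in the thread (the first three characters of each line in the agent's file under /var/ossec/queue/syscheck/ record how many times the file has changed, "+++" unchanged and "!!!" changed three times, after which no further change is alerted until the database is cleared) can be checked mechanically rather than by eye. The script below is an added example for this page; it is not OSSEC's own code and was not posted by anyone in the thread. Only the three-character marker comes from the thread; the assumed layout of the rest of each line (checksum fields, then " !<epoch> <path>") is a guess made here so the example can pull out a path, and the sample lines are constructed, not copied from a real agent.

```python
"""List files in an OSSEC syscheck database that have used up their alerts.

Added example, not OSSEC code. Marker semantics are from the mailing-list
thread: the line starts with three characters, '+' for "unchanged" and '!'
for each recorded modification, so '+++' is 0 changes and '!!!' is 3.
Everything else about the line layout is an assumption made here.
"""
import re
from typing import List, NamedTuple, Optional

# Per the thread, OSSEC stops alerting on a file once it has changed this
# many times (until syscheck_control -u <agent_id> clears the database).
MAX_CHANGES = 3


class SyscheckEntry(NamedTuple):
    path: str     # monitored file (extracted by the assumed layout below)
    changes: int  # number of '!' in the three-character marker
    marker: str   # raw marker, e.g. "+++", "!++", "!!!"


# ASSUMPTION (not from the thread): after the marker come checksum fields,
# then " !<epoch> <path>". If that tail is missing we fall back to the raw
# remainder of the line so the change count is still reported.
_PATH_RE = re.compile(r"\s!\d+\s+(.+?)\s*$")


def parse_line(line: str) -> Optional[SyscheckEntry]:
    """Parse one database line; None for blank, comment or corrupt lines."""
    line = line.rstrip("\n")
    marker = line[:3]
    if len(marker) != 3 or any(c not in "+!" for c in marker):
        return None
    m = _PATH_RE.search(line)
    path = m.group(1) if m else line[3:].strip()
    return SyscheckEntry(path=path, changes=marker.count("!"), marker=marker)


def parse_db(text: str) -> List[SyscheckEntry]:
    """Parse a whole database file, skipping lines that are not entries."""
    entries = []
    for raw in text.splitlines():
        entry = parse_line(raw)
        if entry is not None:
            entries.append(entry)
    return entries


def remaining_alerts(entry: SyscheckEntry) -> int:
    """How many more modifications of this file will still raise an alert."""
    return max(0, MAX_CHANGES - entry.changes)


def capped_files(entries: List[SyscheckEntry]) -> List[str]:
    """Files at the cap: further changes are silently recorded, not alerted."""
    return [e.path for e in entries if e.changes >= MAX_CHANGES]


# Constructed sample database (three lines, three different change counts).
# Checksum fields are placeholder hex digests; only the marker and the
# trailing " !<epoch> <path>" matter to this example.
SAMPLE_DB = """\
+++1:33188:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 !1350681600 /etc/hosts
!++1:33188:0:0:9e107d9d372bb6826bd81d3542a419d6:2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 !1350768000 /etc/passwd
!!!1:33188:0:0:e4d909c290d0fb1ca068ffaddf22cbd0:de9f2c7fd25e1b3afad3e85a0bd17d9b100db4b3 !1350854400 /usr/local/filename
"""


if __name__ == "__main__":
    # Usage against a real agent: python3 this.py < /var/ossec/queue/syscheck/<agent db>
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DB
    entries = parse_db(text)
    for e in entries:
        print(f"{e.marker}  changes={e.changes}  alerts_left={remaining_alerts(e)}  {e.path}")
    capped = capped_files(entries)
    if capped:
        print(f"\n{len(capped)} file(s) will no longer alert until the agent "
              f"database is cleared (syscheck_control -u <agent_id>):")
        for p in capped:
            print("  " + p)
```

Run it with the agent's database file on standard input (or with no input to see the constructed sample). A path listed at the bottom is the situation Scott asked about: the file is still being diffed on the agent, but no new alert (and therefore no email) will be raised for it until the agent's syscheck database is cleared, and clearing it resets the count for every file of that agent, not just the one of interest.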
