I want notification to continue no matter how many times a file changes, not just 3 times.
On Wednesday, October 24, 2012 11:08:09 AM UTC-7, dan (ddpbsd) wrote:
> On Wed, Oct 24, 2012 at 2:01 PM, Scott <[email protected]> wrote:
> > If there is no timer does this mean once a file has changed 3 times there is
> > no more notification of that file changing?
>
> Correct.
>
> > If that is so, where can I change this value?
>
> Which value?
>
> > On Friday, October 19, 2012 7:02:40 PM UTC-7, Jb Cheng wrote:
> >> I am not aware there is a timer to reset after a file is modified the 3rd
> >> time.
> >> You can look at syscheck database files under /var/ossec/queue/syscheck/
> >> directory.
> >> The first three characters of each line show how many times a file has
> >> been changed.
> >> "+++" means unchanged, while "!!!" means it has been changed 3 times.
> >>
> >> For your testing, you can use 'syscheck_control -u <agent_id>' to clear
> >> the agent syscheck database.
> >>
> >> bin/syscheck_control
> >> -u <id> Updates (clear) the database for the agent.
> >>
> >> On Friday, October 19, 2012 2:32:49 PM UTC-7, Scott wrote:
> >>> Hi Dan,
> >>>
> >>> Thanks for the reply. My global setup is fine and I am getting many
> >>> OSSEC emails to my global email. This is a recent new addition by me to do
> >>> the single file monitoring and notification. File monitoring looks to be
> >>> doing pretty well when I look at my OSSEC web ui.
> >>>
> >>> The best clue I have is when I check from the OSSEC server manager for
> >>> this particular client server, I see some file changed entries about 1.5
> >>> weeks ago, including 1st, 2nd and 3rd time modified. On the client server I
> >>> see more recent entries in the queue diff directory, including diff updates.
> >>> I don't know what the default timers are for when a file changes that it
> >>> stops alerting after 3 notifications (does that last 1 day, etc. before more
> >>> notifications would be sent to the server).
> >>>
> >>> At this point it looks like a disconnect between what the client sees vs.
> >>> what the server is getting. Any ideas?
> >>>
> >>> On Thursday, October 18, 2012 1:12:10 PM UTC-7, Scott wrote:
> >>>> I am trying to monitor one specific file on one server for any changes
> >>>> and to send email notification to several individuals when that file
> >>>> changes, no matter how often it changes, and including a diff of the
> >>>> changes. I am using a centralized configuration to manage ossec agents. The
> >>>> client server is running AIX 5.3 (so no real time monitoring available).
> >>>>
> >>>> My .../ossec/etc/shared/agent.conf file is broken down by OS type, e.g.
> >>>> <agent_config os="Windows"> and <agent_config os="AIX|Linux|SunOS">. To this
> >>>> file I added machine specific configuration to monitor my specific file
> >>>> (/usr/local/filename), i.e.:
> >>>>
> >>>> <agent_config name="aixserver11">
> >>>> <syscheck>
> >>>> <frequency>900</frequency>
> >>>> <directories check_all="yes" report_changes="yes">/usr/local/filename</directories>
> >>>> </syscheck>
> >>>> </agent_config>
> >>>>
> >>>> From what I read you can either specify a full filename to monitor or
> >>>> you can use the restrict parameter to monitor a single file. The frequency
> >>>> is pretty short here for testing.
> >>>>
> >>>> As I understand it config matches are cumulative so both the AIX config
> >>>> and the aixserver11 config should apply to this server, and it appears to be
> >>>> doing so. I can see in my .../ossec/queue/diff/local directory the file is
> >>>> showing up and in the OSSEC log file on that server I see it is monitoring
> >>>> that specific file. My main problem is with email notification. While OSSEC
> >>>> is certainly sending out some emails, I am trying to get this one particular
> >>>> syscheck to notify others when this file changes. From what I've read this
> >>>> is done in the ossec.conf file on the main OSSEC server. I have it set up as
> >>>> so (within the <ossec_config> section):
> >>>>
> >>>> <email_alerts>
> >>>> <email_to>[email protected]</email_to> (email address modified for posting)
> >>>> <event_location>aixserver11</event_location>
> >>>> <group>syscheck</group>
> >>>> <do_not_delay />
> >>>> <do_not_group />
> >>>> </email_alerts>
> >>>>
> >>>> The do_not_delay and do_not_group are in there for testing, I am not
> >>>> sure if they are really needed or not. In any case I am not getting any
> >>>> emails sent to the email address when changes occur, although I am seeing
> >>>> new diff files show up on the aix server. I realize that I have not tailored
> >>>> the email notification to *only* the one file being changed but probably for
> >>>> any syscheck file changes on that server (under the aix config some standard
> >>>> directories are being monitored for changes) - it would be nice to address
> >>>> that as well. In one case a change was made and yet never detected until I
> >>>> restarted the OSSEC agent on the aix server.
> >>>>
> >>>> Any help with this would be appreciated.
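Added example, not from the thread or from OSSEC itself: a small script that reads the syscheck database lines Jb Cheng describes (first three characters encode the change count, "+++" unchanged, "!!!" changed 3 times) and lists the files that have hit the 3-change cap and so will no longer alert. It assumes the intermediate markers are "!++" and "!!+" and that each entry ends with "!<timestamp> <path>"; the sample lines are constructed.

```python
"""List monitored files that reached syscheck's 3-change cap (added example)."""
import re
import sys

MAX_CHANGES = 3  # per the thread: after "!!!" syscheck stops alerting on the file

# Assumption: marker, checksum field, "!<timestamp>", path. Only the marker
# semantics come from the thread; the rest of the layout is illustrative.
_ENTRY = re.compile(r"^([+!]{3})(\S*)\s+!(\d+)\s+(.+?)\s*$")

# Constructed sample in the shape of /var/ossec/queue/syscheck/ entries.
SAMPLE_DB = (
    "+++1234:644:0:0:d41d8cd9...:da39a3ee... !1350000000 /etc/hosts\n"
    "!++2048:600:0:0:deadbeef...:cafebabe... !1350001000 /etc/ssh/sshd_config\n"
    "!!!512:644:0:0:0123abcd...:4567ef01... !1350002000 /usr/local/filename\n"
    "# not an entry line\n"
)


def change_count(line):
    """Changes encoded in the first three characters, or None if not a marker."""
    marker = line[:3]
    if len(marker) != 3 or set(marker) - set("+!"):
        return None
    return marker.count("!")  # "+++" -> 0, "!++" -> 1, "!!+" -> 2, "!!!" -> 3


def parse_entry(line):
    m = _ENTRY.match(line)
    if not m:
        return None
    return {"changes": m.group(1).count("!"),
            "timestamp": int(m.group(3)), "path": m.group(4)}


def summarize(db_text):
    """Map each path to its recorded change count, skipping non-entry lines."""
    result = {}
    for line in db_text.splitlines():
        entry = parse_entry(line)
        if entry:
            result[entry["path"]] = entry["changes"]
    return result


def capped_files(db_text):
    """Paths at MAX_CHANGES: silent until 'syscheck_control -u <agent_id>'."""
    return sorted(p for p, n in summarize(db_text).items() if n >= MAX_CHANGES)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DB
    for path, n in summarize(text).items():
        print(f"{n}/{MAX_CHANGES} changes  {path}")
    print("silenced:", capped_files(text))
```

Run it against a real agent database file to see which paths have gone quiet before clearing the database.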
