Upon review, that's the non-testing env. Apologies for the confusion.
Here is where it's not working:
</agent_config>
<agent_config os="Linux">
<syscheck>
<frequency>86400</frequency>
<scan_on_start>yes</scan_on_start>
<scan_time>03:00</scan_time>
<auto_ignore>no</auto_ignore>
<!-- Directories to check (perform all possible verifications) -->
<directories report_changes="yes" check_all="yes">/etc</directories>
<directories check_all="yes">/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
<directories check_all="yes">/var/ossec</directories>
<ignore type="sregex">^/var/ossec/queue/</ignore>
<ignore type="sregex">^/var/ossec/logs/</ignore>
<ignore type="sregex">^/var/ossec/stats/</ignore>
<!-- Files/directories to ignore -->
<ignore type="sregex">^/var/spool/mail/</ignore>
<ignore type="sregex">^/var/spool/mqueue/</ignore>
<ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
</syscheck>
<!-- Files to monitor (localfiles) -->
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/secure</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/maillog</location>
</localfile>
</agent_config>
On Wednesday, November 28, 2012 9:35:40 AM UTC-6, dan (ddpbsd) wrote:
>
> On Wed, Nov 28, 2012 at 10:01 AM, mcrane0 <[email protected]> wrote:
> > ossec.conf on server, relevant portion:
> >
> > <directories report_changes="yes"
> > check_all="yes">/etc,/var/ossec/etc</directories>
> > <directories check_all="yes">/usr/bin,/usr/sbin</directories>
> > <directories check_all="yes">/bin,/sbin</directories>
> > <directories report_changes="yes"
> > check_all="yes">/home/*/.ssh</directories>
> >
> > ###############################
> >
> > agent.conf on remote client, AIX:
> >
> > <agent_config os="AIX">
> >
> > <syscheck>
> > <frequency>86400</frequency>
> > <scan_on_start>no</scan_on_start>
> > <scan_time>03:30</scan_time>
> > <auto_ignore>false</auto_ignore>
> >
> > <!-- Directories to check (perform all possible verifications) -->
> > <directories check_all="yes">/usr/bin,/usr/sbin</directories>
> > <directories check_all="yes">/bin,/sbin</directories>
> >
> > <directories report_changes="yes" check_all="yes">/etc</directories>
> > <ignore type="sregex">^/etc/objrepos/</ignore>
> > <ignore>/etc/mtab</ignore>
> > <ignore>/etc/perf</ignore>
> > <ignore>/etc/es/objrepos</ignore>
> > <ignore>/etc/lp/diagnostics</ignore>
> > <ignore>/etc/lpp/diagnostics</ignore>
> > <ignore>/etc/mnttab</ignore>
> > <ignore>/etc/hosts.deny</ignore>
> > <ignore>/etc/mail/statistics</ignore>
> > <ignore>/etc/random-seed</ignore>
> > <ignore>/etc/adjtime</ignore>
> > <ignore>/etc/httpd/logs</ignore>
> > <ignore>/etc/utmp</ignore>
> > <ignore>/etc/wtmp</ignore>
> > <ignore>/etc/utmpx</ignore>
> > <ignore>/etc/wtmpx</ignore>
> > <ignore>/etc/cups/certs</ignore>
> > <ignore>/etc/dumpdates</ignore>
> > <ignore>/etc/svc/volatile</ignore>
> > <ignore>/etc/prelink.cache</ignore>
> > <ignore>/etc/security/failedlogin</ignore>
> >
> > <directories check_all="yes">/opt</directories>
> > <ignore>/opt/splunkforwarder</ignore>
> > <ignore>/opt/recon</ignore>
> > <ignore>/opt/IBM</ignore>
> >
> > <directories check_all="yes">/var/ossec</directories>
> > <ignore type="sregex">^/var/ossec/queue/</ignore>
> > <ignore type="sregex">^/var/ossec/logs/</ignore>
> > <ignore type="sregex">^/var/ossec/stats/</ignore>
> >
> > </syscheck>
> >
> > <localfile>
> > <log_format>syslog</log_format>
> > <location>/var/adm/secure/secure.out</location>
> > </localfile>
> >
> > <localfile>
> > <log_format>syslog</log_format>
> > <location>/var/adm/syslog/kern.out</location>
> > </localfile>
> >
> > </agent_config>
> >
> > #################
> >
> > agent.conf, linux:
> >
> > <agent_config os="Linux">
> > <syscheck>
> > <frequency>86400</frequency>
> > <scan_on_start>yes</scan_on_start>
> > <scan_time>03:00</scan_time>
> > <auto_ignore>false</auto_ignore>
> >
> > <!-- Directories to check (perform all possible verifications) -->
> > <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> > <directories check_all="yes">/bin,/sbin</directories>
> >
> > <directories check_all="yes">/var/ossec</directories>
>
>
> You don't have report_changes set.
>
> > <ignore type="sregex">^/var/ossec/queue/</ignore>
> > <ignore type="sregex">^/var/ossec/logs/</ignore>
> > <ignore type="sregex">^/var/ossec/stats/</ignore>
> >
> > <!-- Files/directories to ignore -->
> > <ignore type="sregex">^/var/spool/mail/</ignore>
> > <ignore type="sregex">^/var/spool/mqueue/</ignore>
> > <ignore>/etc/mtab</ignore>
> > <ignore>/etc/mnttab</ignore>
> > <ignore>/etc/hosts.deny</ignore>
> > <ignore>/etc/mail/statistics</ignore>
> > <ignore>/etc/random-seed</ignore>
> > <ignore>/etc/adjtime</ignore>
> > <ignore>/etc/httpd/logs</ignore>
> > <ignore>/etc/utmpx</ignore>
> > <ignore>/etc/wtmpx</ignore>
> > <ignore>/etc/cups/certs</ignore>
> > <ignore>/etc/dumpdates</ignore>
> > <ignore>/etc/svc/volatile</ignore>
> >
> > </syscheck>
> >
> > <!-- Files to monitor (localfiles) -->
> > <localfile>
> > <log_format>syslog</log_format>
> > <location>/var/log/messages</location>
> > </localfile>
> >
> > <localfile>
> > <log_format>syslog</log_format>
> > <location>/var/log/secure</location>
> > </localfile>
> >
> > <localfile>
> > <log_format>syslog</log_format>
> > <location>/var/log/maillog</location>
> > </localfile>
> >
> > </agent_config>
> >
> >
> >
> >
> > On Thursday, November 15, 2012 2:20:11 PM UTC-6, Jb Cheng wrote:
> >>
> >> This is strange --- AIX works OK, but Linux does not.
> >> I would like to reproduce the issue on Linux. Could you post the relevant
> >> ossec.conf section here?
> >>
> >> On Thursday, November 15, 2012 7:36:48 AM UTC-8, mcrane0 wrote:
> >>>
> >>> It's worth noting that this is only occurring in our Linux environment.
> >>> The AIX agents are correctly reporting diffs with file integrity alerts.
> >>> Both AIX and Linux syscheck directives have the same contents on
> >>> client/server.
> >>>
> >>> Is there any way to debug this? I've set syscheck debug level to 2 on
> >>> client and see no change in logging. It's very frustrating as a.) the alert
> >>> is triggering and, b.) the diff is appearing in
> >>> /var/ossec/queue/diff/local/etc/<file>, but it's not being reported with the
> >>> alert.
> >>>
> >>> On Tuesday, November 13, 2012 11:33:12 AM UTC-6, mcrane0 wrote:
> >>>>
> >>>> Trying to include filesystem integrity alert diffs.
> >>>>
> >>>> Testing with /etc
> >>>>
> >>>> I have verified that both ossec.conf on server and
> >>>> /var/ossec/etc/shared/agent.conf have 'report_changes=yes' for /etc.
> >>>> /var/ossec/queue/diff/local/etc/fstab folder includes the diff file on
> >>>> the client.
> >>>>
> >>>> The alert triggers, but the diff is not included with the alert. Is
> >>>> there some other hidden setting I need to look for? Does ossec.conf on the
> >>>> server need to match agent.conf on the client?
> >>>>
> >
>
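dan's reply in the quoted thread points at the kind of mistake that is easy to miss when reading agent.conf by eye: the earlier Linux block lists /etc inside a `<directories>` element that has `check_all="yes"` but no `report_changes` attribute, so syscheck alerts on /etc fire without a diff, while the AIX block sets `report_changes="yes"` on its own /etc entry. The following script is an added example, not code from the thread or from the OSSEC project. It parses an agent.conf (which may contain several top-level `<agent_config>` blocks, so it is wrapped in a synthetic root before parsing), splits each comma-separated `<directories>` entry the way OSSEC does, and reports for every monitored path whether `report_changes` is enabled. The sample configuration is constructed to mirror the two quoted blocks; the `os` attribute is the one used on the page, the `name` fallback is the other per-agent selector OSSEC accepts, and a block with neither is labelled `*` because it applies to all agents.

```python
import xml.etree.ElementTree as ET

# Constructed sample agent.conf modelled on the two blocks quoted in the thread:
# the AIX block carries report_changes="yes" on /etc, the Linux block lists /etc
# in a <directories> element that has no report_changes attribute at all.
SAMPLE_AGENT_CONF = """
<agent_config os="AIX">
  <syscheck>
    <frequency>86400</frequency>
    <directories report_changes="yes" check_all="yes">/etc</directories>
    <directories check_all="yes">/opt</directories>
    <ignore>/opt/IBM</ignore>
  </syscheck>
</agent_config>

<agent_config os="Linux">
  <syscheck>
    <frequency>86400</frequency>
    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
  </syscheck>
</agent_config>
"""


def parse_agent_conf(text):
    """Parse an OSSEC agent.conf body.

    agent.conf may contain several top-level <agent_config> blocks, so it is
    not one well-formed XML document; wrap it in a synthetic root before parsing.
    """
    return ET.fromstring("<agent_conf_root>" + text + "</agent_conf_root>")


def block_label(block):
    """Label for an <agent_config> block: its os= or name= selector, or '*'
    for a block with no selector (OSSEC applies such a block to every agent)."""
    return block.get("os") or block.get("name") or "*"


def report_changes_status(text):
    """Return {block_label: {monitored_path: report_changes_enabled}}.

    Paths are split on commas, as OSSEC reads comma-separated <directories>
    entries, and report_changes counts as enabled only when the attribute is
    literally "yes" (case-insensitive). The attribute applies to every path
    listed in that element.
    """
    status = {}
    for block in parse_agent_conf(text).iter("agent_config"):
        paths = status.setdefault(block_label(block), {})
        for directories in block.iter("directories"):
            raw = directories.get("report_changes") or "no"
            enabled = raw.strip().lower() == "yes"
            for path in (directories.text or "").split(","):
                path = path.strip()
                if path:
                    paths[path] = enabled
    return status


def blocks_missing_report_changes(text, path):
    """List the <agent_config> labels in which `path` is monitored by syscheck
    but report_changes is not enabled, i.e. alerts will fire without a diff."""
    return [label for label, paths in report_changes_status(text).items()
            if path in paths and not paths[path]]


if __name__ == "__main__":
    for label, paths in report_changes_status(SAMPLE_AGENT_CONF).items():
        for path, enabled in sorted(paths.items()):
            flag = "yes" if enabled else "NO"
            print(f"{label:6} {path:20} report_changes={flag}")
    print("blocks monitoring /etc without report_changes:",
          blocks_missing_report_changes(SAMPLE_AGENT_CONF, "/etc"))
```

Run against the constructed sample it lists `Linux` as the only block monitoring /etc without `report_changes`, which is the state dan flagged. Pointing `parse_agent_conf` at the real `/var/ossec/etc/shared/agent.conf` gives the same check for a live deployment, and running it against the server's ossec.conf `<syscheck>` section as well answers the "does the server need to match the client" question path by path instead of by inspection.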