To add to the confusion, this just started working for me after a restart of the agent and server (this is not the first time a restart was attempted). I'll keep digging to see if the issue presents itself again.
On Tue, Dec 4, 2012 at 1:05 PM, Jb Cheng <[email protected]> wrote:
> I tried the following <syscheck> config on Linux centos 2.6.18.
> <directories report_changes="yes" check_all="yes">/etc</directories>
> Added a comment line to a dummy file /etc/hosts.jb; the diff showed up under
> queue/diff/local/etc/hosts.jb but did not show in alerts.log.
>
> TODO: Who can trace the source code to debug this issue?
>
>
> On Wednesday, November 28, 2012 8:25:53 AM UTC-8, mcrane0 wrote:
>>
>> Upon review, that's the non-testing env. Apologies for the confusion.
>> Here is where it's not working:
>>
>> </agent_config>
>>
>> <agent_config os="Linux">
>> <syscheck>
>> <frequency>86400</frequency>
>> <scan_on_start>yes</scan_on_start>
>> <scan_time>03:00</scan_time>
>> <auto_ignore>no</auto_ignore>
>>
>> <!-- Directories to check (perform all possible verifications) -->
>> <directories report_changes="yes" check_all="yes">/etc</directories>
>> <directories check_all="yes">/usr/bin,/usr/sbin</directories>
>> <directories check_all="yes">/bin,/sbin</directories>
>>
>> <directories check_all="yes">/var/ossec</directories>
>> <ignore type="sregex">^/var/ossec/queue/</ignore>
>> <ignore type="sregex">^/var/ossec/logs/</ignore>
>> <ignore type="sregex">^/var/ossec/stats/</ignore>
>>
>> <!-- Files/directories to ignore -->
>> <ignore type="sregex">^/var/spool/mail/</ignore>
>> <ignore type="sregex">^/var/spool/mqueue/</ignore>
>> <ignore>/etc/mtab</ignore>
>> <ignore>/etc/mnttab</ignore>
>> <ignore>/etc/hosts.deny</ignore>
>> <ignore>/etc/mail/statistics</ignore>
>> <ignore>/etc/random-seed</ignore>
>> <ignore>/etc/adjtime</ignore>
>> <ignore>/etc/httpd/logs</ignore>
>> <ignore>/etc/utmpx</ignore>
>> <ignore>/etc/wtmpx</ignore>
>> <ignore>/etc/cups/certs</ignore>
>> <ignore>/etc/dumpdates</ignore>
>> <ignore>/etc/svc/volatile</ignore>
>>
>> </syscheck>
>>
>> <!-- Files to monitor (localfiles) -->
>> <localfile>
>> <log_format>syslog</log_format>
>> <location>/var/log/messages</location>
>> </localfile>
>>
>> <localfile>
>> <log_format>syslog</log_format>
>> <location>/var/log/secure</location>
>> </localfile>
>>
>> <localfile>
>> <log_format>syslog</log_format>
>> <location>/var/log/maillog</location>
>> </localfile>
>>
>> </agent_config>
>>
>>
>> On Wednesday, November 28, 2012 9:35:40 AM UTC-6, dan (ddpbsd) wrote:
>>>
>>> On Wed, Nov 28, 2012 at 10:01 AM, mcrane0 <[email protected]> wrote:
>>> > ossec.conf on server, relevant portion:
>>> >
>>> > <directories report_changes="yes"
>>> > check_all="yes">/etc,/var/ossec/etc</directories>
>>> > <directories check_all="yes">/usr/bin,/usr/sbin</directories>
>>> > <directories check_all="yes">/bin,/sbin</directories>
>>> > <directories report_changes="yes"
>>> > check_all="yes">/home/*/.ssh</directories>
>>> >
>>> > ###############################
>>> >
>>> > agent.conf on remote client, AIX:
>>> >
>>> > <agent_config os="AIX">
>>> >
>>> > <syscheck>
>>> > <frequency>86400</frequency>
>>> > <scan_on_start>no</scan_on_start>
>>> > <scan_time>03:30</scan_time>
>>> > <auto_ignore>false</auto_ignore>
>>> >
>>> > <!-- Directories to check (perform all possible verifications) -->
>>> > <directories check_all="yes">/usr/bin,/usr/sbin</directories>
>>> > <directories check_all="yes">/bin,/sbin</directories>
>>> >
>>> > <directories report_changes="yes" check_all="yes">/etc</directories>
>>> > <ignore type="sregex">^/etc/objrepos/</ignore>
>>> > <ignore>/etc/mtab</ignore>
>>> > <ignore>/etc/perf</ignore>
>>> > <ignore>/etc/es/objrepos</ignore>
>>> > <ignore>/etc/lp/diagnostics</ignore>
>>> > <ignore>/etc/lpp/diagnostics</ignore>
>>> > <ignore>/etc/mnttab</ignore>
>>> > <ignore>/etc/hosts.deny</ignore>
>>> > <ignore>/etc/mail/statistics</ignore>
>>> > <ignore>/etc/random-seed</ignore>
>>> > <ignore>/etc/adjtime</ignore>
>>> > <ignore>/etc/httpd/logs</ignore>
>>> > <ignore>/etc/utmp</ignore>
>>> > <ignore>/etc/wtmp</ignore>
>>> > <ignore>/etc/utmpx</ignore>
>>> > <ignore>/etc/wtmpx</ignore>
>>> > <ignore>/etc/cups/certs</ignore>
>>> > <ignore>/etc/dumpdates</ignore>
>>> > <ignore>/etc/svc/volatile</ignore>
>>> > <ignore>/etc/prelink.cache</ignore>
>>> > <ignore>/etc/security/failedlogin</ignore>
>>> >
>>> > <directories check_all="yes">/opt</directories>
>>> > <ignore>/opt/splunkforwarder</ignore>
>>> > <ignore>/opt/recon</ignore>
>>> > <ignore>/opt/IBM</ignore>
>>> >
>>> > <directories check_all="yes">/var/ossec</directories>
>>> > <ignore type="sregex">^/var/ossec/queue/</ignore>
>>> > <ignore type="sregex">^/var/ossec/logs/</ignore>
>>> > <ignore type="sregex">^/var/ossec/stats/</ignore>
>>> >
>>> > </syscheck>
>>> >
>>> > <localfile>
>>> > <log_format>syslog</log_format>
>>> > <location>/var/adm/secure/secure.out</location>
>>> > </localfile>
>>> >
>>> > <localfile>
>>> > <log_format>syslog</log_format>
>>> > <location>/var/adm/syslog/kern.out</location>
>>> > </localfile>
>>> >
>>> > </agent_config>
>>> >
>>> > #################
>>> >
>>> > agent.conf, linux:
>>> >
>>> > <agent_config os="Linux">
>>> > <syscheck>
>>> > <frequency>86400</frequency>
>>> > <scan_on_start>yes</scan_on_start>
>>> > <scan_time>03:00</scan_time>
>>> > <auto_ignore>false</auto_ignore>
>>> >
>>> > <!-- Directories to check (perform all possible verifications) -->
>>> > <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>>> > <directories check_all="yes">/bin,/sbin</directories>
>>> >
>>> > <directories check_all="yes">/var/ossec</directories>
>>>
>>>
>>> You don't have report_changes set.
>>>
>>> > <ignore type="sregex">^/var/ossec/queue/</ignore>
>>> > <ignore type="sregex">^/var/ossec/logs/</ignore>
>>> > <ignore type="sregex">^/var/ossec/stats/</ignore>
>>> >
>>> > <!-- Files/directories to ignore -->
>>> > <ignore type="sregex">^/var/spool/mail/</ignore>
>>> > <ignore type="sregex">^/var/spool/mqueue/</ignore>
>>> > <ignore>/etc/mtab</ignore>
>>> > <ignore>/etc/mnttab</ignore>
>>> > <ignore>/etc/hosts.deny</ignore>
>>> > <ignore>/etc/mail/statistics</ignore>
>>> > <ignore>/etc/random-seed</ignore>
>>> > <ignore>/etc/adjtime</ignore>
>>> > <ignore>/etc/httpd/logs</ignore>
>>> > <ignore>/etc/utmpx</ignore>
>>> > <ignore>/etc/wtmpx</ignore>
>>> > <ignore>/etc/cups/certs</ignore>
>>> > <ignore>/etc/dumpdates</ignore>
>>> > <ignore>/etc/svc/volatile</ignore>
>>> >
>>> > </syscheck>
>>> >
>>> > <!-- Files to monitor (localfiles) -->
>>> > <localfile>
>>> > <log_format>syslog</log_format>
>>> > <location>/var/log/messages</location>
>>> > </localfile>
>>> >
>>> > <localfile>
>>> > <log_format>syslog</log_format>
>>> > <location>/var/log/secure</location>
>>> > </localfile>
>>> >
>>> > <localfile>
>>> > <log_format>syslog</log_format>
>>> > <location>/var/log/maillog</location>
>>> > </localfile>
>>> >
>>> > </agent_config>
>>> >
>>> >
>>> > On Thursday, November 15, 2012 2:20:11 PM UTC-6, Jb Cheng wrote:
>>> >>
>>> >> This is strange --- AIX works OK, but Linux does not.
>>> >> I would like to reproduce the issue on Linux. Could you post the relevant
>>> >> ossec.conf section here?
>>> >>
>>> >> On Thursday, November 15, 2012 7:36:48 AM UTC-8, mcrane0 wrote:
>>> >>>
>>> >>> It's worth noting that this is only occurring in our Linux environment.
>>> >>> The AIX agents are correctly reporting diffs with file integrity alerts.
>>> >>> Both AIX and Linux syscheck directives have the same contents on
>>> >>> client/server.
>>> >>>
>>> >>> Is there any way to debug this? I've set syscheck debug level to 2 on
>>> >>> client and see no change in logging. It's very frustrating as a.) the alert
>>> >>> is triggering and, b.) the diff is appearing in
>>> >>> /var/ossec/queue/diff/local/etc/<file>, but it's not being reported with the
>>> >>> alert.
>>> >>>
>>> >>> On Tuesday, November 13, 2012 11:33:12 AM UTC-6, mcrane0 wrote:
>>> >>>>
>>> >>>> Trying to include filesystem integrity alert diffs.
>>> >>>>
>>> >>>> Testing with /etc
>>> >>>>
>>> >>>> I have verified that both ossec.conf on server and
>>> >>>> /var/ossec/etc/shared/agent.conf have 'report_changes=yes' for /etc.
>>> >>>> /var/ossec/queue/diff/local/etc/fstab folder includes the diff file on
>>> >>>> the client.
>>> >>>>
>>> >>>> The alert triggers, but the diff is not included with the alert. Is
>>> >>>> there some other hidden setting I need to look for? Does ossec.conf on the
>>> >>>> server need to match agent.conf on the client?
>>> >>>>
>>> >
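The thread turns on a detail that is easy to miss by eye in a long syscheck block: whether the <directories> entry that actually covers a path carries report_changes="yes", and whether an <ignore> rule swallows the path first (dan's "You don't have report_changes set" above). The script below is an added example for this page; it is not code from any of the thread's participants or from the OSSEC project. It parses a config fragment and classifies one path as ignored, monitored with diffs, monitored without diffs, or not monitored. Its handling of sregex ignores and of overlapping <directories> entries is a simplified model of OSSEC matching (stated in the comments), and the two sample configurations are constructed from the snippets quoted in the thread, trimmed to the lines that matter.

```python
"""Classify a file path against an OSSEC syscheck configuration fragment.

Added example for this thread; not code from the original posts or from
the OSSEC project.  The matching rules are a simplified model of OSSEC
behaviour (see the comments on each helper)."""
import fnmatch
import os.path
import xml.etree.ElementTree as ET
from typing import Optional


def _sregex_match(pattern: str, path: str) -> bool:
    """Approximate OSSEC 'sregex' ignore rules: '^' anchors the start,
    '$' anchors the end, otherwise a plain substring match.
    Assumption: the real matcher also supports '|' alternation; omitted."""
    start = pattern.startswith("^")
    end = pattern.endswith("$")
    body = pattern[1:] if start else pattern
    body = body[:-1] if end else body
    if start and end:
        return path == body
    if start:
        return path.startswith(body)
    if end:
        return path.endswith(body)
    return body in path


def _under(entry: str, path: str) -> bool:
    """True when `path` is `entry` or lies below it.  The path and each of
    its ancestors are compared with fnmatch, so /home/*/.ssh also matches."""
    wanted = entry.rstrip("/") or "/"
    current = path
    while True:
        if fnmatch.fnmatchcase(current, wanted):
            return True
        parent = os.path.dirname(current)
        if parent == current:  # reached "/"
            return False
        current = parent


def _scopes(root, os_name: Optional[str]):
    """Top-level elements that apply: bare <syscheck> blocks always do,
    <agent_config os="..."> only when it matches os_name (or has no os)."""
    out = []
    for child in root:
        if child.tag == "agent_config" and os_name is not None:
            if child.get("os") not in (None, os_name):
                continue
        out.append(child)
    return out


def syscheck_status(config_xml: str, path: str, os_name: Optional[str] = None) -> str:
    """Return 'ignored', 'diff', 'no_diff' or 'not_monitored' for `path`.

    Config files may hold several top-level <agent_config> elements, so the
    text is wrapped in a synthetic root before parsing.  Simplification:
    when several <directories> entries cover the path, the most specific
    (longest) entry decides whether report_changes applies."""
    root = ET.fromstring("<root>" + config_xml + "</root>")
    scopes = _scopes(root, os_name)

    # An <ignore> rule wins outright: an ignored file never alerts at all.
    for scope in scopes:
        for ig in scope.iter("ignore"):
            pat = (ig.text or "").strip()
            if ig.get("type") == "sregex":
                if _sregex_match(pat, path):
                    return "ignored"
            elif _under(pat, path):
                return "ignored"

    best_entry, best_rc = None, None
    for scope in scopes:
        for d in scope.iter("directories"):
            for entry in (d.text or "").split(","):  # comma-separated list
                entry = entry.strip()
                if entry and _under(entry, path):
                    if best_entry is None or len(entry) > len(best_entry):
                        best_entry, best_rc = entry, d.get("report_changes")
    if best_entry is None:
        return "not_monitored"
    return "diff" if best_rc == "yes" else "no_diff"


# Constructed sample: the server ossec.conf lines quoted in the thread.
SERVER_CONF = """
<syscheck>
  <directories report_changes="yes" check_all="yes">/etc,/var/ossec/etc</directories>
  <directories check_all="yes">/usr/bin,/usr/sbin</directories>
  <directories report_changes="yes" check_all="yes">/home/*/.ssh</directories>
</syscheck>
"""

# Constructed sample: the Linux agent.conf block that lacks report_changes.
AGENT_CONF = """
<agent_config os="Linux">
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/var/ossec</directories>
    <ignore type="sregex">^/var/ossec/queue/</ignore>
    <ignore>/etc/mtab</ignore>
  </syscheck>
</agent_config>
"""

if __name__ == "__main__":
    for name, conf in (("server", SERVER_CONF), ("agent", AGENT_CONF)):
        for p in ("/etc/fstab", "/etc/mtab", "/var/ossec/queue/diff/x",
                  "/home/alice/.ssh/authorized_keys"):
            print(f"{name:6} {p:34} {syscheck_status(conf, p, 'Linux')}")
```

Running it against the two constructed fragments shows the asymmetry the thread is chasing: /etc/fstab is "diff" under the server fragment but only "no_diff" under the agent fragment, while /etc/mtab and anything under /var/ossec/queue/ come back "ignored" before report_changes is even consulted. Pass the agent's os name as the third argument so <agent_config os="..."> blocks for other platforms are skipped, as they would be on that agent.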
