I did restart ossec process at the time. I have added the regex and will begin experimenting with the results. I will report back.

Help me confirm if this is true:

Let's say I am monitoring directory *C:\monitored* but ignoring directory *C:\monitored\logs*. If changes are made to a file in a subdir of *C:\monitored\logs* (ex, *c:\monitored\logs\logdir1*), will OSSEC alert to that? It then makes sense to use the regex as we want to ignore anything that begins with *c:\monitored\logs*.

Thanks

Lou

On 12/20/2012 9:21 AM, dan (ddp) wrote:
On Thu, Dec 20, 2012 at 9:13 AM, Lsilverman <[email protected]> wrote:
Forgive me, I was removing identifying information and mistyped.

This is from my agent:
  <ignore>C:\Inetpub\wwwroot\app1\logs</ignore>


and this is the alert I get:
  Integrity checksum changed for:
  'C:\Inetpub/wwwroot/app1/Logs/user.xxxxxxx-12-19-2012.txt'

Did you restart the OSSEC processes? I don't know if the case matters
or not. I guess you could also try an sregex:

<ignore type="sregex">^C:\Inetpub/wwwroot/app1/Logs</ignore>

Do I add any ignores to the manager or is it strictly agent based?

IIRC, if you add them to the manager they will be ignored from all
agents. If you add them to the agents they will only be ignored on
those agents.

Thank you so so so much. To show my appreciation, I am trying to help you
out answering questions in the group :)

Thanks
On Thursday, December 20, 2012 8:27:33 AM UTC-5, dan (ddpbsd) wrote:
On Wed, Dec 19, 2012 at 5:15 PM, Lsilverman <[email protected]> wrote:
I am monitoring my inetpub folder on a webserver and ignoring log files/folders within inetpub. For some reason ossec sends me email alerts for files/folders that I am ignoring. Can someone look at my config and help me understand what's wrong? (Dan, looking at you buddy :) :) :))

From OSSEC.conf on the agent:
  <syscheck>
    <alert_new_files>yes</alert_new_files>
    <directories realtime="yes" check_all="yes">C:\inetpub</directories>
    <ignore>C:\Inetpub\mailroot</ignore>
    <ignore>C:\Inetpub\wwwroot\app1\logs</ignore>
    <ignore>C:\Inetpub\wwwroot\app2\logs</ignore>
    <ignore>C:\Inetpub\wwwroot\app1\Imports</ignore>
    <ignore>C:\Inetpub\wwwroot\app2\Imports</ignore>
   </syscheck>
</ossec_config>

I keep getting email alerts like:

Rule: 550 fired (level 14) -> "Integrity checksum changed of monitored file."
Portion of the log(s):

Integrity checksum changed for:
'C:\Inetpub/wwwroot/app1/Log/user.xxxxxxx-12-19-2012.txt'

You don't have this path defined above. You have
"<ignore>C:\Inetpub\wwwroot\app1\logs</ignore>" instead.

OSSEC is correct that the file it is showing me has changed but I have marked that folder to be ignored. I know that ossec scans all files/folders but should choose to alert on files NOT being ignored. Is my config bad? Should I add my ignores to the manager and not the agent conf?
Any help is greatly appreciated. Thanks in advance.
Make sure you restart the agent processes after adding the correct ignores.

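As an added offline check (example code written for this thread, not OSSEC's own code and not from any poster), the function below tests an alerted path against the ignore entries quoted above and the sregex dan suggested. The matching rules it uses (prefix match, separators treated alike, optional case folding) are assumptions for the check, not a description of OSSEC's implementation; it covers both the "Log" vs "logs" mismatch dan pointed out and Lou's question about files in subdirectories of an ignored directory.

```python
import re
from typing import Optional

# Ignore entries from the agent config quoted in the thread, plus the sregex
# dan suggested. ASSUMPTION: literal entries are prefix matches, "\" and "/"
# are interchangeable, and case folding is optional (OSSEC's real behaviour
# is not asserted here).
IGNORE_PATHS = [
    r"C:\Inetpub\mailroot",
    r"C:\Inetpub\wwwroot\app1\logs",
    r"C:\Inetpub\wwwroot\app2\logs",
    r"C:\Inetpub\wwwroot\app1\Imports",
    r"C:\Inetpub\wwwroot\app2\Imports",
]
IGNORE_SREGEX = [r"^C:\Inetpub/wwwroot/app1/Logs"]


def normalise(path: str, case_sensitive: bool) -> str:
    """Fold both separator styles to '/', and fold case unless case_sensitive."""
    p = path.replace("\\", "/")
    return p if case_sensitive else p.lower()


def sregex_to_python(pattern: str, case_sensitive: bool) -> "re.Pattern[str]":
    """Turn an anchored sregex-style path pattern into a Python regex.
    ASSUMPTION: only a leading '^' is honoured; the rest is literal text."""
    anchored = pattern.startswith("^")
    body = pattern[1:] if anchored else pattern
    body = re.escape(normalise(body, case_sensitive))
    return re.compile(("^" if anchored else "") + body)


def ignored_by(path: str, case_sensitive: bool = False) -> Optional[str]:
    """Return the ignore entry that covers `path`, or None if it would alert."""
    p = normalise(path, case_sensitive)
    for entry in IGNORE_PATHS:
        # Plain prefix match: covers every subdirectory under the entry, and
        # (caveat) any sibling whose name merely starts with the same text.
        if p.startswith(normalise(entry, case_sensitive)):
            return entry
    for pat in IGNORE_SREGEX:
        if sregex_to_python(pat, case_sensitive).search(p):
            return pat
    return None


if __name__ == "__main__":
    # Path from the second alert in the thread: "Log", not "logs", so nothing covers it.
    print(ignored_by(r"C:\Inetpub/wwwroot/app1/Log/user.xxxxxxx-12-19-2012.txt"))
```

Run with `case_sensitive=True` to see why the literal `logs` entry misses a `Logs` path while dan's sregex, written with the alert's exact case, catches it.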