On Thu, Dec 20, 2012 at 1:21 PM, Lsilverman <[email protected]> wrote:
> Still the same issue. I upgraded my manager to 2.7, not my agents.
>
> I am monitoring c:\inetpub but ignoring regex ^C:\inetpub\mailroot
>
> I continue to get alerts like:
>
> Integrity checksum changed for:
> 'C:\Inetpub/mailroot/Badmail/348972394723894723894.BDR'
>
> Here is a snippet of my config:
>
> <syscheck>
> <alert_new_files>yes</alert_new_files>
> <directories realtime="yes" check_all="yes">C:\Inetpub</directories>
> <ignore type="sregex">^C:\Inetpub\mailroot</ignore>
> </syscheck>
>
> Any ideas what I am doing wrong?
>
> Thanks!!!
>

Not really. The only strange thing I see is the direction of your slashes.
From an example in the ossec.conf:

<ignore>C:\WINDOWS/System32/LogFiles</ignore>

Other than that, no clue.

> On Thursday, December 20, 2012 9:21:20 AM UTC-5, dan (ddpbsd) wrote:
>>
>> On Thu, Dec 20, 2012 at 9:13 AM, Lsilverman
>> <[email protected]> wrote:
>> > Forgive me, I was removing identifying information and mistyped.
>> >
>> > This is from my agent:
>> > <ignore>C:\Inetpub\wwwroot\app1\logs</ignore>
>> >
>> > and this is the alert I get:
>> > Integrity checksum changed for:
>> > 'C:\Inetpub/wwwroot/app1/Logs/user.xxxxxxx-12-19-2012.txt'
>> >
>>
>> Did you restart the OSSEC processes? I don't know if the case matters
>> or not. I guess you could also try an sregex:
>>
>> <ignore type="sregex">^C:\Inetpub/wwwroot/app1/Logs</ignore>
>>
>> > Do I add any ignores to the manager or is it strictly agent based?
>> >
>>
>> IIRC, if you add them to the manager they will be ignored from all
>> agents. If you add them to the agents they will only be ignored on
>> those agents.
>>
>> > Thank you so so so much. To show my appreciation, I am trying to help
>> > you out answering questions in the group :)
>> >
>> > Thanks
>> >
>> > On Thursday, December 20, 2012 8:27:33 AM UTC-5, dan (ddpbsd) wrote:
>> >>
>> >> On Wed, Dec 19, 2012 at 5:15 PM, Lsilverman
>> >> <[email protected]> wrote:
>> >> > I am monitoring my inetpub folder on a webserver and ignoring log
>> >> > files/folders within inetpub. For some reason ossec sends me email
>> >> > alerts for files/folders that I am ignoring. Can someone look at my
>> >> > config and help me understand what's wrong?
>> >> > (Dan, looking at you buddy :) :) :))
>> >> >
>> >> > From OSSEC.conf on the agent:
>> >> > <syscheck>
>> >> > <alert_new_files>yes</alert_new_files>
>> >> > <directories realtime="yes" check_all="yes">C:\inetpub</directories>
>> >> > <ignore>C:\Inetpub\mailroot</ignore>
>> >> > <ignore>C:\Inetpub\wwwroot\app1\logs</ignore>
>> >> > <ignore>C:\Inetpub\wwwroot\app2\logs</ignore>
>> >> > <ignore>C:\Inetpub\wwwroot\app1\Imports</ignore>
>> >> > <ignore>C:\Inetpub\wwwroot\app2\Imports</ignore>
>> >> > </syscheck>
>> >> > </ossec_config>
>> >> >
>> >> > I keep getting email alerts like:
>> >> >
>> >> > Rule: 550 fired (level 14) -> "Integrity checksum changed of
>> >> > monitored file."
>> >> > Portion of the log(s):
>> >> >
>> >> > Integrity checksum changed for:
>> >> > 'C:\Inetpub/wwwroot/app1/Log/user.xxxxxxx-12-19-2012.txt'
>> >> >
>> >>
>> >> You don't have this path defined above. You have
>> >> "<ignore>C:\Inetpub\wwwroot\app1\logs</ignore>" instead.
>> >>
>> >> > OSSEC is correct that the file it is showing me has changed but I
>> >> > have marked that folder to be ignored. I know that ossec scans all
>> >> > files/folders but should choose to alert on files NOT being ignored.
>> >> > Is my config bad? Should I add my ignores to the manager and not the
>> >> > agent conf?
>> >> >
>> >> > Any help is greatly appreciated. Thanks in advance.
>> >> >
>> >>
>> >> Make sure you restart the agent processes after adding the correct
>> >> ignores.
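An added check, not part of the thread and not OSSEC's own matching code, that replays the ignore entries and alert paths quoted above through plain prefix comparison. It shows how the slash direction (`\` in the config, `/` in the alert) and the `logs`/`Logs` case difference each stop a literal match, and why an entry written in the alert's own slash form matches. The `sregex` handling is a deliberately reduced stand-in that honours only the leading `^` anchor.

```python
# Values below are copied from the thread; the web.config path is constructed
# as a control that should still be reported.
IGNORES = [
    r"C:\Inetpub\mailroot",
    r"C:\Inetpub\wwwroot\app1\logs",
]
ALERT_PATHS = [
    r"C:\Inetpub/mailroot/Badmail/348972394723894723894.BDR",
    r"C:\Inetpub/wwwroot/app1/Logs/user.xxxxxxx-12-19-2012.txt",
    r"C:\Inetpub/wwwroot/app1/web.config",  # constructed control, not ignored
]


def literal_prefix_match(path: str, ignores) -> bool:
    """Byte-for-byte prefix compare of the strings exactly as they appear."""
    return any(path.startswith(ign) for ign in ignores)


def normalised_match(path: str, ignores, ignore_case: bool) -> bool:
    """Prefix compare after folding '\\' to '/', optionally case-insensitive."""
    def norm(p: str) -> str:
        p = p.replace("\\", "/")
        return p.lower() if ignore_case else p
    n = norm(path)
    return any(n.startswith(norm(ign)) for ign in ignores)


def sregex_prefix_match(path: str, pattern: str) -> bool:
    """Simplified stand-in for an OSSEC sregex ignore: only a leading '^'
    (anchor at start of path) is interpreted; the rest is matched literally."""
    if pattern.startswith("^"):
        return path.startswith(pattern[1:])
    return pattern in path


def classify(path: str, ignores) -> dict:
    """Report which comparison strategies would suppress this alert path."""
    return {
        "literal": literal_prefix_match(path, ignores),
        "slash_folded": normalised_match(path, ignores, ignore_case=False),
        "slash_folded_nocase": normalised_match(path, ignores, ignore_case=True),
    }


if __name__ == "__main__":
    for p in ALERT_PATHS:
        print(p, classify(p, IGNORES))
```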
