I thought it was very odd that the email alerts I receive display the slashes as if it were a Linux box. I always wrote it off as a funky Linux manager / Windows agent phenomenon :)

I am now experimenting with writing my <ignore> rules using the forward slashes. Rather than ignoring c:\monitored\logs, I am trying c:\monitored/logs

I will report back my results!

Thanks

Lou



On 12/20/2012 3:16 PM, dan (ddp) wrote:
On Thu, Dec 20, 2012 at 1:21 PM, Lsilverman
<[email protected]> wrote:
Still the same issue. I upgraded my manager to 2.7, not my agents.

I am monitoring c:\inetpub but ignoring regex ^C:\inetpub\mailroot

I continue to get alerts like:

Integrity checksum changed for:
'C:\Inetpub/mailroot/Badmail/348972394723894723894.BDR'


Here is a snippet of my config:


  <syscheck>
    <alert_new_files>yes</alert_new_files>
    <directories realtime="yes" check_all="yes">C:\Inetpub</directories>
    <ignore type="sregex">^C:\Inetpub\mailroot</ignore>

  </syscheck>



Any ideas what I am doing wrong?

Thanks!!!

Not really. The only strange thing I see is the direction of your
slashes. From an example in the ossec.conf:
<ignore>C:\WINDOWS/System32/LogFiles</ignore>

Other than that, no clue.


On Thursday, December 20, 2012 9:21:20 AM UTC-5, dan (ddpbsd) wrote:
On Thu, Dec 20, 2012 at 9:13 AM, Lsilverman
<[email protected]> wrote:
Forgive me, I was removing identifying information and mistyped.

This is from my agent:
  <ignore>C:\Inetpub\wwwroot\app1\logs</ignore>


and this is the alert I get:
  Integrity checksum changed for:
  'C:\Inetpub/wwwroot/app1/Logs/user.xxxxxxx-12-19-2012.txt'

Did you restart the OSSEC processes? I don't know if the case matters
or not. I guess you could also try an sregex:

<ignore type="sregex">^C:\Inetpub/wwwroot/app1/Logs</ignore>

Do I add any ignores to the manager or is it strictly agent based?

IIRC, if you add them to the manager they will be ignored from all
agents. If you add them to the agents they will only be ignored on
those agents.

Thank you so so so much. To show my appreciation, I am trying to help you out answering questions in the group :)

Thanks




On Thursday, December 20, 2012 8:27:33 AM UTC-5, dan (ddpbsd) wrote:
On Wed, Dec 19, 2012 at 5:15 PM, Lsilverman
<[email protected]> wrote:
I am monitoring my inetpub folder on a webserver and ignoring log files/folders within inetpub. For some reason ossec sends me email alerts for files/folders that I am ignoring. Can someone look at my config and help me understand what's wrong? (Dan, looking at you buddy :) :) :))

From OSSEC.conf on the agent:
  <syscheck>
    <alert_new_files>yes</alert_new_files>
    <directories realtime="yes" check_all="yes">C:\inetpub</directories>
    <ignore>C:\Inetpub\mailroot</ignore>
    <ignore>C:\Inetpub\wwwroot\app1\logs</ignore>
    <ignore>C:\Inetpub\wwwroot\app2\logs</ignore>
    <ignore>C:\Inetpub\wwwroot\app1\Imports</ignore>
    <ignore>C:\Inetpub\wwwroot\app2\Imports</ignore>
   </syscheck>
</ossec_config>

I keep getting email alerts like:

Rule: 550 fired (level 14) -> "Integrity checksum changed of monitored file."
Portion of the log(s):

Integrity checksum changed for:
'C:\Inetpub/wwwroot/app1/Log/user.xxxxxxx-12-19-2012.txt'

You don't have this path defined above. You have
"<ignore>C:\Inetpub\wwwroot\app1\logs</ignore>" instead.

OSSEC is correct that the file it is showing me has changed but I have marked that folder to be ignored. I know that ossec scans all files/folders but should choose to alert on files NOT being ignored. Is my config bad? Should I add my ignores to the manager and not the agent conf?


Any help is greatly appreciated. Thanks in advance.



Make sure you restart the agent processes after adding the correct ignores.

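A quick way to check which <ignore> entries would actually cover the paths OSSEC reports, as an added example that is not part of the thread and not OSSEC's own code: it parses a <syscheck> block like the one posted above, pulls the quoted path out of each "Integrity checksum changed for:" line, and tests every ignore against it, so the backslash/forward-slash mismatch shows up before the config is deployed. The matcher is a deliberate simplification of OSSEC's C implementation (a plain <ignore> is treated as a prefix test, an sregex is reduced to its ^/$ anchors with a literal body, which is all the thread's patterns use), the "alert form" rewrite is only inferred from the alert lines quoted in this thread, and the alert lines and the extra forward-slash ignores in the sample config are constructed for the example.

```python
"""Check OSSEC syscheck <ignore> entries against the paths seen in alerts.

Constructed example, not OSSEC code. OSSEC's real matcher is its own C code
(plain <ignore> = prefix match, type="sregex" = OS_Regex); here a plain ignore
is a prefix test and an sregex is reduced to its ^ and $ anchors with a literal
body. That covers the patterns in the thread, not the full sregex syntax.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample config: the agent block from the thread plus the two
# forward-slash variants suggested in the replies.
SYSCHECK_XML = r"""
<syscheck>
  <alert_new_files>yes</alert_new_files>
  <directories realtime="yes" check_all="yes">C:\Inetpub</directories>
  <ignore>C:\Inetpub\mailroot</ignore>
  <ignore>C:\Inetpub\wwwroot\app1\logs</ignore>
  <ignore>C:\Inetpub/mailroot</ignore>
  <ignore type="sregex">^C:\Inetpub/wwwroot/app1/Logs</ignore>
</syscheck>
"""

# Constructed alert lines in the format quoted in the thread.
ALERT_LINES = [
    r"Integrity checksum changed for: 'C:\Inetpub/mailroot/Badmail/348972394723894723894.BDR'",
    r"Integrity checksum changed for: 'C:\Inetpub/wwwroot/app1/Logs/user.xxxxxxx-12-19-2012.txt'",
    r"Integrity checksum changed for: 'C:\Inetpub/wwwroot/app2/Logs/user.yyyyyyy-12-19-2012.txt'",
]

_PATH_IN_ALERT = re.compile(r"'([^']+)'")


def parse_ignores(xml_text):
    """Return [(pattern, kind)] for every <ignore> in a <syscheck> block."""
    root = ET.fromstring(xml_text.strip())
    return [((el.text or "").strip(), el.get("type", "plain")) for el in root.iter("ignore")]


def alert_path(line):
    """Extract the single-quoted path from an 'Integrity checksum changed for:' line."""
    m = _PATH_IN_ALERT.search(line)
    return m.group(1) if m else None


def to_alert_form(win_path):
    """Keep the backslash after the drive letter, make every later separator a '/'.

    This is the shape the thread's alerts show (assumption inferred from those
    lines, not documented OSSEC behaviour).
    """
    head, sep, tail = win_path.partition("\\")
    return head + sep + tail.replace("\\", "/")


def ignore_matches(path, pattern, kind, ignore_case=False):
    """Approximate OSSEC's ignore test; see the module docstring for the simplification."""
    if ignore_case:
        path, pattern = path.lower(), pattern.lower()
    if kind == "sregex":
        anchored_start = pattern.startswith("^")
        anchored_end = pattern.endswith("$")
        body = pattern
        if anchored_start:
            body = body[1:]
        if anchored_end:
            body = body[:-1]
        if anchored_start and anchored_end:
            return path == body
        if anchored_start:
            return path.startswith(body)
        if anchored_end:
            return path.endswith(body)
        return body in path
    return path.startswith(pattern)  # plain <ignore>: prefix match


def matching_ignores(alert_lines, xml_text, ignore_case=False):
    """Map each alerted path to the ignore patterns that would have suppressed it."""
    ignores = parse_ignores(xml_text)
    result = {}
    for line in alert_lines:
        path = alert_path(line)
        if path is None:
            continue
        result[path] = [pat for pat, kind in ignores
                        if ignore_matches(path, pat, kind, ignore_case)]
    return result


if __name__ == "__main__":
    for path, hits in matching_ignores(ALERT_LINES, SYSCHECK_XML).items():
        print(path, "->", hits or "NO MATCHING IGNORE (alert would fire)")
    print("rewritten ignore:", to_alert_form(r"C:\Inetpub\wwwroot\app1\logs"))
```

Run against the sample, the two all-backslash ignores never match anything, the forward-slash mailroot ignore covers the Badmail alert, the sregex covers app1/Logs, and the app2 alert is left uncovered because no ignore was written for it in that form. Passing ignore_case=True lets you see whether a case difference such as logs versus Logs is the only thing standing between a rule and a path, which is the open question in the thread; it says nothing about whether OSSEC itself compares case-insensitively.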