All,
I just did a fresh, fairly vanilla install of OSSEC 2.7 (official release).
I'm getting mixed results with realtime alerts - sometimes it works fine,
sometimes the 'diff' file doesn't reflect the change minutes after I have
made it, while other times the 'diff' file is showing the change but I
don't receive an alert.
Is there something obvious I am missing? Relevant snippets of information:
cat /etc/redhat-release
CentOS release 6.4 (Final)
rpm -ql kernel-devel | grep inotify
/usr/src/kernels/2.6.32-358.el6.x86_64/fs/notify/inotify
/usr/src/kernels/2.6.32-358.el6.x86_64/fs/notify/inotify/Kconfig
/usr/src/kernels/2.6.32-358.el6.x86_64/fs/notify/inotify/Makefile
/usr/src/kernels/2.6.32-358.el6.x86_64/include/config/inotify
/usr/src/kernels/2.6.32-358.el6.x86_64/include/config/inotify.h
/usr/src/kernels/2.6.32-358.el6.x86_64/include/config/inotify/user.h
/usr/src/kernels/2.6.32-358.el6.x86_64/include/linux/inotify.h
/usr/src/kernels/2.6.32-358.2.1.el6.x86_64/fs/notify/inotify
/usr/src/kernels/2.6.32-358.2.1.el6.x86_64/fs/notify/inotify/Kconfig
/usr/src/kernels/2.6.32-358.2.1.el6.x86_64/fs/notify/inotify/Makefile
/usr/src/kernels/2.6.32-358.2.1.el6.x86_64/include/config/inotify
/usr/src/kernels/2.6.32-358.2.1.el6.x86_64/include/config/inotify.h
/usr/src/kernels/2.6.32-358.2.1.el6.x86_64/include/config/inotify/user.h
/usr/src/kernels/2.6.32-358.2.1.el6.x86_64/include/linux/inotify.h
rpm -qa | grep kernel
kernel-devel-2.6.32-358.el6.x86_64
libreport-plugin-kerneloops-2.0.9-15.el6.centos.x86_64
abrt-addon-kerneloops-2.0.8-15.el6.centos.x86_64
kernel-firmware-2.6.32-358.2.1.el6.noarch
kernel-headers-2.6.32-358.2.1.el6.x86_64
dracut-kernel-004-303.el6.noarch
kernel-2.6.32-358.2.1.el6.x86_64
kernel-2.6.32-358.el6.x86_64
kernel-devel-2.6.32-358.2.1.el6.x86_64
<syscheck>
<frequency>79200</frequency>
<auto_ignore>no</auto_ignore>
<scan_on_start>no</scan_on_start>
<directories realtime="yes" report_changes="yes"
check_all="yes">/tmp/demo</directories>
</syscheck>
date
Wed Mar 27 07:10:03 PDT 2013
/var/ossec/queue/diff/local/tmp/demo/test
[root@manager test]# ll
total 16
-rw-r--r--. 1 root root 11 Mar 27 05:51 diff.1364388706
-rw-r--r--. 1 root root 12 Mar 27 06:50 diff.1364392256
-rw-r--r--. 1 root root 11 Mar 27 06:50 last-entry
-rw-r--r--. 1 root root 0 Mar 27 05:43 state.1364388217
-rw-r--r--. 1 root root 5 Mar 27 05:51 state.1364388706
-rw-r--r--. 1 root root 47 Mar 27 07:09 /tmp/demo/test
I did verify that real time monitoring was started and rootcheck was
complete before I attempted my test:
2013/03/27 07:02:00 ossec-testrule: INFO: Reading local decoder file.
2013/03/27 07:02:00 ossec-testrule: INFO: Started (pid: 15023).
2013/03/27 07:02:00 ossec-maild: INFO: E-Mail notification disabled. Clean
Exit.
2013/03/27 07:02:00 ossec-execd: INFO: Started (pid: 15046).
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading local decoder file.
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'rules_config.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'pam_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'sshd_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'telnetd_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'syslog_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'arpwatch_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'symantec-av_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'symantec-ws_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'pix_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'named_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'smbd_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'vsftpd_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'pure-ftpd_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'proftpd_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'ms_ftpd_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'ftpd_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'hordeimp_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'roundcube_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'wordpress_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'cimserver_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'vpopmail_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'vmpop3d_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'courier_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'web_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'web_appsec_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'apache_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'nginx_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'php_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'mysql_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'postgresql_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'ids_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'squid_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'firewall_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'cisco-ios_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'netscreenfw_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'sonicwall_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'postfix_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'sendmail_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'imapd_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'mailscanner_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'dovecot_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'ms-exchange_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'racoon_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'vpn_concentrator_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'spamd_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'msauth_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'mcafee_av_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'trend-osce_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'ms-se_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'zeus_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'solaris_bsm_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'vmware_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'ms_dhcp_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'asterisk_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'ossec_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'attack_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'openbsd_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'clam_av_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'bro-ids_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'dropbear_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Reading rules file:
'local_rules.xml'
2013/03/27 07:02:00 ossec-analysisd: INFO: Total rules enabled: '1313'
2013/03/27 07:02:00 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
2013/03/27 07:02:00 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
2013/03/27 07:02:00 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
2013/03/27 07:02:00 ossec-analysisd: INFO: Ignoring file:
'/etc/mail/statistics'
2013/03/27 07:02:00 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
2013/03/27 07:02:00 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
2013/03/27 07:02:00 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
2013/03/27 07:02:00 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
2013/03/27 07:02:00 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
2013/03/27 07:02:00 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
2013/03/27 07:02:00 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
2013/03/27 07:02:00 ossec-analysisd: INFO: Ignoring file:
'/etc/svc/volatile'
2013/03/27 07:02:00 ossec-analysisd: INFO: No IP in the white list for
active reponse.
2013/03/27 07:02:00 ossec-analysisd: INFO: No Hostname in the white list
for active reponse.
2013/03/27 07:02:00 ossec-analysisd: INFO: Started (pid: 15050).
2013/03/27 07:02:00 ossec-remoted: INFO: Started (pid: 15058).
2013/03/27 07:02:00 ossec-remoted: INFO: Started (pid: 15059).
2013/03/27 07:02:00 ossec-remoted: Error accessing file
'/etc/shared/ar.conf'
2013/03/27 07:02:00 ossec-remoted(4111): INFO: Maximum number of agents
allowed: '256'.
2013/03/27 07:02:00 ossec-remoted(1410): INFO: Reading authentication keys
file.
2013/03/27 07:02:00 ossec-remoted: INFO: Assigning counter for agent agent:
'0:8827'.
2013/03/27 07:02:00 ossec-remoted: INFO: Assigning counter for agent
kibana: '1:3532'.
2013/03/27 07:02:00 ossec-remoted: INFO: Assigning sender counter: 0:1039
2013/03/27 07:02:00 ossec-monitord: INFO: Started (pid: 15068).
2013/03/27 07:02:03 ossec-analysisd: INFO: Connected to '/queue/alerts/ar'
(active-response queue)
2013/03/27 07:02:03 ossec-analysisd: INFO: Connected to
'/queue/alerts/execq' (exec queue)
2013/03/27 07:02:04 ossec-syscheckd: INFO: Started (pid: 15065).
2013/03/27 07:02:04 ossec-rootcheck: INFO: Started (pid: 15065).
2013/03/27 07:02:04 ossec-syscheckd: INFO: Monitoring directory:
'/tmp/demo'.
2013/03/27 07:02:04 ossec-syscheckd: INFO: Directory set for real time
monitoring: '/tmp/demo'.
2013/03/27 07:02:06 ossec-logcollector(1950): INFO: Analyzing file:
'/var/log/messages'.
2013/03/27 07:02:06 ossec-logcollector(1950): INFO: Analyzing file:
'/var/log/secure'.
2013/03/27 07:02:06 ossec-logcollector(1950): INFO: Analyzing file:
'/var/log/maillog'.
2013/03/27 07:02:06 ossec-logcollector: INFO: Monitoring output of
command(360): df -h
2013/03/27 07:02:06 ossec-logcollector: INFO: Monitoring full output of
command(360): netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
2013/03/27 07:02:06 ossec-logcollector: INFO: Monitoring full output of
command(360): last -n 5
2013/03/27 07:02:06 ossec-logcollector: INFO: Started (pid: 15053).
Thanks,
Chris
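The second symptom in the post (a diff file on disk but no alert) sits downstream of syscheckd: the diff is written when syscheckd detects the change, and the alert only appears once analysisd receives that event and matches it to a rule. The script below is an added troubleshooting example, not part of the post or of OSSEC, that reconciles the diff.<epoch> files under /var/ossec/queue/diff with the syscheck alerts recorded in alerts.log; the directory listing and the alerts.log excerpt are constructed from the timestamps in the post, and the 300-second matching window is an assumption.

```python
# Added example (not from the post or OSSEC itself): reconcile the diff.<epoch>
# files syscheck wrote for a monitored path with the syscheck alerts that reached
# alerts.log, flagging changes whose diff exists but never produced an alert.
import re
# Constructed input: the 'll' listing of /var/ossec/queue/diff/local/tmp/demo/test
DIFF_LISTING = ["diff.1364388706", "diff.1364392256", "last-entry",
                "state.1364388217", "state.1364388706"]
# Constructed alerts.log excerpt in the OSSEC 2.x format: only the first change
# (05:51 PDT) produced a rule 550 alert; nothing was logged for the 06:50 change.
ALERTS_LOG = """\
** Alert 1364388710.4821: mail - ossec,syscheck,
2013 Mar 27 05:51:50 manager->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/tmp/demo/test'
Size changed from '5' to '11'
"""
DIFF_RE = re.compile(r"^diff\.(\d+)$")
ALERT_HDR_RE = re.compile(r"^\*\* Alert (\d+)\.\d+:")
CHANGED_RE = re.compile(r"^Integrity checksum changed for: '(.+)'$")

def diff_epochs(listing):
    """Epoch seconds of every diff.<epoch> file, oldest first."""
    return sorted(int(m.group(1)) for n in listing if (m := DIFF_RE.match(n)))

def syscheck_alerts(log_text):
    """(alert_epoch, path) for each 'Integrity checksum changed' alert."""
    found, current = [], None
    for line in log_text.splitlines():
        if m := ALERT_HDR_RE.match(line):
            current = int(m.group(1))          # epoch from the '** Alert' header
        elif (m := CHANGED_RE.match(line)) and current is not None:
            found.append((current, m.group(1)))
    return found

def reconcile(listing, log_text, path, window=300):
    """Map each diff epoch to the first alert for `path` logged within `window`
    seconds after the diff was written, or to None when no alert followed."""
    alerts = syscheck_alerts(log_text)
    out = {}
    for d in diff_epochs(listing):
        hits = [a for a, p in alerts if p == path and d <= a <= d + window]
        out[d] = min(hits) if hits else None
    return out

if __name__ == "__main__":
    for d, a in reconcile(DIFF_LISTING, ALERTS_LOG, "/tmp/demo/test").items():
        print(f"diff.{d}: {'alerted at ' + str(a) if a else 'NO ALERT within window'}")
```

A diff with no matching alert narrows the fault to the syscheckd-to-analysisd queue or the rule/alert-level settings, whereas a missing diff points at the realtime (inotify) detection itself.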