On Fri, Jun 21, 2013 at 2:58 AM, Taher <[email protected]> wrote:
> Hello David and Dan,
> I think I am facing the same issue as David.
>
> So David, does this configuration in agent.conf on the OSSEC server work?
> <agent_conf>
>
> <syscheck>
> <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> <directories check_all="yes">/bin,/sbin</directories>
> <directories check_all="yes">/usr/local/sbin</directories>
> <directories check_all="yes">/usr/local/bin</directories>
> </syscheck>
> </agent_conf>
>
>
> Do you see "Integrity checksum changed" alerts from an agent on a
> directory/file you specified in agent.conf file on the server? Was that
> directory also specified in ossec.conf on the agent?
>
> We need to check if integrity alerts for an agent are generated for
> directories/files not mentioned in ossec.conf (agent's side) but in
> agent.conf (server side).
>
> I am only interested in the syscheck (FIM) part and not the logs on the
> agents.
>

Yes, that works. I've been using something like that for years. How did you test? After a syscheck scan is run, is the file listed in /var/ossec/queue/syscheck/(AGENT_NAME)\ AGENT_IP->syscheck?

>
>
> On Thursday, 20 June 2013 02:38:22 UTC+5:30, David Blanton wrote:
>>
>> If I have a <directories
>> check_all="yes">/usr/local/bin,/sbin</directories>
>>
>> and <ignore>/opt/lampp</ignore> within my ossec.conf file (for example),
>> does that mean that my agents will
>>
>> not abide by these rules? Are they only local rules for my OSSEC Server?
>>
>> Do these have to be specifically addressed for each agent, with their OS,
>> name, etc. within agent.conf in order
>>
>> for agents to either ignore certain directories or check certain files and
>> directories?
>>
>>
>> The OSSEC 2.7 documentation and book do not specifically make any of
>> these things clear.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
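
Added example, not part of the original thread and not OSSEC code: before waiting for a syscheck scan, a shared syscheck fragment like the one quoted above can be checked offline for well-formedness (for instance a `<directories>` element that is never closed) and for whether a given path falls under a monitored directory. The function names, the sample fragments and the prefix-match treatment of `<ignore>` are assumptions made for this illustration.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the fragment quoted in the thread.
GOOD = """
<agent_conf>
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>
</agent_conf>
"""
# Constructed broken variant: the first <directories> element is never closed.
BAD = GOOD.replace("/usr/sbin</directories>", "/usr/sbin<directories>")


def load_syscheck(text):
    """Return (monitored_dirs, ignored_paths); raise ValueError if malformed."""
    try:
        # Wrap in a synthetic root so several top-level blocks still parse.
        root = ET.fromstring("<root>" + text + "</root>")
    except ET.ParseError as exc:
        raise ValueError(f"malformed config: {exc}") from exc
    dirs, ignores = [], []
    for sc in root.iter("syscheck"):
        for d in sc.findall("directories"):
            # One element may carry several comma-separated directories.
            parts = (d.text or "").split(",")
            dirs += [posixpath.normpath(p.strip()) for p in parts if p.strip()]
        for i in sc.findall("ignore"):
            if i.text and i.text.strip():
                ignores.append(posixpath.normpath(i.text.strip()))
    return dirs, ignores


def _under(path, base):
    # Component-wise prefix test, so /etcetera is not treated as under /etc.
    return path == base or path.startswith(base.rstrip("/") + "/")


def is_monitored(text, path):
    """Assumed semantics: under a listed directory and not under an ignore."""
    dirs, ignores = load_syscheck(text)
    path = posixpath.normpath(path)
    if any(_under(path, i) for i in ignores):
        return False
    return any(_under(path, d) for d in dirs)
```

This only inspects the configuration text; whether an agent actually picked the directories up is still confirmed from the agent's syscheck queue file after a scan, as the reply suggests.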
