Hey!
I'm having a bit of a problem getting real time monitoring to work
properly. I have a specific directory that I would like to have it keep a
check on for any new file that gets created.
Here is my ossec.conf
<syscheck>
  <!-- Frequency that syscheck is executed - default to every 22 hours -->
  <frequency>180</frequency>
  <alert_new_files>yes</alert_new_files>
  <auto_ignore>no</auto_ignore>
  <!-- Directories to check (perform all possible verifications) -->
  <directories check_all="yes" report_changes="yes" realtime="yes">/home/josh1/Documents</directories>
  <directories check_all="yes">/bin,/sbin</directories>
...
The problem is that new files are only logged in alerts.log when the
syscheck scan runs, which can be as much as 5 minutes between scans. This
causes the timestamp to be screwed up in my log.
Here is the output of ossec.log:
2013/07/24 10:49:00 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2013/07/24 10:49:00 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/auth.log'.
2013/07/24 10:49:00 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/syslog'.
2013/07/24 10:49:00 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/mail.info'.
2013/07/24 10:49:00 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/dpkg.log'.
2013/07/24 10:49:00 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/snort/alert'.
2013/07/24 10:49:00 ossec-logcollector: INFO: Started (pid: 2423).
2013/07/24 10:50:01 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2013/07/24 10:50:01 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2013/07/24 10:50:01 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
2013/07/24 10:50:43 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2013/07/24 10:50:55 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2013/07/24 10:51:15 ossec-syscheckd: INFO: Starting real time file monitoring.
2013/07/24 10:51:15 ossec-rootcheck: INFO: Starting rootcheck scan.
2013/07/24 11:01:57 ossec-rootcheck: INFO: Ending rootcheck scan.
2013/07/24 11:01:57 ossec-syscheckd: INFO: Starting syscheck scan.
2013/07/24 11:02:58 ossec-syscheckd: INFO: Ending syscheck scan.
2013/07/24 11:07:58 ossec-syscheckd: INFO: Starting syscheck scan.
2013/07/24 11:08:59 ossec-syscheckd: INFO: Ending syscheck scan.
2013/07/24 11:13:59 ossec-syscheckd: INFO: Starting syscheck scan.
2013/07/24 11:15:00 ossec-syscheckd: INFO: Ending syscheck scan.
2013/07/24 11:20:00 ossec-syscheckd: INFO: Starting syscheck scan.
2013/07/24 11:21:01 ossec-syscheckd: INFO: Ending syscheck scan.
2013/07/24 11:26:01 ossec-syscheckd: INFO: Starting syscheck scan.
2013/07/24 11:27:02 ossec-syscheckd: INFO: Ending syscheck scan.
2013/07/24 11:32:02 ossec-syscheckd: INFO: Starting syscheck scan.
2013/07/24 11:33:03 ossec-syscheckd: INFO: Ending syscheck scan.
Here is one of the alerts from my alerts.log where I created a new file in
the specified directory.
** Alert 1374678117.10200: mail - local,syslog,syscheck,
2013 Jul 24 11:01:57 debian1->syscheck
Rule: 554 (level 16) -> 'File added to the system.'
New file '/home/josh1/Documents/testfile1.txt' added to the file system.
As you can see, the timestamp corresponds directly with the first syscheck
scan that is run, even though I created the file several minutes earlier.
I have already made sure that inotify.h exists in /usr/include/sys/, as
another post had suggested that x86_64 Linux distributions did not contain that
file in that directory.
Does my configuration look okay? What am I missing to get real time
monitoring to work?
Any help would be greatly appreciated.
Thanks,
Josh
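A small diagnostic that makes the observation in the post checkable rather than eyeballed. It is an added example, not code from the post or from the OSSEC project: it parses the ossec.log and alerts.log line formats shown above (the sample below is constructed from those excerpts, with the wrapped lines rejoined), reconstructs the scheduled scan windows and the moment real-time monitoring actually started, and classifies an alert as "scheduled-scan" when its timestamp coincides with a scan start, "realtime" when it arrived while real-time monitoring was active but not at a scan boundary, or "pre-realtime" when it predates the "Starting real time file monitoring" line. The two-second tolerance and the function names are my assumptions; the message prefixes matched are exactly the ones that appear in the post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the syscheckd lines from the ossec.log excerpt in the post.
OSSEC_LOG = """\
2013/07/24 10:50:01 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2013/07/24 10:50:01 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2013/07/24 10:50:01 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
2013/07/24 10:50:43 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2013/07/24 10:50:55 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2013/07/24 10:51:15 ossec-syscheckd: INFO: Starting real time file monitoring.
2013/07/24 11:01:57 ossec-syscheckd: INFO: Starting syscheck scan.
2013/07/24 11:02:58 ossec-syscheckd: INFO: Ending syscheck scan.
2013/07/24 11:07:58 ossec-syscheckd: INFO: Starting syscheck scan.
2013/07/24 11:08:59 ossec-syscheckd: INFO: Ending syscheck scan.
"""

# Constructed sample: the second header line of the alert shown in the post.
ALERT_HEADER = "2013 Jul 24 11:01:57 debian1->syscheck"

LOG_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-syscheckd: INFO: (.*)$")


def parse_syscheck_events(log_text):
    """Return (realtime_start, [(scan_start, scan_end), ...]) from ossec.log text.

    Only syscheckd INFO lines are considered; the 'Initializing ... (not started)'
    line is deliberately ignored, since real-time monitoring is not live until
    the 'Starting real time file monitoring.' line appears.
    """
    realtime_start = None
    scans = []
    open_start = None
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        msg = m.group(2)
        if msg.startswith("Starting real time file monitoring"):
            realtime_start = ts
        elif msg.startswith("Starting syscheck scan"):
            open_start = ts
        elif msg.startswith("Ending syscheck scan") and open_start is not None:
            scans.append((open_start, ts))
            open_start = None
    return realtime_start, scans


def parse_alert_time(header):
    """Parse the '2013 Jul 24 11:01:57 host->syscheck' header of an alerts.log entry."""
    return datetime.strptime(" ".join(header.split()[:4]), "%Y %b %d %H:%M:%S")


def max_gap_seconds(scans):
    """Largest idle gap (seconds) between the end of one scan and the start of the next."""
    gaps = [(nxt[0] - cur[1]).total_seconds() for cur, nxt in zip(scans, scans[1:])]
    return max(gaps) if gaps else 0.0


def classify_alert(alert_ts, realtime_start, scans, tolerance=timedelta(seconds=2)):
    """Decide which mechanism most plausibly produced an alert at alert_ts.

    An alert stamped within `tolerance` of a scan start was almost certainly
    produced by the periodic scan, not by inotify. Caveat: a file created while
    a scan is already running is also reported by that scan, so a timestamp
    inside a scan window is ambiguous and is reported as realtime here only if
    it is not at the scan's start.
    """
    for start, _end in scans:
        if abs(alert_ts - start) <= tolerance:
            return "scheduled-scan"
    if realtime_start is not None and alert_ts >= realtime_start:
        return "realtime"
    return "pre-realtime"


def diagnose(log_text, alert_header):
    """One-call convenience wrapper: classify an alert against a log excerpt."""
    realtime_start, scans = parse_syscheck_events(log_text)
    return classify_alert(parse_alert_time(alert_header), realtime_start, scans)


if __name__ == "__main__":
    rt, windows = parse_syscheck_events(OSSEC_LOG)
    print("real-time monitoring started at:", rt)
    print("largest gap between scans (s):", max_gap_seconds(windows[1:]))
    print("alert classification:", diagnose(OSSEC_LOG, ALERT_HEADER))
```

Run against the excerpts in the post, the alert for testfile1.txt classifies as "scheduled-scan" because its timestamp is identical to the 11:01:57 scan start, which is the post's complaint in a form you can re-run after changing the configuration: once real-time monitoring is really delivering events, new-file alerts should start classifying as "realtime" and their timestamps should stop lining up with scan boundaries.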
You received this message because you are subscribed to the Google Groups
"ossec-list" group.