Glad it is working now. I'm pretty confident that check_diff can be applied to a sub folder while not covering the parent folder - but I did not try it myself. As it is a simple setup - just do it - and please share your findings. -R
On Monday, September 16, 2013 6:46:22 AM UTC-7, Stephan Gomes Higuti wrote:
>
> Thanks Roy.
>
> I did some changes and it's now working.
> I configured the agents to use profiles, which are configured in
> /var/ossec/etc/shared/agents.conf on the server, and now it's working fine.
> About the diffs, I'm having some issues with it, for example:
>
> I'm watching in real time the directory /home/tomcat, which includes the
> subdirectories /home/tomcat/bin, /home/tomcat/logs,
> /home/tomcat/webapps, /home/tomcat/conf...
> I want to have the report_changes only in /home/tomcat/conf, otherwise
> it will consume a huge amount of disk space if I add the webapps directory
> for report_changes as well.
> So, is it correct to do it like this:
>
> <directories realtime="yes" check_all="yes" report_changes="yes">/home/tomcat/conf</directories>
> <directories realtime="yes" check_all="yes">/home/tomcat</directories>
>
> Is there another way to do that or is it as simple as that?
>
> Best Regards,
>
> Stephan
> Att,
>
> Stephan Gomes Higuti
>
>
> On 13 September 2013 14:31, Roy Feintuch <[email protected]> wrote:
> > Hi,
> > 1. I think you are checking the wrong folder - queue/diff is used to store
> > the files when using 'report_changes' mode (full diff reporting)
> > The syscheck db folder is at queue/syscheck
> >
> > 2. If this is a new installation - then it takes ossec some time to start
> > triggering some events (~1 day / 2 successful full scans while not restarting
> > the agent)
> >
> > 3. Describe exactly what is not working in realtime - how did you test that?
> > for what kind of event? For example new files added are never discovered in
> > realtime.
> >
> > -Roy
> >
> >
> > On Wednesday, September 11, 2013 7:59:51 AM UTC-7, Stephan Gomes Higuti wrote:
> >>
> >> Hi!
> >>
> >> I'm having issues with Real Time detection and syscheck scan, look at
> >> the time that syscheck took.
> >>
> >> 2013/09/11 11:46:57 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> >> 2013/09/11 11:46:57 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> >> 2013/09/11 11:46:57 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
> >> 2013/09/11 11:46:57 ossec-syscheckd: DEBUG: Directory added for real time monitoring: '/srv/www/'.
> >> 2013/09/11 11:46:57 ossec-syscheckd: DEBUG: Directory added for real time monitoring: '/home/XXXXXX/'.
> >> 2013/09/11 11:46:57 ossec-syscheckd: DEBUG: Directory added for real time monitoring: '/home/YYYYYYY/'.
> >> 2013/09/11 11:46:57 ossec-syscheckd: INFO: Real time file monitoring started.
> >> 2013/09/11 11:46:57 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
> >> 2013/09/11 11:47:09 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
> >> 2013/09/11 11:47:29 ossec-rootcheck: INFO: Starting rootcheck scan.
> >> 2013/09/11 11:47:29 ossec-rootcheck: DEBUG: Starting on check_rc_files
> >> 2013/09/11 11:47:29 ossec-rootcheck: DEBUG: Starting on check_rc_trojans
> >>
> >>
> >> Realtime monitoring is not working as well, here is my agent ossec.conf:
> >>
> >> <syscheck>
> >>   <!-- Frequency that syscheck is executed - default to every 22 hours -->
> >>   <frequency>21600</frequency>
> >>
> >>   <scan_on_start>yes</scan_on_start>
> >>   <auto_ignore>no</auto_ignore>
> >>   <alert_new_files>yes</alert_new_files>
> >>   <!-- Directories to check (perform all possible verifications) -->
> >>   <directories report_changes="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> >>   <directories report_changes="yes" check_all="yes">/bin,/sbin</directories>
> >>   <directories realtime="yes" check_all="yes">/srv/www,/home/XXXXXX,/home/YYYYYY/apache</directories>
> >>
> >>   <!-- Files/directories to ignore -->
> >>   <ignore>/etc/mtab</ignore>
> >>   <ignore>/etc/mnttab</ignore>
> >>   <ignore>/etc/hosts.deny</ignore>
> >>   <ignore>/etc/mail/statistics</ignore>
> >>   <ignore>/etc/random-seed</ignore>
> >>   <ignore>/etc/adjtime</ignore>
> >>   <ignore>/etc/httpd/logs</ignore>
> >>   <ignore>/etc/utmpx</ignore>
> >>   <ignore>/etc/wtmpx</ignore>
> >>   <ignore>/etc/cups/certs</ignore>
> >>   <ignore>/etc/dumpdates</ignore>
> >>   <ignore>/etc/svc/volatile</ignore>
> >>   <ignore>/var/ossec/queue</ignore>
> >>   <ignore>/var/ossec/logs</ignore>
> >>   <ignore>/var/ossec/stats</ignore>
> >>   <ignore>/var/ossec/var</ignore>
> >>   <ignore>/home/YYYYYYYY/apache/logs</ignore>
> >>
> >> </syscheck>
> >>
> >>
> >> The weird thing is, I had it working on other servers.
> >> The syscheck didn't even create all the queues:
> >>
> >> # ls /var/ossec/queue/diff/local/
> >> etc
> >>
> >>
> >> # du -hsc /var/ossec/queue/diff/local/*
> >> 608K /var/ossec/queue/diff/local/etc
> >> 608K total
> >>
> >>
> >> I've got no idea why the syscheck is kind of jumping the scan, I
> >> checked the conf files and it seems ok!
> >> Am I missing anything?
> >>
> >>
> >> Regards,
> >>
> >>
> >> Stephan
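A way to check, offline, which <directories> entries in an agent ossec.conf overlap a given path and whether report_changes is set on any of them (added example, not code from this thread or from OSSEC; the sample config is constructed from Stephan's proposed two-entry setup). It only reports the overlaps; it does not model which entry OSSEC itself applies when two cover the same file, which is what testing on an agent, as Roy suggests, confirms.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed sample: the syscheck block Stephan proposed in the thread,
# with one <ignore> added to show how ignore rules are reported.
SAMPLE_CONF = """<ossec_config>
  <syscheck>
    <directories realtime="yes" check_all="yes" report_changes="yes">/home/tomcat/conf</directories>
    <directories realtime="yes" check_all="yes">/home/tomcat</directories>
    <ignore>/home/tomcat/logs</ignore>
  </syscheck>
</ossec_config>"""

def parse_syscheck(conf_text):
    """Return (entries, ignores) from every <syscheck> block, in config order.
    entries is a list of (directory, attributes); one <directories> element
    may list several comma-separated directories, as in Stephan's agent conf."""
    # ossec.conf may hold several top-level <ossec_config> blocks, which is not
    # well-formed XML on its own, so wrap the text in a synthetic root first.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    entries, ignores = [], []
    for sc in root.iter("syscheck"):
        for el in sc:
            if el.tag == "directories" and el.text:
                for d in el.text.split(","):
                    entries.append((d.strip().rstrip("/") or "/", dict(el.attrib)))
            elif el.tag == "ignore" and el.text:
                ignores.append(el.text.strip().rstrip("/") or "/")
    return entries, ignores

def _covers(base, path):
    """True when path is base itself or lies somewhere below it."""
    base_p, p = PurePosixPath(base), PurePosixPath(path)
    return p == base_p or base_p in p.parents

def report(path, conf_text):
    """Which <directories> entries cover path (most specific first), whether any
    of them sets report_changes, and whether an <ignore> rule drops it first.
    The ordering is only a reading aid; it does not model OSSEC's own precedence."""
    entries, ignores = parse_syscheck(conf_text)
    if any(_covers(i, path) for i in ignores):
        return {"ignored": True, "matches": [], "diff": False}
    hits = [(d, a) for d, a in entries if _covers(d, path)]
    hits.sort(key=lambda da: len(PurePosixPath(da[0]).parts), reverse=True)
    diff = any(a.get("report_changes") == "yes" for _, a in hits)
    return {"ignored": False, "matches": hits, "diff": diff}
```

Running report() over a few paths under /home/tomcat shows that only files below /home/tomcat/conf are covered by a report_changes entry, so only that tree should ever end up in queue/diff.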
