Hello, I have the following setup:

1 manager - OSSEC 2.7 64 bit tar.gz manager install via script
2 agents - OSSEC 2.7 64 bit Atomic repo install

I have changed the <syscheck> in /var/ossec/etc/ossec.conf to the following on the manager:

  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours in seconds  -->
    <frequency>7200</frequency>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- Windows files to ignore -->
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
    <ignore>C:\WINDOWS/Debug</ignore>
    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
    <ignore>C:\WINDOWS/iis6.log</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
    <ignore>C:\WINDOWS/Prefetch</ignore>
    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
    <ignore>C:\WINDOWS/Temp</ignore>
    <ignore>C:\WINDOWS/system32/config</ignore>
    <ignore>C:\WINDOWS/system32/spool</ignore>
    <ignore>C:\WINDOWS/system32/CatRoot</ignore>
  </syscheck>

I want realtime monitoring of the /etc/ directories on the agents.
I tested the active restarts and the link with the agents via agent_control -lc.

The agents have the following ossec.conf:

<ossec_config>
  <client>
    <server-ip>10.10.138.69</server-ip>
  </client>
</ossec_config>

Nothing happens when I alter /etc/hosts on 1 of the agents.

When I change the /etc/hosts on the manager it is instant (exactly what I want).

I changed the ossec.conf on the agents to the following:

<ossec_config>
  <client>
    <server-ip>10.10.138.69</server-ip>
  </client>

  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours in seconds  -->
    <frequency>7200</frequency>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories realtime="yes" check_all="yes">/var/ossec/etc,/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- Windows files to ignore -->
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
    <ignore>C:\WINDOWS/Debug</ignore>
    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
    <ignore>C:\WINDOWS/iis6.log</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
    <ignore>C:\WINDOWS/Prefetch</ignore>
    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
    <ignore>C:\WINDOWS/Temp</ignore>
    <ignore>C:\WINDOWS/system32/config</ignore>
    <ignore>C:\WINDOWS/system32/spool</ignore>
    <ignore>C:\WINDOWS/system32/CatRoot</ignore>
  </syscheck>

</ossec_config>

and restarted the ossec service on the agents, and let the system check rebuild its database on both agents:
2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/ossec/etc'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/bin'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/sbin'.
2013/09/27 14:18:27 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2013/09/27 14:18:27 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2013/09/27 14:18:27 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
2013/09/27 14:43:12 ossec-syscheckd: INFO: Real time file monitoring started.
2013/09/27 14:43:12 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2013/09/27 14:43:26 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database)

I changed the /etc/hosts file again and added multiple new lines to make sure it won't match the MD5 sum.
Still nothing is happening on the agents, no alert is triggered (whereas on the manager it was instant).

Am I correct that the realtime configuration should be in the ossec.conf on the agents?
I have seen one error on one of the servers, alerting:

Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
File '/etc/hosts' was deleted. Unable to retrieve checksum.


How can I recreate the database?

Regards, and sorry if I am asking the obvious questions here.

Michiel
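To check, from an agent's own ossec.conf, whether a given file is covered by syscheck and whether it is covered in realtime, here is an added example (not code from the original post or from the OSSEC project): it parses the <directories> and <ignore> elements of the two agent configurations quoted above and classifies a path. It assumes that a plain <ignore> value matches as a string prefix of the file name; the sample configurations are constructed from the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two agent-side ossec.conf variants from the post, trimmed.
AGENT_CONF_CLIENT_ONLY = """
<ossec_config>
  <client><server-ip>10.10.138.69</server-ip></client>
</ossec_config>
"""
AGENT_CONF_WITH_SYSCHECK = """
<ossec_config>
  <client><server-ip>10.10.138.69</server-ip></client>
  <syscheck>
    <frequency>7200</frequency>
    <directories realtime="yes" check_all="yes">/var/ossec/etc,/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/httpd/logs</ignore>
  </syscheck>
</ossec_config>
"""

def parse_syscheck(conf_text):
    """Return ([(directory, realtime_bool)], [ignore_prefix]) from ossec.conf text."""
    # ossec.conf may hold several top-level <ossec_config> blocks, so wrap the
    # whole file in a synthetic root before handing it to the XML parser.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    dirs, ignores = [], []
    for sc in root.iter("syscheck"):
        for d in sc.findall("directories"):
            realtime = d.get("realtime", "no").lower() == "yes"
            for path in (d.text or "").split(","):
                if path.strip():
                    dirs.append((path.strip().rstrip("/") or "/", realtime))
        for ig in sc.findall("ignore"):
            if ig.get("type") != "sregex" and ig.text:  # regex ignores not handled here
                ignores.append(ig.text.strip())
    return dirs, ignores

def monitor_status(path, dirs, ignores):
    """'ignored', 'realtime', 'scheduled' (periodic scan only) or 'unmonitored'."""
    # Assumption: syscheck treats a plain <ignore> value as a string prefix of
    # the file name, so an ignored directory covers everything beneath it.
    if any(path.startswith(ig) for ig in ignores):
        return "ignored"
    hits = [rt for base, rt in dirs if path == base or path.startswith(base.rstrip("/") + "/")]
    if not hits:
        return "unmonitored"
    return "realtime" if any(hits) else "scheduled"
```

With the client-only configuration the function reports /etc/hosts as unmonitored, which is what the agent will do when its syscheck block lives only in the manager's ossec.conf.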
