On Thu, Oct 3, 2013 at 9:50 AM, Michiel van Es <[email protected]> wrote:
> But it is correct that I add the syscheck and realtime options to the agent's
> own ossec.conf and NOT on the server, right?
>

That depends on where you want that setting to be applied. If you want the
agent to attempt these detections in real time, then you have to define it on
the agent. If you want the server to do realtime detection, you must define it
on the server. I will try to make the documentation more clear on this.

>
> 2013/10/3 dan (ddp) <[email protected]>
>>
>> On Thu, Oct 3, 2013 at 9:13 AM, Michiel van Es <[email protected]> wrote:
>> >
>> >
>> > On Thursday, 3 October 2013 14:57:28 UTC+2, dan (ddpbsd) wrote:
>> >>
>> >> On Thu, Oct 3, 2013 at 4:26 AM, Michiel van Es <[email protected]> wrote:
>> >> > Is my ossec.conf on the agents correct?
>> >> > Tested again today after some days:
>> >> >
>> >>
>> >> As far as I can tell it seems ok.
>> >>
>> >> > Added an entry to /etc/hosts, nothing is detected and alerted directly..
>> >> >
>> >>
>> >> What do you mean by "alerted directly?"
>> >
>> >
>> > The realtime=yes should trigger an alert for OSSEC directly when I alter
>> > the file, right? (I open the file with vim, add a new line with bogus,
>> > write+quit)
>> > It does nothing after that, only after the first syscheck run that is
>> > scheduled to run every X hours/minutes.
>> >
>>
>> It should trigger an alert very quickly, yes.
>> I don't really have a way to troubleshoot this. Every time I test
>> realtime it works just fine.
>>
>> >>
>> >> >
>> >> > On Friday, 27 September 2013 15:50:18 UTC+2, Michiel van Es wrote:
>> >> >>
>> >> >> Hello, I have the following setup:
>> >> >>
>> >> >> 1 manager - OSSEC 2.7 64 bit tar.gz manager install via script
>> >> >> 2 agents - OSSEC 2.7 64 bit Atomic repo install
>> >> >>
>> >> >> I have changed the <syscheck> in /var/ossec/etc/ossec.conf to the
>> >> >> following on the manager:
>> >> >>
>> >> >> <syscheck>
>> >> >>   <!-- Frequency that syscheck is executed - default to every 22 hours
>> >> >>        in seconds -->
>> >> >>   <frequency>7200</frequency>
>> >> >>
>> >> >>   <!-- Directories to check (perform all possible verifications) -->
>> >> >>   <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>> >> >>   <directories check_all="yes">/bin,/sbin</directories>
>> >> >>
>> >> >>   <!-- Files/directories to ignore -->
>> >> >>   <ignore>/etc/mtab</ignore>
>> >> >>   <ignore>/etc/mnttab</ignore>
>> >> >>   <ignore>/etc/hosts.deny</ignore>
>> >> >>   <ignore>/etc/mail/statistics</ignore>
>> >> >>   <ignore>/etc/random-seed</ignore>
>> >> >>   <ignore>/etc/adjtime</ignore>
>> >> >>   <ignore>/etc/httpd/logs</ignore>
>> >> >>   <ignore>/etc/utmpx</ignore>
>> >> >>   <ignore>/etc/wtmpx</ignore>
>> >> >>   <ignore>/etc/cups/certs</ignore>
>> >> >>   <ignore>/etc/dumpdates</ignore>
>> >> >>   <ignore>/etc/svc/volatile</ignore>
>> >> >>
>> >> >>   <!-- Windows files to ignore -->
>> >> >>   <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>> >> >>   <ignore>C:\WINDOWS/Debug</ignore>
>> >> >>   <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>> >> >>   <ignore>C:\WINDOWS/iis6.log</ignore>
>> >> >>   <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>> >> >>   <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>> >> >>   <ignore>C:\WINDOWS/Prefetch</ignore>
>> >> >>   <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>> >> >>   <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>> >> >>   <ignore>C:\WINDOWS/Temp</ignore>
>> >> >>   <ignore>C:\WINDOWS/system32/config</ignore>
>> >> >>   <ignore>C:\WINDOWS/system32/spool</ignore>
>> >> >>   <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>> >> >> </syscheck>
>> >> >>
>> >> >> I want realtime monitoring of the /etc/ directories on the agents.
>> >> >> I tested the active restarts and link with the agents via
>> >> >> agent_control -lc
>> >> >>
>> >> >> The agents have the following ossec.conf:
>> >> >>
>> >> >> <ossec_config>
>> >> >>   <client>
>> >> >>     <server-ip>10.10.138.69</server-ip>
>> >> >>   </client>
>> >> >> </ossec_config>
>> >> >>
>> >> >> Nothing happens when I alter /etc/hosts on 1 of the agents.
>> >> >>
>> >> >> When I change the /etc/hosts on the manager it is instant (exactly
>> >> >> what I want).
>> >> >>
>> >> >> I changed the ossec.conf on the agents with the following;
>> >> >>
>> >> >> <ossec_config>
>> >> >>   <client>
>> >> >>     <server-ip>10.10.138.69</server-ip>
>> >> >>   </client>
>> >> >>
>> >> >>   <syscheck>
>> >> >>     <!-- Frequency that syscheck is executed - default to every 22 hours
>> >> >>          in seconds -->
>> >> >>     <frequency>7200</frequency>
>> >> >>
>> >> >>     <!-- Directories to check (perform all possible verifications) -->
>> >> >>     <directories realtime="yes" check_all="yes">/var/ossec/etc,/etc,/usr/bin,/usr/sbin</directories>
>> >> >>     <directories check_all="yes">/bin,/sbin</directories>
>> >> >>
>> >> >>     <!-- Files/directories to ignore -->
>> >> >>     <ignore>/etc/mtab</ignore>
>> >> >>     <ignore>/etc/mnttab</ignore>
>> >> >>     <ignore>/etc/hosts.deny</ignore>
>> >> >>     <ignore>/etc/mail/statistics</ignore>
>> >> >>     <ignore>/etc/random-seed</ignore>
>> >> >>     <ignore>/etc/adjtime</ignore>
>> >> >>     <ignore>/etc/httpd/logs</ignore>
>> >> >>     <ignore>/etc/utmpx</ignore>
>> >> >>     <ignore>/etc/wtmpx</ignore>
>> >> >>     <ignore>/etc/cups/certs</ignore>
>> >> >>     <ignore>/etc/dumpdates</ignore>
>> >> >>     <ignore>/etc/svc/volatile</ignore>
>> >> >>
>> >> >>     <!-- Windows files to ignore -->
>> >> >>     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>> >> >>     <ignore>C:\WINDOWS/Debug</ignore>
>> >> >>     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>> >> >>     <ignore>C:\WINDOWS/iis6.log</ignore>
>> >> >>     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>> >> >>     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>> >> >>     <ignore>C:\WINDOWS/Prefetch</ignore>
>> >> >>     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>> >> >>     <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>> >> >>     <ignore>C:\WINDOWS/Temp</ignore>
>> >> >>     <ignore>C:\WINDOWS/system32/config</ignore>
>> >> >>     <ignore>C:\WINDOWS/system32/spool</ignore>
>> >> >>     <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>> >> >>   </syscheck>
>> >> >>
>> >> >> </ossec_config>
>> >> >>
>> >> >> and restarted the ossec service on the agents, and let system-check
>> >> >> rebuild its database on both agents:
>> >> >> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
>> >> >> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
>> >> >> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
>> >> >> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
>> >> >> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
>> >> >> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/ossec/etc'.
>> >> >> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc'.
>> >> >> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/bin'.
>> >> >> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/sbin'.
>> >> >> 2013/09/27 14:18:27 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>> >> >> 2013/09/27 14:18:27 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
>> >> >> 2013/09/27 14:18:27 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
>> >> >> 2013/09/27 14:43:12 ossec-syscheckd: INFO: Real time file monitoring started.
>> >> >> 2013/09/27 14:43:12 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
>> >> >> 2013/09/27 14:43:26 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database)
>> >> >>
>> >> >> I change the /etc/hosts file again and add multiple new lines to make
>> >> >> sure it won't match the MD5 sum.
>> >> >> Still nothing happening on the agents, no alert triggered (as on the
>> >> >> manager it was instant)
>> >> >>
>> >> >> Am I correct that the realtime configuration should be in the
>> >> >> ossec.conf on the agents?
>> >> >> I have seen one error on 1 of the servers alerting:
>> >> >>
>> >> >> Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
>> >> >> File '/etc/hosts' was deleted. Unable to retrieve checksum.
>> >> >>
>> >> >>
>> >> >> How can I recreate the database?
>> >> >>
>> >> >> Regards and sorry if I ask the obvious questions here.
>> >> >>
>> >> >> Michiel
>> >> >
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google
>> >> > Groups "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it, send
>> >> > an email to [email protected].
>> >> > For more options, visit https://groups.google.com/groups/opt_out.
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to a topic in the
>> Google Groups "ossec-list" group.
>> To unsubscribe from this topic, visit
>> https://groups.google.com/d/topic/ossec-list/o2IBo4LjwME/unsubscribe.
>> To unsubscribe from this group and all its topics, send an email to
>> [email protected].
>> For more options, visit https://groups.google.com/groups/opt_out.
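One way to check whether an agent's realtime syscheck actually fires, and how fast, as an added example that is not part of this thread and not OSSEC's own tooling: record the time you modify the test file, then parse the manager's /var/ossec/logs/alerts/alerts.log for syscheck alerts (OSSEC rules 550 to 554: checksum changed, changed again, changed a third time, deleted, added) that name that path, and report the delay to the first one. The alerts.log excerpt in the script is constructed for the example; the agent name "agent1", the IP 10.10.138.70, the hostname "manager" and the checksums are invented, and the line layout follows the OSSEC 2.x alerts.log format, where alerts from an agent carry "(agent) ip->syscheck" and alerts for the manager's own files carry "hostname->syscheck". Two caveats worth keeping in mind when reading the result, both visible in the ossec.log lines quoted above: realtime monitoring is only armed after the initial database build finishes ("Initializing real time file monitoring (not started)" at 14:18:27, "Real time file monitoring started" at 14:43:12), so a change made during that window is only caught by the next scheduled scan; and an editor that writes a new file and renames it over the old one (vim can do this, depending on its backupcopy setting) is seen by inotify as a delete, which is one way to end up with a rule 553 "File deleted" alert for /etc/hosts instead of a rule 550 checksum change.

```shell
#!/bin/sh
# Added example (not from the thread or from OSSEC): list syscheck alerts for
# a path from an OSSEC alerts.log and measure realtime latency.
# Usage: sh check_realtime.sh [alerts.log] [path] [modification_epoch]
# With no arguments it runs against the constructed sample below.

# Constructed sample of an OSSEC 2.x alerts.log. Agent name, IP, hostname and
# md5 values are invented for the example.
write_sample_alerts() {
  cat > "$1" <<'EOF'
** Alert 1380285806.12345: mail - ossec,syscheck,
2013 Sep 27 14:43:26 (agent1) 10.10.138.70->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts'
Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is : '0cc175b9c0f1b6a831c399e269772661'

** Alert 1380285810.12350: mail - ossec,syscheck,
2013 Sep 27 14:43:30 (agent1) 10.10.138.70->syscheck
Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
File '/etc/hosts' was deleted. Unable to retrieve checksum.

** Alert 1380292320.13001: mail - ossec,syscheck,
2013 Sep 27 16:32:00 manager->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts'
Old md5sum was: '0cc175b9c0f1b6a831c399e269772661'
New md5sum is : '92eb5ffee6ae2fec3ad71c777531578f'

** Alert 1380292330.13010: mail - ossec,syscheck,
2013 Sep 27 16:32:10 (agent1) 10.10.138.70->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
Old md5sum was: '4a8a08f09d37b73795649038408b5f33'
New md5sum is : '8277e0910d750195b448797616e091ad'
EOF
}

# Print "epoch|source|rule" for every syscheck alert (rules 550-554) in the
# alerts.log at $1 that names the quoted path $2, in file order.
syscheck_alerts() {
  awk -v want="$2" -v q="'" '
    # Alert header: "** Alert <epoch>.<id>: ..." starts a new record.
    /^\*\* Alert / { split($3, a, "."); epoch = a[1]; src = ""; rule = ""; next }
    # Source line: "(agent1) 10.10.138.70->syscheck" or "manager->syscheck".
    /->syscheck$/ {
      src = $NF; sub(/->syscheck$/, "", src)
      if (NF > 1 && $(NF-1) ~ /^\(.*\)$/) { src = $(NF-1); gsub(/[()]/, "", src) }
      next
    }
    /^Rule: 55[0-4] / { rule = $2; next }
    # Body line naming the path in single quotes completes the record.
    src != "" && rule != "" && index($0, q want q) {
      print epoch "|" src "|" rule
      src = ""; rule = ""
    }
  ' "$1"
}

# Seconds from a known modification time (epoch, $3) to the first syscheck
# alert for path $2 at or after it; prints "none" if no such alert exists.
alert_delay() {
  syscheck_alerts "$1" "$2" | awk -F'|' -v since="$3" '
    $1 + 0 >= since + 0 { print $1 - since; found = 1; exit }
    END { if (!found) print "none" }'
}

# Stand-alone run: a real log and path from the arguments, or the sample.
if [ -n "${1:-}" ]; then
  log=$1
else
  log=$(mktemp) && write_sample_alerts "$log"
fi
path=${2:-/etc/hosts}
echo "syscheck alerts for $path (epoch|source|rule):"
syscheck_alerts "$log" "$path"
if [ -n "${3:-}" ]; then
  echo "delay from $3 to first alert: $(alert_delay "$log" "$path" "$3")s"
fi
if [ -z "${1:-}" ]; then rm -f "$log"; fi
```

On a live setup, run `date +%s` immediately before editing the file on the agent, then point the script at the manager's alerts.log with that epoch as the third argument: a delay of a few seconds means the agent's realtime watch delivered; a delay equal to the gap until the next scheduled run, or "none", means only the periodic scan saw the change.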
