On Wed, Feb 19, 2014 at 10:27 AM, frwa onto <[email protected]> wrote:
> Dear Dan,
> Under both the config files how should I decide if the realtime
> option with syscheck is on? Please advise which is better?
>

Look for the realtime option in the <directories> statements:
http://ossec.net/doc/syntax/head_ossec_config.syscheck.html

> Regards,
> Frwa.
>
> On Tuesday, February 18, 2014 12:10:42 AM UTC+8, dan (ddpbsd) wrote:
>>
>> On Mon, Feb 17, 2014 at 11:04 AM, frwa onto <[email protected]> wrote:
>> > Dear Dan,
>> > I had 2 machines with yum update run around the same time.
>> > Both the mysqls got updated. Below are some of the alerts from the one
>> > machine. For machine 1 the alerts got into my email immediately when the
>> > update happened. But there were some later, around 2014 Feb 14 18:31:02.
>> > Further down I have added the machine 2 email alerts: why don't I receive
>> > immediate alerts as on machine 1? All the alerts are like the next morning.
>> >
>>
>> Are you using the realtime option with syscheck? If not, when did the
>> syscheck complete a run? If it happened about the time the alerts were
>> generated, you have your answer.
>>
>> > MACHINE 1
>> >
>> > OSSEC HIDS Notification.
>> > 2014 Feb 14 12:26:37
>> >
>> > Received From: localhost->/var/log/messages
>> > Rule: 2933 fired (level 7) -> "Yum package updated."
>> > Portion of the log(s):
>> >
>> > Feb 14 12:26:37 localhost yum[19925]: Updated: nss-sysinit-3.15.3-6.el6_5.x86_64
>> >
>> > --END OF NOTIFICATION
>> >
>> >
>> > OSSEC HIDS Notification.
>> > 2014 Feb 14 12:26:37
>> >
>> > Received From: localhost->/var/log/messages
>> > Rule: 2933 fired (level 7) -> "Yum package updated."
>> > Portion of the log(s):
>> >
>> > Feb 14 12:26:37 localhost yum[19925]: Updated: nss-3.15.3-6.el6_5.x86_64
>> >
>> > --END OF NOTIFICATION
>> >
>> >
>> > OSSEC HIDS Notification.
>> > 2014 Feb 14 12:26:39
>> >
>> > Received From: localhost->/var/log/messages
>> > Rule: 2933 fired (level 7) -> "Yum package updated."
>> > Portion of the log(s):
>> >
>> > Feb 14 12:26:38 localhost yum[19925]: Updated: mysql-libs-5.1.73-3.el6_5.x86_64
>> >
>> > --END OF NOTIFICATION
>> >
>> >
>> > OSSEC HIDS Notification.
>> > 2014 Feb 14 12:26:39
>> >
>> > Received From: localhost->/var/log/messages
>> > Rule: 2933 fired (level 7) -> "Yum package updated."
>> > Portion of the log(s):
>> >
>> > Feb 14 12:26:39 localhost yum[19925]: Updated: mysql-5.1.73-3.el6_5.x86_64
>> >
>> > --END OF NOTIFICATION
>> >
>> >
>> > OSSEC HIDS Notification.
>> > 2014 Feb 14 12:26:43
>> >
>> > Received From: localhost->/var/log/messages
>> > Rule: 2933 fired (level 7) -> "Yum package updated."
>> > Portion of the log(s):
>> >
>> > Feb 14 12:26:41 localhost yum[19925]: Updated: kernel-firmware-2.6.32-431.5.1.el6.noarch
>> >
>> > --END OF NOTIFICATION
>> >
>> >
>> > OSSEC HIDS Notification.
>> > 2014 Feb 14 12:26:49
>> >
>> > Received From: localhost->/var/log/messages
>> > Rule: 2932 fired (level 7) -> "New Yum package installed."
>> > Portion of the log(s):
>> >
>> > Feb 14 12:26:48 localhost yum[19925]: Installed: kernel-2.6.32-431.5.1.el6.x86_64
>> >
>> > --END OF NOTIFICATION
>> >
>> >
>> > OSSEC HIDS Notification.
>> > 2014 Feb 14 12:26:49
>> >
>> > Received From: localhost->/var/log/secure
>> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>> > Portion of the log(s):
>> >
>> > Feb 14 12:26:48 localhost useradd[20076]: failed adding user 'mysql', data deleted
>> >
>> > --END OF NOTIFICATION
>> >
>> >
>> > OSSEC HIDS Notification.
>> > 2014 Feb 14 12:26:51
>> >
>> > Received From: localhost->/var/log/messages
>> > Rule: 2933 fired (level 7) -> "Yum package updated."
>> > Portion of the log(s):
>> >
>> > Feb 14 12:26:50 localhost yum[19925]: Updated: mysql-server-5.1.73-3.el6_5.x86_64
>> >
>> > --END OF NOTIFICATION
>> >
>> >
>> > OSSEC HIDS Notification.
>> > 2014 Feb 14 12:26:51
>> >
>> > Received From: localhost->/var/log/messages
>> > Rule: 2933 fired (level 7) -> "Yum package updated."
>> > Portion of the log(s):
>> >
>> > Feb 14 12:26:51 localhost yum[19925]: Updated: nss-tools-3.15.3-6.el6_5.x86_64
>> >
>> > --END OF NOTIFICATION
>> >
>> >
>> > OSSEC HIDS Notification.
>> > 2014 Feb 14 12:26:51
>> >
>> > Received From: localhost->/var/log/messages
>> > Rule: 2933 fired (level 7) -> "Yum package updated."
>> > Portion of the log(s):
>> >
>> > Feb 14 12:26:51 localhost yum[19925]: Updated: wget-1.12-1.11.el6_5.x86_64
>> >
>> > --END OF NOTIFICATION
>> >
>> >
>> > OSSEC HIDS Notification.
>> > 2014 Feb 14 12:26:53
>> >
>> > Received From: localhost->/var/log/messages
>> > Rule: 2933 fired (level 7) -> "Yum package updated."
>> > Portion of the log(s):
>> >
>> > Feb 14 12:26:52 localhost yum[19925]: Updated: kernel-headers-2.6.32-431.5.1.el6.x86_64
>> >
>> >
>> > OSSEC HIDS Notification.
>> > 2014 Feb 14 18:31:02
>> >
>> > Received From: localhost->syscheck
>> > Rule: 551 fired (level 7) -> "Integrity checksum changed again (2nd time)."
>> > Portion of the log(s):
>> >
>> > Integrity checksum changed for: '/usr/libexec/mysqld'
>> > Size changed from '7587056' to '7589360'
>> > Old md5sum was: '34090928febd2bd008e10b2b289163a3'
>> > New md5sum is : '9a9e9695ed83be1705ccf2b9d80aee3f'
>> > Old sha1sum was: 'edc449d18156169597e1f9c32981491c62c12d1f'
>> > New sha1sum is : '49c9b2d0c6f64c3e8725ff874dcead55fae7570c'
>> >
>> > --END OF NOTIFICATION
>> >
>> >
>> > OSSEC HIDS Notification.
>> > 2014 Feb 14 18:31:03
>> >
>> > Received From: localhost->syscheck
>> > Rule: 551 fired (level 7) -> "Integrity checksum changed again (2nd time)."
>> > Portion of the log(s):
>> >
>> > Integrity checksum changed for: '/usr/libexec/mysqlmanager'
>> > Size changed from '1568952' to '1569016'
>> > Old md5sum was: '5f59e7dbc854b10cab8aa37b0ba0304f'
>> > New md5sum is : '01ab01d908c175046a0235f586d88cd8'
>> > Old sha1sum was: '6022e2316d5c39aeaaa417417803eb7caf05cb90'
>> > New sha1sum is : 'd3ea987ca6e153d1c0e373817f570592b1c41b5e'
>> >
>> > --END OF NOTIFICATION
>> >
>> >
>> > MACHINE 2.
>> >
>> > OSSEC HIDS Notification.
>> > 2014 Feb 15 03:51:54
>> >
>> > Received From: envotechpro->syscheck
>> > Rule: 550 fired (level 7) -> "Integrity checksum changed."
>> > Portion of the log(s):
>> >
>> > Integrity checksum changed for: '/etc/rc.d/rc0.d/K36mysqld'
>> >
>> >
>> > OSSEC HIDS Notification.
>> > 2014 Feb 15 03:51:30
>> >
>> > Received From: envotechpro->syscheck
>> > Rule: 550 fired (level 7) -> "Integrity checksum changed."
>> > Portion of the log(s):
>> >
>> > Integrity checksum changed for: '/etc/rc.d/rc5.d/S64mysqld'
>> > Old md5sum was: 'dbafcc483699bf9755855793ab29395a'
>> > New md5sum is : 'c809b007467029392ff7362b3535c5f4'
>> > Old sha1sum was: '115caa694ec142e9ba64aac43f86dd0ef1f70162'
>> > New sha1sum is : '475ef4bad5c5b1ba732c329f2ba79b0e36b06254'
>> >
>> >
>> > OSSEC HIDS Notification.
>> > 2014 Feb 15 03:52:18
>> >
>> > Received From: envotechpro->syscheck
>> > Rule: 550 fired (level 7) -> "Integrity checksum changed."
>> > Portion of the log(s):
>> >
>> > Integrity checksum changed for: '/etc/rc.d/rc2.d/S64mysqld'
>> >
>> >
>> > OSSEC HIDS Notification.
>> > 2014 Feb 15 03:52:38
>> >
>> > Received From: envotechpro->syscheck
>> > Rule: 550 fired (level 7) -> "Integrity checksum changed."
>> > Portion of the log(s):
>> >
>> > Integrity checksum changed for: '/etc/rc.d/rc1.d/K36mysqld'
>> >
>> >
>> > OSSEC HIDS Notification.
>> > 2014 Feb 15 03:54:10
>> >
>> > Received From: envotechpro->syscheck
>> > Rule: 550 fired (level 7) -> "Integrity checksum changed."
>> > Portion of the log(s):
>> >
>> > Integrity checksum changed for: '/etc/rc.d/init.d/mysqld'
>> > Size changed from '6752' to '7026'
>> >
>> >
>> > Regards,
>> > Frwa.
>> >
>> >
>> > On Friday, February 14, 2014 6:51:41 PM UTC+8, dan (ddpbsd) wrote:
>> >>
>> >> On Feb 14, 2014 5:47 AM, "frwa onto" <[email protected]> wrote:
>> >> >
>> >> > Dear Dan,
>> >> > I wish I could explore further, but looking at the message it is
>> >> > garbled; I cannot understand how to research further. I got another
>> >> > message as below. I don't get this well: "localhost useradd[20076]:
>> >> > failed adding user 'mysql', data deleted"? Is this another false positive?
>> >> >
>> >>
>> >> The original message was a keep alive, internal to ossec. Every once in a
>> >> while they slip through.
>> >> No idea about the useradd message, that looks like something you would
>> >> need to investigate. Was the mysql package being installed by a legitimate
>> >> admin? If yes, then the message probably isn't too important. If not, why
>> >> was it being installed?
>> >> It seems like a fairly straightforward investigation at this point.
>> >>
>> >> > OSSEC HIDS Notification.
>> >> > 2014 Feb 14 12:26:49
>> >> >
>> >> > Received From: localhost->/var/log/messages
>> >> > Rule: 2932 fired (level 7) -> "New Yum package installed."
>> >> > Portion of the log(s):
>> >> >
>> >> > Feb 14 12:26:48 localhost yum[19925]: Installed: kernel-2.6.32-431.5.1.el6.x86_64
>> >> >
>> >> > --END OF NOTIFICATION
>> >> >
>> >> >
>> >> > OSSEC HIDS Notification.
>> >> > 2014 Feb 14 12:26:49
>> >> >
>> >> > Received From: localhost->/var/log/secure
>> >> >
>> >> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>> >> > Portion of the log(s):
>> >> >
>> >> > Feb 14 12:26:48 localhost useradd[20076]: failed adding user 'mysql', data deleted
>> >> >
>> >> > --END OF NOTIFICATION
>> >> >
>> >> >
>> >> > OSSEC HIDS Notification.
>> >> > 2014 Feb 14 12:26:51
>> >> >
>> >> > Received From: localhost->/var/log/messages
>> >> > Rule: 2933 fired (level 7) -> "Yum package updated."
>> >> > Portion of the log(s):
>> >> >
>> >> > Feb 14 12:26:50 localhost yum[19925]: Updated: mysql-server-5.1.73-3.el6_5.x86_64
>> >> >
>> >> > --END OF NOTIFICATION
>> >> >
>> >> >
>> >> > Regards,
>> >> > Frwa.
>> >> >
>> >> > On Friday, February 14, 2014 12:20:36 PM UTC+8, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Feb 13, 2014 11:19 PM, "frwa onto" <[email protected]> wrote:
>> >> >> >
>> >> >> > Hi All,
>> >> >> > I received this. How do I debug this?
>> >> >> >
>> >> >> > OSSEC HIDS Notification.
>> >> >> > 2014 Feb 12 03:50:01
>> >> >> >
>> >> >> > Received From: localhost->ossec-keepalive
>> >> >> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>> >> >> > Portion of the log(s):
>> >> >> >
>> >> >> > --MARK--:
>> >> >> >
>> >> >> > ZO.YkF9zgXH6)n0F!tM.n,(F/?U0m4[@0=(!wdd*1'?,Uh^#B9r,odBmc+v3bpI1U8Gz#=Y+yfzAnXg,Ax;,^7jzeE,fb)odVc&^[Im6,MbjdVT*B'%k0==49_9spF9sIUQ&K2QGi?.ZVQLE
>> >> >> >
>> >> >>
>> >> >> It's a false positive, and a thorn in our side. Ignore it. Do a search
>> >> >> if you need more info.
>> >> >>
>> >> >> > --
>> >> >> >
>> >> >> > ---
>> >> >> > You received this message because you are subscribed to the Google
>> >> >> > Groups "ossec-list" group.
>> >> >> > To unsubscribe from this group and stop receiving emails from it,
>> >> >> > send an email to [email protected].
>> >> >> > For more options, visit https://groups.google.com/groups/opt_out.
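An added check, not from the thread or from OSSEC's own tooling, that answers the "how do I decide if realtime is on" question by parsing the syscheck section of a config file: every <directories> entry is reported as realtime or periodic, and paths without realtime="yes" only alert when the next scheduled scan (the <frequency>, 79200 seconds in the stock ossec.conf) reaches them, which is the "next morning" pattern in the thread. The two config fragments are constructed samples, and wrapping the file in a synthetic root to tolerate several <ossec_config> blocks is this example's own workaround.

```python
import xml.etree.ElementTree as ET

DEFAULT_FREQUENCY = 79200  # OSSEC's stock ossec.conf: one full scan every 22 hours


def syscheck_realtime_report(conf_text):
    """Return (frequency_seconds, {path: realtime_bool}) for every
    <directories> entry under <syscheck>.  OSSEC allows several
    <ossec_config> roots per file, so the text is wrapped in a synthetic
    root before parsing (this example's own trick, not OSSEC's loader).
    Comma-separated paths are split so each directory gets its own verdict."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    frequency, dirs = DEFAULT_FREQUENCY, {}
    for syscheck in root.iter("syscheck"):
        freq = syscheck.find("frequency")
        if freq is not None and freq.text and freq.text.strip().isdigit():
            frequency = int(freq.text.strip())
        for d in syscheck.findall("directories"):
            realtime = d.get("realtime", "no").strip().lower() == "yes"
            for path in (d.text or "").split(","):
                if path.strip():
                    dirs[path.strip()] = realtime
    return frequency, dirs


def explain(conf_text):
    """One line per path: realtime paths alert as the file changes, periodic
    paths only when the next scheduled scan reaches them ('next morning')."""
    frequency, dirs = syscheck_realtime_report(conf_text)
    return ["%s: %s" % (p, "realtime" if rt else "periodic, up to %ds late" % frequency)
            for p, rt in sorted(dirs.items())]


# Constructed sample configs (not the poster's files): the first watches the
# MySQL binaries in realtime, the second relies on the periodic scan only.
REALTIME_CONF = """<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes" realtime="yes">/usr/libexec,/usr/sbin</directories>
    <directories check_all="yes">/etc</directories>
  </syscheck>
</ossec_config>"""

PERIODIC_CONF = """<ossec_config>
  <syscheck>
    <directories check_all="yes">/etc,/usr/libexec</directories>
  </syscheck>
</ossec_config>"""

if __name__ == "__main__":
    for name, conf in (("realtime", REALTIME_CONF), ("periodic", PERIODIC_CONF)):
        print(name + "\n  " + "\n  ".join(explain(conf)))
```

Run it against both ossec.conf files (and agent.conf, if used) to see per-path which directories would have alerted at change time and which had to wait for the scan.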
