On Tue, Feb 25, 2014 at 12:48 PM, marco cohen <[email protected]> wrote: > hi, > > I have one agent on centos and the server on another machine. > > something when I change something in the /etc/passwd file. an alert (mail) > isnt sant. I just add a user to the sistem (where the agent is installed ) > and i dont get any mail regarding the ingerity change of the files. today I > didnt get but yesterday i did so i dont unserstand whats going on. few days > ago i had some configuration issue in which the agent couldnt connect to the > server but this was resolved. i attached the ossec.conf of the server and > agent so you can please give me a hand to solve this issue: > > ossec.conf agent: > > <ossec_config> > <client> > <server-ip>10.10.8.128</server-ip> > <port>1514</port> > </client> > > <alerts> > <log_alert_level>7</log_alert_level> > <email_alert_level>8</email_alert_level> > </alerts> >
If the <alerts> section is really in your agent's ossec.conf, you have some issues. It does not belong there. > > > > > > > > <syscheck> > <!-- Frequency that syscheck is executed - default to every 22 hours --> > <frequency>300</frequency> > It might be silly, but that seems very short. If you really need it that quickly, consider realtime. > <!-- Directories to check (perform all possible verifications) --> > <directories realtime="yes" check_all="yes">/etc</directories> > <!-- Files/directories to ignore --> > <ignore>/etc/mtab</ignore> > <ignore>/etc/mnttab</ignore> > <ignore>/etc/hosts.deny</ignore> > <ignore>/etc/mail/statistics</ignore> > <ignore>/etc/random-seed</ignore> > <ignore>/etc/adjtime</ignore> > <ignore>/etc/httpd/logs</ignore> > <ignore>/etc/utmpx</ignore> > <ignore>/etc/wtmpx</ignore> > <ignore>/etc/cups/certs</ignore> > <ignore>/etc/dumpdates</ignore> > <ignore>/etc/svc/volatile</ignore> > > <!-- Windows files to ignore --> > <ignore>C:\WINDOWS/System32/LogFiles</ignore> > <ignore>C:\WINDOWS/Debug</ignore> > <ignore>C:\WINDOWS/WindowsUpdate.log</ignore> > <ignore>C:\WINDOWS/iis6.log</ignore> > <ignore>C:\WINDOWS/system32/wbem/Logs</ignore> > <ignore>C:\WINDOWS/system32/wbem/Repository</ignore> > <ignore>C:\WINDOWS/Prefetch</ignore> > <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore> > <ignore>C:\WINDOWS/SoftwareDistribution</ignore> > <ignore>C:\WINDOWS/Temp</ignore> > <ignore>C:\WINDOWS/system32/config</ignore> > <ignore>C:\WINDOWS/system32/spool</ignore> > <ignore>C:\WINDOWS/system32/CatRoot</ignore> > </syscheck> > > > <active-response> > <disabled>yes</disabled> > </active-response> > > <!-- Files to monitor (localfiles) --> > > > > > > <localfile> > <log_format>full_command</log_format> > <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command> > </localfile> > > </ossec_config> > > > ossec.conf on the server: > I don't see anything about the auto ignore option, so I am guessing you did not turn it off. In that case, you will only be alerted 3 times of changes to the agent's passwd file. After that it will be ignored as a "frequently changing file." > <ossec_config> > <global> > <email_notification>yes</email_notification> > <email_to>[email protected]</email_to> > <smtp_server>10.10.8.107</smtp_server> > <email_from>ossecm@UIONAGIOS</email_from> > </global> > > <rules> > <include>rules_config.xml</include> > <include>pam_rules.xml</include> > <include>sshd_rules.xml</include> > <include>telnetd_rules.xml</include> > <include>syslog_rules.xml</include> > <include>arpwatch_rules.xml</include> > <include>symantec-av_rules.xml</include> > <include>symantec-ws_rules.xml</include> > <include>pix_rules.xml</include> > <include>named_rules.xml</include> > <include>smbd_rules.xml</include> > <include>vsftpd_rules.xml</include> > <include>pure-ftpd_rules.xml</include> > <include>proftpd_rules.xml</include> > <include>ms_ftpd_rules.xml</include> > <include>ftpd_rules.xml</include> > <include>hordeimp_rules.xml</include> > <include>roundcube_rules.xml</include> > <include>wordpress_rules.xml</include> > <include>cimserver_rules.xml</include> > <include>vpopmail_rules.xml</include> > <include>vmpop3d_rules.xml</include> > <include>courier_rules.xml</include> > <include>web_rules.xml</include> > <include>web_appsec_rules.xml</include> > <include>apache_rules.xml</include> > <include>nginx_rules.xml</include> > <include>php_rules.xml</include> > <include>mysql_rules.xml</include> > <include>postgresql_rules.xml</include> > <include>ids_rules.xml</include> > <include>squid_rules.xml</include> > <include>firewall_rules.xml</include> > <include>cisco-ios_rules.xml</include> > <include>netscreenfw_rules.xml</include> > <include>sonicwall_rules.xml</include> > <include>postfix_rules.xml</include> > <include>sendmail_rules.xml</include> > <include>imapd_rules.xml</include> > <include>mailscanner_rules.xml</include> > <include>dovecot_rules.xml</include> > <include>ms-exchange_rules.xml</include> > <include>racoon_rules.xml</include> > <include>vpn_concentrator_rules.xml</include> > <include>spamd_rules.xml</include> > <include>msauth_rules.xml</include> > <include>mcafee_av_rules.xml</include> > <include>trend-osce_rules.xml</include> > <include>ms-se_rules.xml</include> > <!-- <include>policy_rules.xml</include> --> > <include>zeus_rules.xml</include> > <include>solaris_bsm_rules.xml</include> > <include>vmware_rules.xml</include> > <include>ms_dhcp_rules.xml</include> > <include>asterisk_rules.xml</include> > <include>ossec_rules.xml</include> > <include>attack_rules.xml</include> > <include>openbsd_rules.xml</include> > <include>clam_av_rules.xml</include> > <include>bro-ids_rules.xml</include> > <include>dropbear_rules.xml</include> > <include>local_rules.xml</include> > </rules> > > <syscheck> > <!-- Frequency that syscheck is executed - default to every 22 hours --> > <frequency>300</frequency> > > <!-- Directories to check (perform all possible verifications) --> > <directories check_all="yes">/etc</directories> > > > <!-- Files/directories to ignore --> > <ignore>/etc/mtab</ignore> > <ignore>/etc/mnttab</ignore> > <ignore>/etc/hosts.deny</ignore> > <ignore>/etc/mail/statistics</ignore> > <ignore>/etc/random-seed</ignore> > <ignore>/etc/adjtime</ignore> > <ignore>/etc/httpd/logs</ignore> > <ignore>/etc/utmpx</ignore> > <ignore>/etc/wtmpx</ignore> > <ignore>/etc/cups/certs</ignore> > <ignore>/etc/dumpdates</ignore> > <ignore>/etc/svc/volatile</ignore> > > <!-- Windows files to ignore --> > <ignore>C:\WINDOWS/System32/LogFiles</ignore> > <ignore>C:\WINDOWS/Debug</ignore> > <ignore>C:\WINDOWS/WindowsUpdate.log</ignore> > <ignore>C:\WINDOWS/iis6.log</ignore> > <ignore>C:\WINDOWS/system32/wbem/Logs</ignore> > <ignore>C:\WINDOWS/system32/wbem/Repository</ignore> > <ignore>C:\WINDOWS/Prefetch</ignore> > <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore> > <ignore>C:\WINDOWS/SoftwareDistribution</ignore> > <ignore>C:\WINDOWS/Temp</ignore> > <ignore>C:\WINDOWS/system32/config</ignore> > <ignore>C:\WINDOWS/system32/spool</ignore> > <ignore>C:\WINDOWS/system32/CatRoot</ignore> > </syscheck> > > <rootcheck> > <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files> > > <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans> > <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit> > > <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit> > > <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit> > > <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit> > </rootcheck> > > <global> > <white_list>127.0.0.1</white_list> > <white_list>^localhost.localdomain$</white_list> > <white_list>10.10.8.70</white_list> > <white_list>10.10.8.128</white_list> > </global> > > <client> > > <server-ip>10.10.8.128</server-ip> > > </client> > > > <remote> > > <connection>secure</connection> > > <allowed-ips>10.10.8.124</allowed-ips> > > > > > > <protocol>udp</protocol> > > <port>1514</port> > > </remote> > > <remote> > <connection>syslog</connection> > </remote> > > <remote> > <connection>secure</connection> > </remote> > > <alerts> > <log_alert_level>7</log_alert_level> > <email_alert_level>7</email_alert_level> > </alerts> > > <command> > <name>host-deny</name> > <executable>host-deny.sh</executable> > <expect>srcip</expect> > <timeout_allowed>yes</timeout_allowed> > </command> > > <command> > <name>firewall-drop</name> > <executable>firewall-drop.sh</executable> > <expect>srcip</expect> > <timeout_allowed>yes</timeout_allowed> > </command> > > <command> > <name>disable-account</name> > <executable>disable-account.sh</executable> > <expect>user</expect> > <timeout_allowed>yes</timeout_allowed> > </command> > > <command> > <name>restart-ossec</name> > <executable>restart-ossec.sh</executable> > <expect></expect> > </command> > > > <command> > <name>route-null</name> > <executable>route-null.sh</executable> > <expect>srcip</expect> > <timeout_allowed>yes</timeout_allowed> > </command> > > <!-- Files to monitor (localfiles) --> > > <localfile> > <log_format>syslog</log_format> > <location>/var/log/messages</location> > </localfile> > > <localfile> > <log_format>syslog</log_format> > <location>/var/log/secure</location> > </localfile> > > <localfile> > <log_format>syslog</log_format> > <location>/var/log/maillog</location> > </localfile> > > <localfile> > <log_format>apache</log_format> > <location>/var/log/httpd/error_log</location> > </localfile> > > <localfile> > <log_format>apache</log_format> > <location>/var/log/httpd/access_log</location> > </localfile> > > <localfile> > <log_format>command</log_format> > <command>df -h</command> > </localfile> > > <localfile> > <log_format>full_command</log_format> > <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command> > </localfile> > > <localfile> > <log_format>full_command</log_format> > <command>last -n 5</command> > </localfile> > > > when I restart ossec service on the agent I see in the event log the > following: > > > 2014/02/25 12:41:01 ossec-logcollector(1225): INFO: SIGNAL Received. Exit > Cleaning... > 2014/02/25 12:41:01 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit > Cleaning... > 2014/02/25 12:41:01 ossec-agentd(1225): INFO: SIGNAL Received. Exit > Cleaning... > 2014/02/25 12:41:01 ossec-execd(1350): INFO: Active response disabled. > Exiting. > 2014/02/25 12:41:01 ossec-agentd(1410): INFO: Reading authentication keys > file. > 2014/02/25 12:41:01 ossec-rootcheck: System audit file not configured. > 2014/02/25 12:41:01 ossec-agentd: INFO: Assigning counter for agent test01: > '0:357'. > 2014/02/25 12:41:01 ossec-agentd: INFO: Assigning sender counter: 1:3333 > 2014/02/25 12:41:01 ossec-agentd: INFO: Started (pid: 3791). > 2014/02/25 12:41:01 ossec-agentd: INFO: Server IP Address: 10.10.8.128 > 2014/02/25 12:41:01 ossec-agentd: INFO: Trying to connect to server > (10.10.8.128:1514). > 2014/02/25 12:41:01 ossec-agentd: INFO: Using IPv4 for: 10.10.8.128 . > 2014/02/25 12:41:05 ossec-syscheckd: INFO: Started (pid: 3798). > 2014/02/25 12:41:05 ossec-rootcheck: INFO: Started (pid: 3798). > 2014/02/25 12:41:05 ossec-syscheckd: INFO: Monitoring directory: '/etc'. > 2014/02/25 12:41:05 ossec-syscheckd: INFO: Directory set for real time > monitoring: '/etc'. > 2014/02/25 12:41:07 ossec-logcollector: INFO: Monitoring full output of > command(360): netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort > 2014/02/25 12:41:07 ossec-logcollector: INFO: Started (pid: 3795). > 2014/02/25 12:41:07 ossec-agentd(1210): ERROR: Queue '/queue/alerts/execq' > not accessible: 'Queue not found'. > 2014/02/25 12:41:22 ossec-agentd: INFO: Unable to connect to the active > response queue (disabled). > 2014/02/25 12:41:23 ossec-agentd(4102): INFO: Connected to the server > (10.10.8.128:1514). > 2014/02/25 12:42:07 ossec-syscheckd: INFO: Starting syscheck scan > (forwarding database). > 2014/02/25 12:42:07 ossec-syscheckd: INFO: Starting syscheck database > (pre-scan). > 2014/02/25 12:42:07 ossec-syscheckd: INFO: Initializing real time file > monitoring (not started). > 2014/02/25 12:43:50 ossec-syscheckd: INFO: Real time file monitoring > started. > 2014/02/25 12:43:50 ossec-syscheckd: INFO: Finished creating syscheck > database (pre-scan completed). > 2014/02/25 12:44:02 ossec-syscheckd: INFO: Ending syscheck scan (forwarding > database). > 2014/02/25 12:44:22 ossec-rootcheck: INFO: Starting rootcheck scan. > 2014/02/25 12:44:22 ossec-rootcheck: No rootcheck_files file configured. > 2014/02/25 12:44:22 ossec-rootcheck: No rootcheck_trojans file configured. > 2014/02/25 12:47:27 ossec-rootcheck: INFO: Ending rootcheck scan. > > > thanks a lot for your help !! > > marco > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
