On Tue, Feb 25, 2014 at 4:14 PM, marco cohen <[email protected]> wrote: > hi dan ! > first of all thenks for your help . i saw you posting answers for questions > of mine few times now so thanks !! > > so you think that its beacuse the option auto_ingnore is on? how i turn it > on in the ossec.conf of the agent? or should it be dont in the ossec.conf of > the server? >
I think that's a possible issue. The setting goes in the OSSEC server's ossec.conf. > thanks a lot, > > juan > > > On Tuesday, 25 February 2014 14:48:30 UTC-3, marco cohen wrote: >> >> hi, >> >> I have one agent on centos and the server on another machine. >> >> something when I change something in the /etc/passwd file. an alert (mail) >> isnt sant. I just add a user to the sistem (where the agent is installed ) >> and i dont get any mail regarding the ingerity change of the files. today I >> didnt get but yesterday i did so i dont unserstand whats going on. few days >> ago i had some configuration issue in which the agent couldnt connect to the >> server but this was resolved. i attached the ossec.conf of the server and >> agent so you can please give me a hand to solve this issue: >> >> ossec.conf agent: >> >> <ossec_config> >> <client> >> <server-ip>10.10.8.128</server-ip> >> <port>1514</port> >> </client> >> >> <alerts> >> <log_alert_level>7</log_alert_level> >> <email_alert_level>8</email_alert_level> >> </alerts> >> >> >> >> >> >> >> >> >> <syscheck> >> <!-- Frequency that syscheck is executed - default to every 22 hours >> --> >> <frequency>300</frequency> >> >> <!-- Directories to check (perform all possible verifications) --> >> <directories realtime="yes" check_all="yes">/etc</directories> >> <!-- Files/directories to ignore --> >> <ignore>/etc/mtab</ignore> >> <ignore>/etc/mnttab</ignore> >> <ignore>/etc/hosts.deny</ignore> >> <ignore>/etc/mail/statistics</ignore> >> <ignore>/etc/random-seed</ignore> >> <ignore>/etc/adjtime</ignore> >> <ignore>/etc/httpd/logs</ignore> >> <ignore>/etc/utmpx</ignore> >> <ignore>/etc/wtmpx</ignore> >> <ignore>/etc/cups/certs</ignore> >> <ignore>/etc/dumpdates</ignore> >> <ignore>/etc/svc/volatile</ignore> >> >> <!-- Windows files to ignore --> >> <ignore>C:\WINDOWS/System32/LogFiles</ignore> >> <ignore>C:\WINDOWS/Debug</ignore> >> <ignore>C:\WINDOWS/WindowsUpdate.log</ignore> >> <ignore>C:\WINDOWS/iis6.log</ignore> >> <ignore>C:\WINDOWS/system32/wbem/Logs</ignore> >> <ignore>C:\WINDOWS/system32/wbem/Repository</ignore> >> <ignore>C:\WINDOWS/Prefetch</ignore> >> <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore> >> <ignore>C:\WINDOWS/SoftwareDistribution</ignore> >> <ignore>C:\WINDOWS/Temp</ignore> >> <ignore>C:\WINDOWS/system32/config</ignore> >> <ignore>C:\WINDOWS/system32/spool</ignore> >> <ignore>C:\WINDOWS/system32/CatRoot</ignore> >> </syscheck> >> >> >> <active-response> >> <disabled>yes</disabled> >> </active-response> >> >> <!-- Files to monitor (localfiles) --> >> >> >> >> >> >> <localfile> >> <log_format>full_command</log_format> >> <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command> >> </localfile> >> >> </ossec_config> >> >> >> ossec.conf on the server: >> >> <ossec_config> >> <global> >> <email_notification>yes</email_notification> >> <email_to>[email protected]</email_to> >> <smtp_server>10.10.8.107</smtp_server> >> <email_from>ossecm@UIONAGIOS</email_from> >> </global> >> >> <rules> >> <include>rules_config.xml</include> >> <include>pam_rules.xml</include> >> <include>sshd_rules.xml</include> >> <include>telnetd_rules.xml</include> >> <include>syslog_rules.xml</include> >> <include>arpwatch_rules.xml</include> >> <include>symantec-av_rules.xml</include> >> <include>symantec-ws_rules.xml</include> >> <include>pix_rules.xml</include> >> <include>named_rules.xml</include> >> <include>smbd_rules.xml</include> >> <include>vsftpd_rules.xml</include> >> <include>pure-ftpd_rules.xml</include> >> <include>proftpd_rules.xml</include> >> <include>ms_ftpd_rules.xml</include> >> <include>ftpd_rules.xml</include> >> <include>hordeimp_rules.xml</include> >> <include>roundcube_rules.xml</include> >> <include>wordpress_rules.xml</include> >> <include>cimserver_rules.xml</include> >> <include>vpopmail_rules.xml</include> >> <include>vmpop3d_rules.xml</include> >> <include>courier_rules.xml</include> >> <include>web_rules.xml</include> >> <include>web_appsec_rules.xml</include> >> <include>apache_rules.xml</include> >> <include>nginx_rules.xml</include> >> <include>php_rules.xml</include> >> <include>mysql_rules.xml</include> >> <include>postgresql_rules.xml</include> >> <include>ids_rules.xml</include> >> <include>squid_rules.xml</include> >> <include>firewall_rules.xml</include> >> <include>cisco-ios_rules.xml</include> >> <include>netscreenfw_rules.xml</include> >> <include>sonicwall_rules.xml</include> >> <include>postfix_rules.xml</include> >> <include>sendmail_rules.xml</include> >> <include>imapd_rules.xml</include> >> <include>mailscanner_rules.xml</include> >> <include>dovecot_rules.xml</include> >> <include>ms-exchange_rules.xml</include> >> <include>racoon_rules.xml</include> >> <include>vpn_concentrator_rules.xml</include> >> <include>spamd_rules.xml</include> >> <include>msauth_rules.xml</include> >> <include>mcafee_av_rules.xml</include> >> <include>trend-osce_rules.xml</include> >> <include>ms-se_rules.xml</include> >> <!-- <include>policy_rules.xml</include> --> >> <include>zeus_rules.xml</include> >> <include>solaris_bsm_rules.xml</include> >> <include>vmware_rules.xml</include> >> <include>ms_dhcp_rules.xml</include> >> <include>asterisk_rules.xml</include> >> <include>ossec_rules.xml</include> >> <include>attack_rules.xml</include> >> <include>openbsd_rules.xml</include> >> <include>clam_av_rules.xml</include> >> <include>bro-ids_rules.xml</include> >> <include>dropbear_rules.xml</include> >> <include>local_rules.xml</include> >> </rules> >> >> <syscheck> >> <!-- Frequency that syscheck is executed - default to every 22 hours >> --> >> <frequency>300</frequency> >> >> <!-- Directories to check (perform all possible verifications) --> >> <directories check_all="yes">/etc</directories> >> >> >> <!-- Files/directories to ignore --> >> <ignore>/etc/mtab</ignore> >> <ignore>/etc/mnttab</ignore> >> <ignore>/etc/hosts.deny</ignore> >> <ignore>/etc/mail/statistics</ignore> >> <ignore>/etc/random-seed</ignore> >> <ignore>/etc/adjtime</ignore> >> <ignore>/etc/httpd/logs</ignore> >> <ignore>/etc/utmpx</ignore> >> <ignore>/etc/wtmpx</ignore> >> <ignore>/etc/cups/certs</ignore> >> <ignore>/etc/dumpdates</ignore> >> <ignore>/etc/svc/volatile</ignore> >> >> <!-- Windows files to ignore --> >> <ignore>C:\WINDOWS/System32/LogFiles</ignore> >> <ignore>C:\WINDOWS/Debug</ignore> >> <ignore>C:\WINDOWS/WindowsUpdate.log</ignore> >> <ignore>C:\WINDOWS/iis6.log</ignore> >> <ignore>C:\WINDOWS/system32/wbem/Logs</ignore> >> <ignore>C:\WINDOWS/system32/wbem/Repository</ignore> >> <ignore>C:\WINDOWS/Prefetch</ignore> >> <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore> >> <ignore>C:\WINDOWS/SoftwareDistribution</ignore> >> <ignore>C:\WINDOWS/Temp</ignore> >> <ignore>C:\WINDOWS/system32/config</ignore> >> <ignore>C:\WINDOWS/system32/spool</ignore> >> <ignore>C:\WINDOWS/system32/CatRoot</ignore> >> </syscheck> >> >> <rootcheck> >> <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files> >> >> <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans> >> >> <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit> >> >> <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit> >> >> <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit> >> >> <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit> >> </rootcheck> >> >> <global> >> <white_list>127.0.0.1</white_list> >> <white_list>^localhost.localdomain$</white_list> >> <white_list>10.10.8.70</white_list> >> <white_list>10.10.8.128</white_list> >> </global> >> >> <client> >> >> <server-ip>10.10.8.128</server-ip> >> >> </client> >> >> >> <remote> >> >> <connection>secure</connection> >> >> <allowed-ips>10.10.8.124</allowed-ips> >> >> >> >> >> >> <protocol>udp</protocol> >> >> <port>1514</port> >> >> </remote> >> >> <remote> >> <connection>syslog</connection> >> </remote> >> >> <remote> >> <connection>secure</connection> >> </remote> >> >> <alerts> >> <log_alert_level>7</log_alert_level> >> <email_alert_level>7</email_alert_level> >> </alerts> >> >> <command> >> <name>host-deny</name> >> <executable>host-deny.sh</executable> >> <expect>srcip</expect> >> <timeout_allowed>yes</timeout_allowed> >> </command> >> >> <command> >> <name>firewall-drop</name> >> <executable>firewall-drop.sh</executable> >> <expect>srcip</expect> >> <timeout_allowed>yes</timeout_allowed> >> </command> >> >> <command> >> <name>disable-account</name> >> <executable>disable-account.sh</executable> >> <expect>user</expect> >> <timeout_allowed>yes</timeout_allowed> >> </command> >> >> <command> >> <name>restart-ossec</name> >> <executable>restart-ossec.sh</executable> >> <expect></expect> >> </command> >> >> >> <command> >> <name>route-null</name> >> <executable>route-null.sh</executable> >> <expect>srcip</expect> >> <timeout_allowed>yes</timeout_allowed> >> </command> >> >> <!-- Files to monitor (localfiles) --> >> >> <localfile> >> <log_format>syslog</log_format> >> <location>/var/log/messages</location> >> </localfile> >> >> <localfile> >> <log_format>syslog</log_format> >> <location>/var/log/secure</location> >> </localfile> >> >> <localfile> >> <log_format>syslog</log_format> >> <location>/var/log/maillog</location> >> </localfile> >> >> <localfile> >> <log_format>apache</log_format> >> <location>/var/log/httpd/error_log</location> >> </localfile> >> >> <localfile> >> <log_format>apache</log_format> >> <location>/var/log/httpd/access_log</location> >> </localfile> >> >> <localfile> >> <log_format>command</log_format> >> <command>df -h</command> >> </localfile> >> >> <localfile> >> <log_format>full_command</log_format> >> <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command> >> </localfile> >> >> <localfile> >> <log_format>full_command</log_format> >> <command>last -n 5</command> >> </localfile> >> >> >> when I restart ossec service on the agent I see in the event log the >> following: >> >> >> 2014/02/25 12:41:01 ossec-logcollector(1225): INFO: SIGNAL Received. Exit >> Cleaning... >> 2014/02/25 12:41:01 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit >> Cleaning... >> 2014/02/25 12:41:01 ossec-agentd(1225): INFO: SIGNAL Received. Exit >> Cleaning... >> 2014/02/25 12:41:01 ossec-execd(1350): INFO: Active response disabled. >> Exiting. >> 2014/02/25 12:41:01 ossec-agentd(1410): INFO: Reading authentication keys >> file. >> 2014/02/25 12:41:01 ossec-rootcheck: System audit file not configured. >> 2014/02/25 12:41:01 ossec-agentd: INFO: Assigning counter for agent >> test01: '0:357'. >> 2014/02/25 12:41:01 ossec-agentd: INFO: Assigning sender counter: 1:3333 >> 2014/02/25 12:41:01 ossec-agentd: INFO: Started (pid: 3791). >> 2014/02/25 12:41:01 ossec-agentd: INFO: Server IP Address: 10.10.8.128 >> 2014/02/25 12:41:01 ossec-agentd: INFO: Trying to connect to server >> (10.10.8.128:1514). >> 2014/02/25 12:41:01 ossec-agentd: INFO: Using IPv4 for: 10.10.8.128 . >> 2014/02/25 12:41:05 ossec-syscheckd: INFO: Started (pid: 3798). >> 2014/02/25 12:41:05 ossec-rootcheck: INFO: Started (pid: 3798). >> 2014/02/25 12:41:05 ossec-syscheckd: INFO: Monitoring directory: '/etc'. >> 2014/02/25 12:41:05 ossec-syscheckd: INFO: Directory set for real time >> monitoring: '/etc'. >> 2014/02/25 12:41:07 ossec-logcollector: INFO: Monitoring full output of >> command(360): netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort >> 2014/02/25 12:41:07 ossec-logcollector: INFO: Started (pid: 3795). >> 2014/02/25 12:41:07 ossec-agentd(1210): ERROR: Queue '/queue/alerts/execq' >> not accessible: 'Queue not found'. >> 2014/02/25 12:41:22 ossec-agentd: INFO: Unable to connect to the active >> response queue (disabled). >> 2014/02/25 12:41:23 ossec-agentd(4102): INFO: Connected to the server >> (10.10.8.128:1514). >> 2014/02/25 12:42:07 ossec-syscheckd: INFO: Starting syscheck scan >> (forwarding database). >> 2014/02/25 12:42:07 ossec-syscheckd: INFO: Starting syscheck database >> (pre-scan). >> 2014/02/25 12:42:07 ossec-syscheckd: INFO: Initializing real time file >> monitoring (not started). >> 2014/02/25 12:43:50 ossec-syscheckd: INFO: Real time file monitoring >> started. >> 2014/02/25 12:43:50 ossec-syscheckd: INFO: Finished creating syscheck >> database (pre-scan completed). >> 2014/02/25 12:44:02 ossec-syscheckd: INFO: Ending syscheck scan >> (forwarding database). >> 2014/02/25 12:44:22 ossec-rootcheck: INFO: Starting rootcheck scan. >> 2014/02/25 12:44:22 ossec-rootcheck: No rootcheck_files file configured. >> 2014/02/25 12:44:22 ossec-rootcheck: No rootcheck_trojans file configured. >> 2014/02/25 12:47:27 ossec-rootcheck: INFO: Ending rootcheck scan. >> >> >> thanks a lot for your help !! >> >> marco > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
