While looking around for more clues, noticed that the iptables rule to allow outgoing UDP 1514 was not set on this box. Added that rule and ran the syscheck again.
This time, received the alert on the new file added as well as its integrity alert. Is this rule needed only for OSSEC agent to send certain data to Server? Because, if this rule was the issue, there shouldn't have been any communication between agent - server in the first place? correct?

On Friday, June 6, 2014 2:49:32 PM UTC-4, Abhi wrote:
>
> Hi Dan,
>
> After enabling "logall" option on the manager, checked the latest modified files for today in syscheck database and there's no listing of the files I added.
> Also checked the archives and searched for that file name.. no entry..
>
> syscheck time is set to 4 hours and I checked for files only after it has completed syscheck and forwarded the database to manager.
>
> On Friday, June 6, 2014 11:52:48 AM UTC-4, dan (ddpbsd) wrote:
>>
>> On Fri, Jun 6, 2014 at 11:49 AM, Abhi <[email protected]> wrote:
>> > Thanks Dan for responding.
>> >
>> > Yes, they all are reporting to the same manager.
>> >
>> > I tested by adding new files. At the same time, I reduced the syscheck time down to couple of minutes but no new alerts for that file. Although, when I deleted the file and ran syscheck again, ossec log did mention that file cannot be located. ossec-syscheckd: Error accessing 'File Name'.
>> >
>>
>> I feel like reducing the syscheck frequency too low causes issues.
>> Also, make sure the scan finishes.
>> You can also turn on the log all option. I think syscheck events are recorded in the archives.log. You can also manually check the syscheck database (/var/ossec/queue/syscheck/something) for that agent to see if the file is picked up. Check it before and after.
>>
>> >
>> > Syscheck did perform a scan as I had restarted OSSEC agent after adding the file. I will try issuing a syscheck on agent from manager to see if that picks up new files.
>> >
>> > Also verified, inotify package is installed.
>> >
>> > Thank you,
>> >
>> > Abhi
>> >
>> > On Friday, June 6, 2014 10:47:37 AM UTC-4, dan (ddpbsd) wrote:
>> >>
>> >> On Fri, Jun 6, 2014 at 10:28 AM, Abhi <[email protected]> wrote:
>> >> > Hi,
>> >> >
>> >> > I am having some trouble in making the OSSEC's new file alerting to work on a particular Linux machine. We have several other systems where it's working perfectly fine. The local configuration used on all these is identical.
>> >> >
>> >>
>> >> Are all of these systems (working and not working) reporting to the same manager?
>> >>
>> >> > Is there any way I can test this manually on the machine?
>> >>
>> >> Add new files?
>> >>
>> >> > The <alert_new_files> tag has been enabled only on the OSSEC server's conf file. Does it need to be added on all the local agents as well?
>> >> > The agents which are correctly reporting newly added files do not have this tag.
>> >> >
>> >>
>> >> No, it should be manager only.
>> >>
>> >> Are you sure syscheck has performed a scan since the new file was added? I'm not sure, but I don't think the new file alert works with realtime alerts, only with actual scans.
>> >>
>> >> > Please advise.
>> >> >
>> >> > Thanks,
>> >> >
>> >> > Abhi
--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
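The thread ends on two concrete checks: whether the host firewall lets the agent send to the manager on UDP 1514, and whether the agent's local syscheck database (under /var/ossec/queue/syscheck/) has actually picked up the new file. The POSIX sh script below is an added example, not code from OSSEC or from anyone in the thread; it turns those two checks into functions and runs them over constructed sample input so it works offline. The function names, the `iptables -S OUTPUT` listing and the syscheck database lines (and their assumed "attributes, then a space, then the path" layout) are all assumptions made for the example.

```shell
#!/bin/sh
# Added example for the ossec-list thread above (not OSSEC's own code).
# Two checks: outbound UDP 1514 allowed by the host firewall, and the
# new file present in the agent's syscheck database. All input below is
# constructed sample data; on a real agent feed in `iptables -S OUTPUT`
# and the agent's file under /var/ossec/queue/syscheck/.

# has_udp1514_rule LISTING
# Exit 0 when LISTING (iptables -S format, one rule per line) holds an
# ACCEPT rule in OUTPUT for UDP with destination port 1514.
has_udp1514_rule() {
    printf '%s\n' "$1" |
        grep -q -e '^-A OUTPUT .*-p udp .*--dport 1514 .*-j ACCEPT'
}

# syscheck_has_file DB PATH
# Exit 0 when some line of DB has PATH as its last whitespace-separated
# field. The line layout is an assumption about the syscheck database;
# the path is compared exactly (not as a regex), so a prefix does not match.
syscheck_has_file() {
    printf '%s\n' "$1" |
        awk -v p="$2" '$NF == p { found = 1 } END { exit !found }'
}

# diagnose LISTING DB PATH
# Print one finding per check; exit 0 only when both checks pass.
diagnose() {
    status=0
    if has_udp1514_rule "$1"; then
        echo "firewall: outbound UDP 1514 allowed"
    else
        echo "firewall: no outbound UDP 1514 rule, agent cannot reach manager"
        status=1
    fi
    if syscheck_has_file "$2" "$3"; then
        echo "syscheck: $3 is in the local database"
    else
        echo "syscheck: $3 not in the local database, scan has not picked it up"
        status=1
    fi
    return $status
}

# Constructed sample: OUTPUT chain before the rule from the thread was added.
RULES_BEFORE='-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT'

# Same chain with the outbound UDP 1514 rule appended.
RULES_AFTER="$RULES_BEFORE
-A OUTPUT -p udp -m udp --dport 1514 -j ACCEPT"

# Constructed syscheck database excerpt (layout is an assumption).
SYSCHECK_DB='+++1024:33188:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 /etc/hosts
+++2048:33188:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 /etc/test-new-file.conf'

# Stand-alone run: before (fails the firewall check) and after (passes).
diagnose "$RULES_BEFORE" "$SYSCHECK_DB" /etc/test-new-file.conf || true
diagnose "$RULES_AFTER" "$SYSCHECK_DB" /etc/test-new-file.conf
```

The firewall check matches the rule the thread describes, which on a real host is added with `iptables -A OUTPUT -p udp --dport 1514 -j ACCEPT`; note that `-A` appends, so if the chain ends in an explicit DROP rule rather than a DROP policy the new rule must be inserted above it with `-I`. The second check is only as good as the assumed database layout, so confirm the real file's format before relying on it.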
