On Mon, Sep 21, 2015 at 10:30 AM, James DeLeon <[email protected]> wrote:
> Hello,
>
> I have a single OSSEC Server and a single agent set up currently. I receive e-mail alerts when the agent is reset, and I see things like the following in alerts.log on the server:
>
> ** Alert 1442843895.5680: - pam,syslog,authentication_success,
> 2015 Sep 21 08:58:15 (ossec-agent) x.x.x.x->/var/log/messages
> Rule: 5501 (level 3) -> 'Login session opened.'
> Sep 21 08:58:14 ossec-agent sudo: pam_unix(sudo:session): session opened for user root by james
>
> However, when I edit a file (in the /etc/ directory), I do not receive anything in alerts.log or an e-mail stating as such. Here is the relevant portion from the ossec.conf on the agent:
>
> <!-- Directories to check (perform all possible verifications) -->
> <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>
>
> And from the server (I'm not sure if having this on both is necessary, or is what's causing the issue, but they both state this in the syscheck section):
>
> <!-- Directories to check (perform all possible verifications) -->
> <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>
>
> Everything else is default from installation.
>
> Any help would be greatly appreciated, as I plan to deploy this out to production as soon as I can get this working (as everything else is working wonderfully.)
>

Has it ever worked? Is syscheckd running on the agent? Is the file in the syscheck db on the manager (/var/ossec/queue/syscheck)? If so, are the checksums up to date? Is there an alert in the alerts.log?

> Thanks so much,
>
> James
>
> (Side note, I tried e-mailing [email protected] as recommended on the OSSEC website, but I got a failed delivery message. Apologies if this shows up multiple times.)

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
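A first thing to verify in a case like the one above is whether the edited file is actually covered by a `<directories>` entry (and not excluded by an `<ignore>`). The following is an added example, not code from the thread or from OSSEC itself: it parses the syscheck section of an ossec.conf and reports which entry, if any, monitors a given path; the sample config and its `<ignore>` lines are constructed for illustration, and plain `<ignore>` entries are treated here as path prefixes.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed sample (not the poster's full file) mirroring the agent-side
# snippet from the thread, plus ignore entries to show how they interact.
# ossec.conf may hold several top-level <ossec_config> blocks, so it is not
# one well-formed XML document; wrap it in a synthetic root before parsing.
SAMPLE_CONF = """
<ossec_config>
  <syscheck>
    <!-- Directories to check (perform all possible verifications) -->
    <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore type="sregex">.log$</ignore>
  </syscheck>
</ossec_config>
<ossec_config>
  <localfile><log_format>syslog</log_format><location>/var/log/messages</location></localfile>
</ossec_config>
"""

def parse_syscheck(conf_text):
    """Return (directories, ignores); directories is a list of (path, attrs)."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    dirs, ignores = [], []
    for sc in root.iter("syscheck"):
        for d in sc.findall("directories"):
            # A single element may list several comma-separated paths.
            for p in (d.text or "").split(","):
                if p.strip():
                    dirs.append((p.strip(), dict(d.attrib)))
        for ig in sc.findall("ignore"):
            ignores.append((ig.get("type", "plain"), (ig.text or "").strip()))
    return dirs, ignores

def is_ignored(path, ignores):
    """Plain <ignore> is treated as a path prefix (assumption); sregex is approximated
    with Python re, since OSSEC uses its own regex dialect and complex patterns may differ."""
    for kind, pattern in ignores:
        if kind == "sregex" and re.search(pattern, path):
            return True
        if kind == "plain" and path.startswith(pattern):
            return True
    return False

def monitoring_for(path, dirs, ignores):
    """Attributes of the deepest <directories> entry covering path, or None."""
    if is_ignored(path, ignores):
        return None
    target, best = PurePosixPath(path), None
    for base, attrs in dirs:
        base_p = PurePosixPath(base)
        if target == base_p or base_p in target.parents:
            if best is None or len(base_p.parts) > len(best[0].parts):
                best = (base_p, attrs)
    return best[1] if best else None
```

Running `monitoring_for("/etc/hosts", *parse_syscheck(open("/var/ossec/etc/ossec.conf").read()))` on the agent shows at a glance whether the path is monitored and whether `realtime` and `report_changes` are set for it.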
