Works great now. Thank you for the work on this. No worries about the time. It's developmental :) Plus, I have a little firmer grasp on OSSEC now.
On Thursday, January 28, 2016 at 4:58:11 PM UTC-8, Daniel Cid wrote:
>
> The issue was in my branch there. Mind getting the latest again? Should be working now:
>
> https://bitbucket.org/dcid/ossec-hids/get/tip.tar.gz
>
> Sorry for the waste of time :/
>
> thanks,
>
> On Thu, Jan 28, 2016 at 1:34 PM, Luke Hansey <[email protected]> wrote:
>
>> Thanks for the reply, Santiago.
>>
>> Here is what I am seeing. On agent:
>>
>> 2016/01/28 11:42:06 ossec-syscheckd: INFO: Monitoring directory: '/var/www/vhosts/'.
>> 2016/01/28 11:42:06 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/www/vhosts/'.
>> 2016/01/28 11:43:08 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>> 2016/01/28 11:43:08 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
>> 2016/01/28 11:48:59 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
>> 2016/01/28 11:49:00 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
>> 2016/01/28 11:49:12 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
>> 2016/01/28 11:49:32 ossec-syscheckd: INFO: Starting real time file monitoring.
>> 2016/01/28 11:49:32 ossec-rootcheck: INFO: Starting rootcheck scan.
>> 2016/01/28 11:55:02 ossec-rootcheck: INFO: Ending rootcheck scan.
>>
>> On my server I'm watching this agent's syscheck queue:
>>
>> Every 1.0s: cat '(blah.blah.com) 10.0.1.2->syscheck' | grep '.php$'
>>
>> +++3232368:33261:0:0:41591364ec9f9f74e6180f91ede53f24:f3f7f713f0b6fffcb582cce39ad2b433c2f12ef0 !1454017663 /usr/bin/php
>>
>> I've created a test.php file in /var/www/vhosts/test.com/httpdocs/test.php as well as edited an existing PHP file in the same directory.
>>
>> Nothing changes, so I run from server:
>>
>> /var/ossec/bin/agent_control -r -u 001
>>
>> OSSEC HIDS agent_control: Restarting Syscheck/Rootcheck on agent: 001
>>
>> Still the queue/syscheck file for this agent does not change. File size is the same as well. Before this process I also ran:
>>
>> /var/ossec/bin/syscheck_control -u 001
>>
>> and it emptied the file. But once syscheck ran again, it was exactly the same size as it was before (334K), which seems small.
>>
>> I'm running v2015-12 latest dev that Dan pushed a few days ago. I feel like I'm missing something obvious...
>>
>> On Wednesday, January 27, 2016 at 2:54:09 PM UTC-8, Santiago Bassett wrote:
>>>
>>> Are you sure your config is not working?
>>>
>>> I just tested this and it works for me:
>>>
>>> <directories check_all="yes" restrict=".txt1|.txt2">/root</directories>
>>>
>>> I created three test files:
>>>
>>> root@vpc-ossec-manager:~# ls test.txt*
>>> test.txt1 test.txt2 test.txt3
>>>
>>> And this is what I get in my syscheck file:
>>>
>>> root@vpc-ossec-manager:~# cat /var/ossec/queue/syscheck/syscheck | grep test.txt
>>> +++3:33188:0:0:764efa883dda1e11db47671c4a3bbd9e:55ca6286e3e4f4fba5d0448333fa99fc5a404a73 !1453933436 /root/test.txt1
>>> +++5:33188:0:0:d8e8fca2dc0f896fd7cb4cb0031ba249:4e1243bd22c66e76c2ba9eddc1f91394e57f9f83 !1453933436 /root/test.txt2
>>>
>>> There is nothing for test.txt3
>>>
>>> I am using 2.9 version (development branch)
>>>
>>> Best
>>>
>>> On Tue, Jan 26, 2016 at 4:34 PM, Luke Hansey <[email protected]> wrote:
>>>
>>>> If I use:
>>>>
>>>> <directories check_all="yes" restrict=".php|.js">/var/www/vhosts/</directories>
>>>>
>>>> syscheck logs no changes to any file.
>>>>
>>>> If I use:
>>>>
>>>> <directories check_all="yes">/var/www/vhosts/</directories>
>>>>
>>>> Works fine and logs changes to any file.
>>>>
>>>> Am I missing something when using the *restrict* option?
>>>>
>>>> --
>>>> ---
>>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.
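The restrict behaviour Santiago demonstrates in the thread (restrict=".txt1|.txt2" lets test.txt1 and test.txt2 into the syscheck database and leaves test.txt3 out), together with a parser for the queue/syscheck lines both posters paste, as an added Python example. This is illustration code written for this page, not OSSEC's own code and not anything posted by the participants. It assumes the restrict attribute behaves as "|"-separated literal substrings searched in the full path (with optional ^ and $ anchors); OSSEC uses its own OS_Match/OS_Regex engine, so treat this as an approximation, and the leading +/- characters of a DB line are kept verbatim without being interpreted. SAMPLE_DB mixes the two test.txt lines and the /usr/bin/php line copied from the thread with constructed entries whose hashes are placeholders.

```python
import re
import stat
from dataclasses import dataclass
from typing import List, Optional

# One entry per line in /var/ossec/queue/syscheck/<agent>. Layout as seen in the
# thread: flag chars, then size:mode:uid:gid:md5:sha1, then "!mtime path".
DB_LINE = re.compile(
    r"^(?P<flags>[+-]+)"
    r"(?P<size>\d+):(?P<mode>\d+):(?P<uid>\d+):(?P<gid>\d+):"
    r"(?P<md5>[0-9a-f]{32}):(?P<sha1>[0-9a-f]{40})"
    r"\s+!(?P<mtime>\d+)\s+(?P<path>\S.*)$"
)


@dataclass
class SyscheckEntry:
    flags: str   # leading '+'/'-' chars, kept verbatim and not interpreted (assumption)
    size: int
    mode: int    # st_mode as a decimal integer, e.g. 33188 == 0o100644
    uid: int
    gid: int
    md5: str
    sha1: str
    mtime: int   # Unix timestamp following the '!'
    path: str

    @property
    def perms(self) -> str:
        """Decode the numeric mode into ls-style text: 33188 -> '-rw-r--r--'."""
        return stat.filemode(self.mode)


def parse_db_line(line: str) -> SyscheckEntry:
    """Parse one syscheck DB line; raise ValueError on anything else."""
    m = DB_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a syscheck DB line: {line!r}")
    g = m.groupdict()
    return SyscheckEntry(
        flags=g["flags"], size=int(g["size"]), mode=int(g["mode"]),
        uid=int(g["uid"]), gid=int(g["gid"]), md5=g["md5"], sha1=g["sha1"],
        mtime=int(g["mtime"]), path=g["path"],
    )


def restrict_matches(restrict: Optional[str], path: str) -> bool:
    """Approximation of the restrict attribute (assumed semantics, not OSSEC's matcher):
    alternatives are separated by '|'; each is a literal substring of the full path,
    with an optional leading '^' (anchor at start) or trailing '$' (anchor at end).
    An empty/absent restrict admits every file."""
    if not restrict:
        return True
    for alt in restrict.split("|"):
        anchored_start = alt.startswith("^")
        anchored_end = alt.endswith("$") and len(alt) > 1
        lit = alt[1 if anchored_start else 0: -1 if anchored_end else None]
        if not lit:
            continue
        if anchored_start and anchored_end:
            hit = path == lit
        elif anchored_start:
            hit = path.startswith(lit)
        elif anchored_end:
            hit = path.endswith(lit)
        else:
            hit = lit in path
        if hit:
            return True
    return False


def filter_db(lines: List[str], restrict: Optional[str]) -> List[SyscheckEntry]:
    """Parse DB lines and keep only the entries the restrict pattern would admit."""
    entries = (parse_db_line(ln) for ln in lines if ln.strip())
    return [e for e in entries if restrict_matches(restrict, e.path)]


# Constructed sample DB: the test.txt1/test.txt2 and /usr/bin/php lines are copied
# from the thread; the others are made up here and their hashes are placeholders.
SAMPLE_DB = [
    "+++3:33188:0:0:764efa883dda1e11db47671c4a3bbd9e:55ca6286e3e4f4fba5d0448333fa99fc5a404a73 !1453933436 /root/test.txt1",
    "+++5:33188:0:0:d8e8fca2dc0f896fd7cb4cb0031ba249:4e1243bd22c66e76c2ba9eddc1f91394e57f9f83 !1453933436 /root/test.txt2",
    "+++7:33188:0:0:" + "0" * 32 + ":" + "0" * 40 + " !1453933436 /root/test.txt3",
    "+++120:33188:48:48:" + "1" * 32 + ":" + "1" * 40 + " !1454017700 /var/www/vhosts/test.com/httpdocs/test.php",
    "+++900:33188:48:48:" + "2" * 32 + ":" + "2" * 40 + " !1454017700 /var/www/vhosts/test.com/httpdocs/app.js",
    "+++400:33188:48:48:" + "3" * 32 + ":" + "3" * 40 + " !1454017700 /var/www/vhosts/test.com/httpdocs/index.html",
    "+++3232368:33261:0:0:41591364ec9f9f74e6180f91ede53f24:f3f7f713f0b6fffcb582cce39ad2b433c2f12ef0 !1454017663 /usr/bin/php",
]

if __name__ == "__main__":
    # What a restrict=".php|.js" directory would leave in the DB.
    for e in filter_db(SAMPLE_DB, ".php|.js"):
        print(f"{e.perms} {e.uid}:{e.gid} {e.size:>8} {e.path}")
```

Two things worth noticing when running it. First, the restrict filter is applied at scan time on the agent, so a database built before the attribute was added keeps its old entries until it is cleared and rescanned, which is what the `syscheck_control -u 001` step in the thread does. Second, in the thread the watch command uses `grep '.php$'`, where `.` is a regex wildcard, which is why `/usr/bin/php` shows up although it contains no `.php`; `grep '\.php$'` matches only the extension.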
