Should we expect this to be solved in the forthcoming OSSEC release?
On Friday, January 29, 2016 at 20:17:46 (UTC+1), Daniel Cid wrote:
> Awesome :)
>
> On Fri, Jan 29, 2016 at 3:06 PM, Luke Hansey <[email protected]> wrote:
>
>> Works great now. Thank you for the work on this. No worries about the
>> time. It's developmental :) Plus, I have a little firmer grasp on OSSEC
>> now.
>>
>> On Thursday, January 28, 2016 at 4:58:11 PM UTC-8, Daniel Cid wrote:
>>>
>>> The issue was in my branch there. Mind getting the latest again? Should
>>> be working now:
>>>
>>> https://bitbucket.org/dcid/ossec-hids/get/tip.tar.gz
>>>
>>> Sorry for the waste of time :/
>>>
>>> thanks,
>>>
>>> On Thu, Jan 28, 2016 at 1:34 PM, Luke Hansey <[email protected]> wrote:
>>>
>>>> Thanks for the reply, Santiago.
>>>>
>>>> Here is what I am seeing. On agent:
>>>>
>>>> 2016/01/28 11:42:06 ossec-syscheckd: INFO: Monitoring directory: '/var/www/vhosts/'.
>>>> 2016/01/28 11:42:06 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/www/vhosts/'.
>>>> 2016/01/28 11:43:08 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>>>> 2016/01/28 11:43:08 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
>>>> 2016/01/28 11:48:59 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
>>>> 2016/01/28 11:49:00 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
>>>> 2016/01/28 11:49:12 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
>>>> 2016/01/28 11:49:32 ossec-syscheckd: INFO: Starting real time file monitoring.
>>>> 2016/01/28 11:49:32 ossec-rootcheck: INFO: Starting rootcheck scan.
>>>> 2016/01/28 11:55:02 ossec-rootcheck: INFO: Ending rootcheck scan.
>>>>
>>>> On my server I'm watching this agent's syscheck queue:
>>>>
>>>> Every 1.0s: cat '(blah.blah.com) 10.0.1.2->syscheck' | grep '.php$'
>>>>
>>>> +++3232368:33261:0:0:41591364ec9f9f74e6180f91ede53f24:f3f7f713f0b6fffcb582cce39ad2b433c2f12ef0
>>>> !1454017663 /usr/bin/php
>>>>
>>>> I've created a test.php file in /var/www/vhosts/test.com/httpdocs/test.php
>>>> as well as edited an existing PHP file in the same directory.
>>>>
>>>> Nothing changes, so I run from server:
>>>>
>>>> /var/ossec/bin/agent_control -r -u 001
>>>>
>>>> OSSEC HIDS agent_control: Restarting Syscheck/Rootcheck on agent: 001
>>>>
>>>> Still the queue/syscheck file for this agent does not change. File
>>>> size is the same as well. Before this process I also ran:
>>>>
>>>> /var/ossec/bin/syscheck_control -u 001
>>>>
>>>> and it emptied the file. But once syscheck ran again, it was exactly
>>>> the same size as it was before (334K), which seems small.
>>>>
>>>> I'm running v2015-12 latest dev that Dan pushed a few days ago. I feel
>>>> like I'm missing something obvious...
>>>>
>>>> On Wednesday, January 27, 2016 at 2:54:09 PM UTC-8, Santiago Bassett wrote:
>>>>>
>>>>> Are you sure your config is not working?
>>>>>
>>>>> I just tested this and it works for me:
>>>>>
>>>>> <directories check_all="yes" restrict=".txt1|.txt2">/root</directories>
>>>>>
>>>>> I created three test files:
>>>>>
>>>>> root@vpc-ossec-manager:~# ls test.txt*
>>>>> test.txt1 test.txt2 test.txt3
>>>>>
>>>>> And this is what I get in my syscheck file:
>>>>>
>>>>> root@vpc-ossec-manager:~# cat /var/ossec/queue/syscheck/syscheck | grep test.txt
>>>>> +++3:33188:0:0:764efa883dda1e11db47671c4a3bbd9e:55ca6286e3e4f4fba5d0448333fa99fc5a404a73
>>>>> !1453933436 /root/test.txt1
>>>>> +++5:33188:0:0:d8e8fca2dc0f896fd7cb4cb0031ba249:4e1243bd22c66e76c2ba9eddc1f91394e57f9f83
>>>>> !1453933436 /root/test.txt2
>>>>>
>>>>> There is nothing for test.txt3
>>>>>
>>>>> I am using 2.9 version (development branch)
>>>>>
>>>>> Best
>>>>>
>>>>> On Tue, Jan 26, 2016 at 4:34 PM, Luke Hansey <[email protected]> wrote:
>>>>>
>>>>>> If I use:
>>>>>>
>>>>>> <directories check_all="yes" restrict=".php|.js">/var/www/vhosts/</directories>
>>>>>>
>>>>>> syscheck logs no changes to any file.
>>>>>>
>>>>>> If I use:
>>>>>>
>>>>>> <directories check_all="yes">/var/www/vhosts/</directories>
>>>>>>
>>>>>> Works fine and logs changes to any file.
>>>>>>
>>>>>> Am I missing something when using the *restrict* option?
>>>>>>
>>>>>> --
>>>>>> ---
>>>>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>>> For more options, visit https://groups.google.com/d/optout.
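Added example for this thread, not code from the thread or from OSSEC: a small Python parser for the manager-side syscheck database lines quoted above, plus a diff between two snapshots of that file filtered the way Luke's `grep '.php$'` watch was, so that a new test.php and an edited PHP file show up as "added" and "changed" entries. Assumptions, all labelled in the code: the record layout is inferred from the quoted lines (three flag characters, then size:mode:uid:gid:md5:sha1, then `!<stamp> <path>`); the `!<stamp>` field is treated as a Unix timestamp without asserting whether it is the file's mtime or the time the manager recorded the entry; `path_filter` is a Python regex and is not OSSEC's own `restrict` syntax; and the BEFORE/AFTER snapshots are constructed (the index.php, test.php and notes.txt records, their uid/gid 33 and their checksums are made up; only the /usr/bin/php record is taken from the thread).

```python
import re
import stat
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

# Assumed record layout, read off the entries quoted in the thread:
#   <f><f><f><size>:<mode>:<uid>:<gid>:<md5>:<sha1> !<stamp> <path>
# The three leading +/- characters are per-attribute flags that this example
# keeps but does not interpret. <stamp> is taken to be a Unix epoch timestamp
# (assumption: no claim about whether it is mtime or the manager's receive time).
RECORD_RE = re.compile(
    r"^(?P<flags>[+-]{3})(?P<size>\d+):(?P<mode>\d+):(?P<uid>\d+):(?P<gid>\d+):"
    r"(?P<md5>[0-9a-f]{32}):(?P<sha1>[0-9a-f]{40})\s+!(?P<stamp>\d+)\s+(?P<path>\S.*)$"
)

# Attributes compared between snapshots (the flags describe layout, not file state).
FIELDS = ("size", "mode", "uid", "gid", "md5", "sha1", "stamp")


@dataclass(frozen=True)
class Entry:
    flags: str
    size: int
    mode: int
    uid: int
    gid: int
    md5: str
    sha1: str
    stamp: int
    path: str

    @property
    def perms(self) -> str:
        # mode is st_mode as a decimal integer: 33261 -> '-rwxr-xr-x', 33188 -> '-rw-r--r--'
        return stat.filemode(self.mode)


def iter_records(text: str) -> Iterator[str]:
    """Yield one logical record per entry. Accepts the single-line layout
    `<checksum> !<stamp> <path>` and the two-line layout in which the
    `!<stamp> <path>` half follows on the next non-blank line, which is how
    the mail-wrapped pastes in the thread read."""
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending is not None:
            if line.startswith("!"):
                yield f"{pending} {line}"   # join the two halves
                pending = None
                continue
            yield pending                    # orphan checksum half; parse_record rejects it
            pending = None
        if " !" in line:
            yield line                       # complete single-line record
        else:
            pending = line                   # checksum half, wait for the `!` half
    if pending is not None:
        yield pending


def parse_record(record: str) -> Optional[Entry]:
    m = RECORD_RE.match(record.strip())
    if m is None:
        return None
    g = m.groupdict()
    return Entry(g["flags"], int(g["size"]), int(g["mode"]), int(g["uid"]),
                 int(g["gid"]), g["md5"], g["sha1"], int(g["stamp"]), g["path"])


def load_db(text: str) -> Dict[str, Entry]:
    """Map path -> Entry; a path listed twice keeps its last record."""
    db: Dict[str, Entry] = {}
    for record in iter_records(text):
        entry = parse_record(record)
        if entry is not None:
            db[entry.path] = entry
    return db


def changed_fields(old: Entry, new: Entry) -> List[str]:
    return [f for f in FIELDS if getattr(old, f) != getattr(new, f)]


def diff_db(before: Dict[str, Entry], after: Dict[str, Entry],
            path_filter: Optional[str] = None
            ) -> Tuple[List[str], Dict[str, List[str]], List[str]]:
    """Return (added, changed, removed) between two snapshots. path_filter is a
    Python regex applied with re.search to the path; it reproduces the
    `grep '.php$'` watch from the thread and is NOT OSSEC's `restrict` matching."""
    keep = (lambda p: True) if path_filter is None else (lambda p: re.search(path_filter, p) is not None)
    added = sorted(p for p in after if p not in before and keep(p))
    removed = sorted(p for p in before if p not in after and keep(p))
    changed: Dict[str, List[str]] = {}
    for path in sorted(before.keys() & after.keys()):
        if keep(path):
            diff = changed_fields(before[path], after[path])
            if diff:
                changed[path] = diff
    return added, changed, removed


# Constructed sample snapshots (not from any real manager). The /usr/bin/php record is
# the one quoted in the thread; the other records, uid/gid 33 and their checksums
# (md5/sha1 of "" and of "a") are made up for the example.
BEFORE = """
+++3232368:33261:0:0:41591364ec9f9f74e6180f91ede53f24:f3f7f713f0b6fffcb582cce39ad2b433c2f12ef0
!1454017663 /usr/bin/php
+++0:33188:33:33:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 !1454000000 /var/www/vhosts/test.com/httpdocs/index.php
"""
AFTER = """
+++3232368:33261:0:0:41591364ec9f9f74e6180f91ede53f24:f3f7f713f0b6fffcb582cce39ad2b433c2f12ef0 !1454017663 /usr/bin/php
+++1:33188:33:33:0cc175b9c0f1b6a831c399e269772661:86f7e437faa5a7fce15d1ddcb9eaeaea377667b8 !1454020000 /var/www/vhosts/test.com/httpdocs/index.php
+++0:33188:33:33:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 !1454020001 /var/www/vhosts/test.com/httpdocs/test.php
+++0:33188:33:33:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 !1454020002 /var/www/vhosts/test.com/httpdocs/notes.txt
"""


def php_report(before_text: str = BEFORE, after_text: str = AFTER):
    """What the `grep '.php$'` watch should show once the new test.php and the
    edited PHP file have reached the manager's syscheck database."""
    return diff_db(load_db(before_text), load_db(after_text), path_filter=r"\.php$")


if __name__ == "__main__":
    added, changed, removed = php_report()
    for p in added:
        print("added  ", p)
    for p, fields in changed.items():
        print("changed", p, ",".join(fields))
    for p in removed:
        print("removed", p)
```

Point it at two copies of `/var/ossec/queue/syscheck/<agent>` taken before and after touching a monitored file; if the diff is empty while the agent log shows the scan completing, the entries never reached the manager, which is the symptom described above, rather than a problem with how the file is being grepped.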
