The alerts can usually be found at /var/ossec/logs/alerts/alerts.log. In case you are not doing that already, I recommend you use the alert_new_files option in /var/ossec/etc/ossec.conf (on the manager, in the syscheck section), to be sure you get alerted every time there is a new file.
Also remember that, by default, syschecks are run periodically, so it can take a while to detect file changes. You can change the frequency in the configuration (less than 300 seconds is not recommended).

Best

On Sun, Mar 6, 2016 at 10:41 AM, Tennisha tennisha <[email protected]> wrote:

> I did this and now remoted is running (thank you!!!) but I am still not
> getting any alerts for added, modified, removed files in the ossec.log. Am
> I looking in the wrong place?
>
> On Sunday, March 6, 2016 at 1:30:51 PM UTC-5, Santiago Bassett wrote:
>>
>> Forgot to mention that you need to restart OSSEC (in the manager), once
>> you have done that.
>>
>> On Sun, Mar 6, 2016 at 10:29 AM, Santiago Bassett <[email protected]>
>> wrote:
>>
>>> Most likely you just need to register the first agent, so
>>> /var/ossec/etc/client.keys gets created. You can use
>>> /var/ossec/bin/manage_agents to register it (use the "add an agent" option).
>>>
>>> I hope it helps
>>>
>>> On Sun, Mar 6, 2016 at 9:41 AM, Tennisha tennisha <[email protected]>
>>> wrote:
>>>
>>>> I have tried to install ossec on three different vms and am not able to
>>>> get it to pick up modifications, additions, deletions of files. I have
>>>> tried running it on a security onion 14.04 machine and a non security onion
>>>> machine. I followed the instructions here
>>>>
>>>> https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-ossec-security-notifications-on-ubuntu-14-04
>>>>
>>>> and on two of the machines I am getting this process XXX not used by ossec
>>>> removing, ossec remoted not running error. Please advise
>>>>
>>>> martin@martin-VirtualBox:~$ sudo /var/ossec/bin/ossec-control status
>>>> [sudo] password for martin:
>>>> ossec-monitord is running...
>>>> ossec-logcollector is running...
>>>> ossec-remoted: Process 1439 not used by ossec, removing ..
>>>> ossec-remoted not running...
>>>> ossec-syscheckd is running...
>>>> ossec-analysisd is running...
>>>> ossec-maild not running...
>>>> ossec-execd is running...
>>>> martin@martin-VirtualBox:~$ gdb /var/ossec/bin/ossec-remoted
>>>> GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
>>>> Copyright (C) 2014 Free Software Foundation, Inc.
>>>> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>>>> This is free software: you are free to change and redistribute it.
>>>> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
>>>> and "show warranty" for details.
>>>> This GDB was configured as "x86_64-linux-gnu".
>>>> Type "show configuration" for configuration details.
>>>> For bug reporting instructions, please see:
>>>> <http://www.gnu.org/software/gdb/bugs/>.
>>>> Find the GDB manual and other documentation resources online at:
>>>> <http://www.gnu.org/software/gdb/documentation/>.
>>>> For help, type "help".
>>>> Type "apropos word" to search for commands related to "word"...
>>>> /var/ossec/bin/ossec-remoted: Permission denied.
>>>> (gdb)
>>>> (gdb) set follow-fork-mode child
>>>> (gdb) run -df
>>>> Starting program: -df
>>>> No executable file specified.
>>>> Use the "file" or "exec-file" command.
>>>> (gdb) t
>>>> No thread selected
>>>> (gdb) bt
>>>> No stack.
>>>> (gdb)
>>>> [1]+ Stopped gdb /var/ossec/bin/ossec-remoted
>>>> martin@martin-VirtualBox:~$ sudo gdb /var/ossec/bin/ossec-remoted
>>>> GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
>>>> Copyright (C) 2014 Free Software Foundation, Inc.
>>>> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>>>> This is free software: you are free to change and redistribute it.
>>>> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
>>>> and "show warranty" for details.
>>>> This GDB was configured as "x86_64-linux-gnu".
>>>> Type "show configuration" for configuration details.
>>>> For bug reporting instructions, please see:
>>>> <http://www.gnu.org/software/gdb/bugs/>.
>>>> Find the GDB manual and other documentation resources online at:
>>>> <http://www.gnu.org/software/gdb/documentation/>.
>>>> For help, type "help".
>>>> Type "apropos word" to search for commands related to "word"...
>>>> Reading symbols from /var/ossec/bin/ossec-remoted...(no debugging symbols found)...done.
>>>> (gdb) set follow-fork-mode child
>>>> (gdb) run -df
>>>> Starting program: /var/ossec/bin/ossec-remoted -df
>>>> [Thread debugging using libthread_db enabled]
>>>> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
>>>> 2016/03/06 12:31:23 ossec-remoted: DEBUG: Starting ...
>>>> 2016/03/06 12:31:23 ossec-remoted: INFO: Started (pid: 4504).
>>>> [New process 4508]
>>>> [Thread debugging using libthread_db enabled]
>>>> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
>>>> 2016/03/06 12:31:23 ossec-remoted: DEBUG: Forking remoted: '0'.
>>>> 2016/03/06 12:31:23 ossec-remoted: INFO: Started (pid: 4508).
>>>> 2016/03/06 12:31:23 ossec-remoted: DEBUG: Running manager_init
>>>> [New Thread 0x7ffff6fba700 (LWP 4509)]
>>>> [New Thread 0x7ffff67b9700 (LWP 4510)]
>>>> 2016/03/06 12:31:24 ossec-remoted: INFO: (unix_domain) Maximum send buffer set to: '16777216'.
>>>> 2016/03/06 12:31:24 ossec-remoted(4111): INFO: Maximum number of agents allowed: '1024'.
>>>> 2016/03/06 12:31:24 ossec-remoted(1410): INFO: Reading authentication keys file.
>>>> 2016/03/06 12:31:24 ossec-remoted(1402): ERROR: Authentication key file '/etc/client.keys' not found.
>>>> 2016/03/06 12:31:24 ossec-remoted(1750): ERROR: No remote connection configured. Exiting.
>>>> [Thread 0x7ffff6fba700 (LWP 4509) exited]
>>>> [Thread 0x7ffff7fe1740 (LWP 4508) exited]
>>>> [Inferior 2 (process 4508) exited with code 01]
>>>> (gdb)
>>>>
>>>> --
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.
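The advice in the top reply, written out as a manager-side syscheck section. This is an added example, not configuration posted in the thread or shipped by OSSEC: the scan frequency is lowered from the stock default of 79200 seconds (22 hours) while staying above the 300-second floor the reply mentions, alert_new_files is switched on so new files raise an alert instead of being silently added to the integrity database, and, going beyond the reply, realtime="yes" is set on the most sensitive paths so changes there are reported without waiting for the next scan. The directory list and ignore entries are assumptions about a typical Ubuntu install, not anything the thread states.

```xml
<!-- /var/ossec/etc/ossec.conf on the manager (added example, not from the thread).
     Only the syscheck section is shown; the rest of the file is unchanged. -->
<ossec_config>
  <syscheck>
    <!-- Stock default is 79200 seconds (22 hours). Lower it for timelier
         detection, but the list reply advises staying above 300 seconds. -->
    <frequency>3600</frequency>

    <!-- Off by default. Without it a new file in a watched directory is
         recorded in the integrity database but no alert is generated. -->
    <alert_new_files>yes</alert_new_files>

    <!-- check_all covers size, permissions, owner, group, md5 and sha1.
         realtime="yes" uses inotify on Linux so additions, modifications and
         deletions here are reported as they happen rather than at the next
         scheduled scan (assumed directory list). -->
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files that change routinely and would only produce noise (assumed). -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
  </syscheck>
</ossec_config>
```

As the thread notes, the manager has to be restarted after the change (sudo /var/ossec/bin/ossec-control restart); new-file and change alerts then appear in /var/ossec/logs/alerts/alerts.log, not in ossec.log, which only carries the daemons' own status and error messages.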
