Actually, I decided to try it locally because I would like to see it in both cases.
If a user were to modify a specific text file on the OSSEC server, I would
like to get an alert that would, at the very least, tell what was changed and
what new text was written, which is why I modified the option
in ossec.conf:
<syscheck>
  <!-- Frequency that syscheck is executed - default to every 22 hours -->
  <frequency>360</frequency>
  <auto_ignore>no</auto_ignore>
  <!-- Directories to check (perform all possible verifications) -->
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>
  <directories report_changes="yes">/input/ossec/</directories>
</syscheck>
However, when I launch this script:
bin/ossec-syscheckd
I get the following error:
2016/07/22 12:39:23 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
2016/07/22 12:39:23 ossec-syscheckd: WARN: Syscheck disabled.
Is that to say that syscheck is disabled on the agents or on the server? Any
ideas?
Thank you,
On Friday, July 22, 2016 at 12:36:53 PM UTC-4, dan (ddpbsd) wrote:
>
> On Fri, Jul 22, 2016 at 12:14 PM, EvilZ <[email protected]>
> wrote:
> > Hi Dan,
> >
> > I placed the <auto_ignore>no</auto_ignore> in the syscheck section and for
> > some reason it simply does not trigger.
> >
> > Is it possible that once it was triggered three times it goes into a do
> > not check list that I have to reset?
> >
>
> I don't think so, but I'm not positive. You set this on the server (if
> this is an agent<>server setup), correct?
> I'll try it out to see what happens. If it is an issue, you may have
> to reset the syscheck db for that agent and take a new baseline.
>
> > If I ever wish to perform the same locally, is there a different step?
> >
> > Thank you,
> >
> >
> >
> > On Friday, July 22, 2016 at 10:10:51 AM UTC-4, dan (ddpbsd) wrote:
> >>
> >> On Fri, Jul 22, 2016 at 9:25 AM, EvilZ <[email protected]> wrote:
> >> > Hi,
> >> >
> >> >
> >> > I would like to set up monitoring for a txt file that is on a Linux
> >> > server.
> >> > I have configured syscheck and set report_changes to yes; however,
> >> > after 3 changes it has stopped reporting any change I make to the file.
> >> > I would like the monitoring to act like an agentless check and alert
> >> > whenever a change has been detected, and also what exact text has been
> >> > changed, with information such as the owner and group of the individual
> >> > that has performed the modification. Is this the correct setting I
> >> > should set up for the directory?
> >> >
> >> > <directories report_changes="yes" check_all="yes">/input/ossec/</directories>
> >> >
> >> > Thank you,
> >> >
> >>
> >> OSSEC stops reporting on files after they have changed 3 times by
> >> default. Turn off the auto ignore feature if you don't want this.
> >>
> >> Reporting the user that has modified a file is trickier. You need to
> >> monitor the file with some system process, and then ingest those logs
> >> to find the change. Maybe auditd on Linux?
> >>
> >
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
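Dan's suggestion above, using auditd to learn who touched the file, carried through as an added example; this is not part of the thread and not OSSEC code. It assumes the watched directory has an audit rule of the form `auditctl -w /input/ossec/ -p wa -k ossec_input`, and it groups the SYSCALL and PATH records auditd writes for hits on that key so each change is attributed to a login uid (auid) and effective uid. The audit lines are constructed to illustrate the record format, not captured from a real host, and the key name `ossec_input` is an assumption. Feeding the result back into OSSEC (for example by ingesting audit.log with a localfile entry) is left out because the thread does not describe it.

```python
"""Correlate auditd records for a watched file to find who changed it.

Added example for this thread; it is not OSSEC code. It assumes a watch rule
such as:

    auditctl -w /input/ossec/ -p wa -k ossec_input

and parses the SYSCALL/PATH records auditd writes for hits on that key. The
log lines below are constructed to illustrate the format, not captured output.
"""
import re
from collections import defaultdict

# Constructed sample: an editor write by uid 1000, a sudo write where the
# login uid (auid) still identifies the person although uid is root, and an
# unrelated daemon write with no login uid and a different key.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1469205563.123:4567): arch=c000003e syscall=2 success=yes exit=3 a0=1 a1=241 a2=1b6 a3=0 items=2 ppid=3100 pid=3155 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="ossec_input"
type=CWD msg=audit(1469205563.123:4567):  cwd="/input/ossec"
type=PATH msg=audit(1469205563.123:4567): item=0 name="/input/ossec/" inode=131 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1469205563.123:4567): item=1 name="/input/ossec/notes.txt" inode=140 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1469205590.456:4570): arch=c000003e syscall=2 success=yes exit=3 a0=1 a1=241 a2=1b6 a3=0 items=2 ppid=3200 pid=3201 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="tee" exe="/usr/bin/tee" key="ossec_input"
type=CWD msg=audit(1469205590.456:4570):  cwd="/root"
type=PATH msg=audit(1469205590.456:4570): item=0 name="/input/ossec/" inode=131 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1469205590.456:4570): item=1 name="/input/ossec/notes.txt" inode=140 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1469205600.000:4575): arch=c000003e syscall=2 success=yes exit=3 a0=1 a1=0 a2=0 a3=0 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="other"
type=PATH msg=audit(1469205600.000:4575): item=0 name="/var/log/cron" inode=99 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')   # msg=audit(timestamp:serial)
UNSET_UID = 4294967295  # (unsigned)-1: no login uid, e.g. daemons started at boot


def parse_record(line):
    """Split one audit line into a dict of fields plus its (timestamp, serial) id."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in TOKEN_RE.findall(line)}
    fields["_event"] = (float(m.group(1)), int(m.group(2)))
    return fields


def group_events(lines):
    """Bundle all records that share msg=audit(ts:serial) into one event."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["_event"]].append(rec)
    return events


def who_changed(log_text, key="ossec_input"):
    """Return one dict per file touched by a syscall tagged with `key`.

    auid is the login uid (kept across su/sudo), uid the effective uid at the
    time of the write; auid is None when the kernel recorded the unset value.
    """
    hits = []
    for (ts, serial), recs in sorted(group_events(log_text.splitlines()).items()):
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if not syscall or syscall.get("key") != key:
            continue
        auid = int(syscall["auid"])
        for path in (r for r in recs if r.get("type") == "PATH"):
            if path.get("nametype") == "PARENT":
                continue  # the directory entry, not the file that was written
            hits.append({
                "time": ts,
                "serial": serial,
                "path": path["name"],
                "auid": None if auid == UNSET_UID else auid,
                "uid": int(syscall["uid"]),
                "exe": syscall.get("exe"),
                "success": syscall.get("success") == "yes",
            })
    return hits


if __name__ == "__main__":
    for hit in who_changed(SAMPLE_AUDIT_LOG):
        print(hit)
```

The point of reporting auid next to uid is the second sample event: the write was done as root through tee, but auid=1001 still names the person who logged in, which is the attribution the original question asks for and which a syscheck alert alone cannot provide.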