Ok so basically you configured the same things as I did in the ossec.conf or in the agent.conf?

Thank you,

On Friday, July 22, 2016 at 12:54:13 PM UTC-4, dan (ddpbsd) wrote:
>
> On Fri, Jul 22, 2016 at 12:44 PM, EvilZ <[email protected]> wrote:
> > Actually I decided to try locally because I would like to see in both cases
> > if a user was to modify a specific text file in the ossec server. I would
> > like to get an alert that would at the very least tell what was changed and
> > what is the new text that was written, which is why I modified the option in
> > ossec.conf
> >
> > <syscheck>
> >   <!-- Frequency that syscheck is executed - default to every 22 hours -->
> >   <frequency>360</frequency>
> >   <auto_ignore>no</auto_ignore>
> >
> >   <!-- Directories to check (perform all possible verifications)
> >   <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> >   <directories check_all="yes">/bin,/sbin</directories>
> >   <directories report_changes="yes" >/input/ossec/</directories>
> >
> > However when I launch this script
> > bin/ossec-syscheckd
> >
> > I get the following error:
> >
> > 2016/07/22 12:39:23 ossec-syscheckd(1702): INFO: No directory provided for
> > syscheck to monitor.
> > 2016/07/22 12:39:23 ossec-syscheckd: WARN: Syscheck disabled.
> >
> > Is it to say that syscheck is disabled on agents or on the server? Any
> > ideas?
> >
>
> The agents don't do the processing. They collect the hashes and
> forward them to the server for analysis and alerting.
> The auto_ignore option is only valid on a server (or a local
> installation), not an agent.
>
> And I just tested it. I managed to get alerts after setting the
> auto_ignore option, even though there were 3+ previous changes to the
> monitored file.
>
> > Thank you,
> >
> > On Friday, July 22, 2016 at 12:36:53 PM UTC-4, dan (ddpbsd) wrote:
> >>
> >> On Fri, Jul 22, 2016 at 12:14 PM, EvilZ <[email protected]> wrote:
> >> > Hi Dan,
> >> >
> >> > I placed the <auto_ignore>no<auto_ignore> in the syscheck section and for
> >> > some reason it simply does not trigger.
> >> >
> >> > Is it possible that once it was triggered three times it goes in a do not
> >> > check list that I have to reset?
> >> >
> >>
> >> I don't think so, but I'm not positive. You set this on the server (if
> >> this is an agent<>server setup), correct?
> >> I'll try it out to see what happens. If it is an issue, you may have
> >> to reset the syscheck db for that agent and take a new baseline.
> >>
> >> > If ever I wish to perform the same locally, is there a different step?
> >> >
> >> > Thank you,
> >> >
> >> > On Friday, July 22, 2016 at 10:10:51 AM UTC-4, dan (ddpbsd) wrote:
> >> >>
> >> >> On Fri, Jul 22, 2016 at 9:25 AM, EvilZ <[email protected]> wrote:
> >> >> > Hi,
> >> >> >
> >> >> > I would like to set up monitoring for a txt file that is in a Linux
> >> >> > server. I have configured the syscheck and selected Report_Change to yes;
> >> >> > however, after 3 changes it has stopped reporting any change I do to the
> >> >> > file. I would like the monitoring to act like an agentless and alert
> >> >> > whenever a change has been detected, and also what exact text has been
> >> >> > changed, with information such as the owner and group of the individual
> >> >> > that has performed the modification. Is this the correct setting I should
> >> >> > set up for the directory?
> >> >> >
> >> >> > <directories report_change="yes" check_all="yes">/input/ossec/</directories>
> >> >> >
> >> >> > Thank you,
> >> >> >
> >> >>
> >> >> OSSEC stops reporting on files after they have changed 3 times by
> >> >> default. Turn off the auto ignore feature if you don't want this.
> >> >>
> >> >> Reporting the user that has modified a file is trickier. You need to
> >> >> monitor the file with some system process, and then ingest those logs
> >> >> to find the change. Maybe auditd on Linux?
> >> >>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
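A quick check for the quoted syscheck block, added here as an example and not part of the thread or of OSSEC itself: in the config pasted above, the `<!-- Directories to check ...` comment has no closing `-->` before the `<directories>` entries, so if that comment only ends at the next `-->` further down the file, every `<directories>` line in between is commented out, which is one way to end up with "No directory provided for syscheck to monitor". The script strips comments the way an XML reader would and lists which directories and options survive; the sample config (including the assumed follow-on `<!-- Files/directories to ignore -->` comment, as in a stock ossec.conf) is constructed, and OSSEC's own config parser may differ in details.

```python
import re

# Constructed sample mirroring the quoted config: the "Directories to check" comment
# has no "-->", so it runs on to the next comment's "-->" and swallows the entries.
BROKEN_CONF = """
<syscheck>
  <!-- Frequency that syscheck is executed - default to every 22 hours -->
  <frequency>360</frequency>
  <auto_ignore>no</auto_ignore>

  <!-- Directories to check (perform all possible verifications)
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>
  <directories report_changes="yes" >/input/ossec/</directories>

  <!-- Files/directories to ignore -->
</syscheck>
"""

# Same config with the comment closed before the <directories> entries.
FIXED_CONF = BROKEN_CONF.replace(
    "(perform all possible verifications)",
    "(perform all possible verifications) -->")

COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)
DIRS_RE = re.compile(r"<directories\b([^>]*)>(.*?)</directories>", re.DOTALL)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def monitored_directories(conf):
    """Return [(path, {attr: value}), ...] for each comma-separated path in every
    <directories> entry that is still visible once comments are stripped."""
    visible = COMMENT_RE.sub("", conf)
    result = []
    for attrs, paths in DIRS_RE.findall(visible):
        opts = dict(ATTR_RE.findall(attrs))
        result.extend((p.strip(), opts) for p in paths.split(",") if p.strip())
    return result


def option(conf, name):
    """Value of a simple <name>value</name> option, or None if absent or commented out."""
    m = re.search(rf"<{name}>\s*(.*?)\s*</{name}>", COMMENT_RE.sub("", conf))
    return m.group(1) if m else None


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        dirs = monitored_directories(conf)
        print(f"{label}: auto_ignore={option(conf, 'auto_ignore')} directories={len(dirs)}")
        for path, opts in dirs:
            print("   ", path, opts)
```

The broken sample yields zero monitored directories while `auto_ignore` and `frequency` are still read, matching the pattern of a syscheck that starts but disables itself.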
