On Fri, Jul 22, 2016 at 2:19 PM, EvilZ <[email protected]> wrote:
> ok
>
> so basically you configured the same things as i did in the ossec.conf or in
> the agent.conf ?
>

You mean the "<auto_ignore>no</auto_ignore>" option? It belongs in the
server's ossec.conf. It does nothing good anywhere else.

> Thank you,
>
> On Friday, July 22, 2016 at 12:54:13 PM UTC-4, dan (ddpbsd) wrote:
>>
>> On Fri, Jul 22, 2016 at 12:44 PM, EvilZ <[email protected]> wrote:
>> > actually i decided to try locally because i would like to see in both
>> > cases if a user was to modify a specific text file in the ossec server i
>> > would like to get an alert that would at the very least tell what was
>> > changed and what is the new text that was written. which is why i modified
>> > the option in ossec.conf
>> >
>> > <syscheck>
>> >   <!-- Frequency that syscheck is executed - default to every 22 hours -->
>> >   <frequency>360</frequency>
>> >   <auto_ignore>no</auto_ignore>
>> >
>> >   <!-- Directories to check (perform all possible verifications)
>> >   <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>> >   <directories check_all="yes">/bin,/sbin</directories>
>> >   <directories report_changes="yes" >/input/ossec/</directories>
>> >
>> > however when i launch this script
>> > bin/ossec-syscheckd
>> >
>> > i get the following error:
>> >
>> > 2016/07/22 12:39:23 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
>> > 2016/07/22 12:39:23 ossec-syscheckd: WARN: Syscheck disabled.
>> >
>> > is it to say that syscheck is disabled on agents or on the server ? any
>> > ideas?
>> >
>>
>> The agents don't do the processing. They collect the hashes and
>> forward them to the server for analysis and alerting.
>> The auto_ignore option is only valid on a server (or a local
>> installation), not an agent.
>>
>> And I just tested it. I managed to get alerts after setting the
>> auto_ignore option, even though there were 3+ previous changes to the
>> monitored file.
>>
>> > Thank you,
>> >
>> > On Friday, July 22, 2016 at 12:36:53 PM UTC-4, dan (ddpbsd) wrote:
>> >>
>> >> On Fri, Jul 22, 2016 at 12:14 PM, EvilZ <[email protected]> wrote:
>> >> > Hi Dan,
>> >> >
>> >> > I placed the <auto_ignore>no<auto_ignore> in the syscheck section and
>> >> > for some reason it simply does not trigger.
>> >> >
>> >> > Is it possible that once it was triggered three times it goes in a do
>> >> > not check list that i have to reset ?
>> >> >
>> >>
>> >> I don't think so, but I'm not positive. You set this on the server (if
>> >> this is an agent<>server setup), correct?
>> >> I'll try it out to see what happens. If it is an issue, you may have
>> >> to reset the syscheck db for that agent and take a new baseline.
>> >>
>> >> > if ever i wish to perform the same locally is there a different step ?
>> >> >
>> >> > Thank you,
>> >> >
>> >> > On Friday, July 22, 2016 at 10:10:51 AM UTC-4, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Fri, Jul 22, 2016 at 9:25 AM, EvilZ <[email protected]> wrote:
>> >> >> > Hi ,
>> >> >> >
>> >> >> > I would like to set up monitoring for a txt file that is in a Linux
>> >> >> > server. I have configured the syscheck and selected Report_Change
>> >> >> > to yes however after 3 changes it has stopped reporting any change i
>> >> >> > do to the file. I would like the monitoring to act like an agentless
>> >> >> > and alert whenever a change has been detected and also what exact
>> >> >> > text has been changed with the information such as the owner and
>> >> >> > group of the individual that has performed the modification . Is
>> >> >> > this the correct setting i should set up for the directory ?
>> >> >> >
>> >> >> > <directories report_change="yes" check_all="yes">/input/ossec/</directories>
>> >> >> >
>> >> >> > Thank you,
>> >> >> >
>> >> >>
>> >> >> OSSEC stops reporting on files after they have changed 3 times by
>> >> >> default. Turn off the auto ignore feature if you don't want this.
>> >> >>
>> >> >> Reporting the user that has modified a file is trickier. You need to
>> >> >> monitor the file with some system process, and then ingest those logs
>> >> >> to find the change. Maybe auditd on Linux?
>> >> >>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
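As an added example (not code from the thread or from the OSSEC project), a small Python checker for the syscheck points discussed above: it parses an ossec.conf that may contain several <ossec_config> blocks, reports whether auto_ignore is set to no, lists the monitored directories with their report_changes setting, and refuses to parse a config whose comment above the <directories> lines is never closed, as in the quoted one, since that comment hides every directories entry after it. The sample configs are constructed for the example.

```python
import xml.etree.ElementTree as ET


def parse_ossec_conf(text):
    """ossec.conf may hold several top-level <ossec_config> blocks, which is
    not well-formed XML, so wrap the whole file in a synthetic root first."""
    return ET.fromstring("<root>" + text + "</root>")


def check_syscheck(text):
    """Summarise the <syscheck> settings, or explain why the file does not parse."""
    try:
        root = parse_ossec_conf(text)
    except ET.ParseError as exc:
        # An unclosed <!-- comment swallows every <directories> line after it,
        # which leaves syscheck with nothing to monitor.
        return {"error": "config does not parse: %s" % exc}
    result = {"auto_ignore": None, "directories": [], "warnings": []}
    for sc in root.iter("syscheck"):
        ai = sc.find("auto_ignore")
        if ai is not None:
            result["auto_ignore"] = (ai.text or "").strip()
        for d in sc.findall("directories"):
            paths = [p.strip() for p in (d.text or "").split(",") if p.strip()]
            if "report_change" in d.attrib:  # the OSSEC attribute is report_changes
                result["warnings"].append("use report_changes, not report_change")
            result["directories"].append((paths, d.get("report_changes", "no")))
    if result["auto_ignore"] != "no":
        result["warnings"].append("auto_ignore is not 'no': alerts stop after 3 changes")
    if not result["directories"]:
        result["warnings"].append("no <directories> entries: syscheck would be disabled")
    return result


# Constructed sample resembling the config quoted in the thread: the comment
# above the first <directories> line is never closed.
BROKEN_CONF = """<ossec_config>
  <syscheck>
    <frequency>360</frequency>
    <auto_ignore>no</auto_ignore>
    <!-- Directories to check (perform all possible verifications)
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories report_changes="yes">/input/ossec/</directories>
  </syscheck>
</ossec_config>"""

# The same sample with the comment closed (constructed, not from the thread).
FIXED_CONF = BROKEN_CONF.replace("verifications)", "verifications) -->")
# An agent-style copy that omits auto_ignore, to show the warning it triggers.
NO_AUTO_IGNORE_CONF = FIXED_CONF.replace("<auto_ignore>no</auto_ignore>", "")
```

Run check_syscheck() over each constant to compare the broken, fixed and agent-style configs.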
