OK, not a problem. Just to make sure: when you launch the script ossec-syscheckd, does it inform you that it is disabled?
Thank you,

On Friday, July 22, 2016 at 2:41:03 PM UTC-4, dan (ddpbsd) wrote:
> On Fri, Jul 22, 2016 at 2:19 PM, EvilZ <[email protected]> wrote:
> > OK
> >
> > So basically you configured the same things as I did in the ossec.conf or in
> > the agent.conf?
> >
>
> You mean the "<auto_ignore>no</auto_ignore>" option? It belongs in the
> server's ossec.conf. It does nothing good anywhere else.
>
> > Thank you,
> >
> > On Friday, July 22, 2016 at 12:54:13 PM UTC-4, dan (ddpbsd) wrote:
> >>
> >> On Fri, Jul 22, 2016 at 12:44 PM, EvilZ <[email protected]> wrote:
> >> > Actually I decided to try locally because I would like to see in both cases:
> >> > if a user was to modify a specific text file in the OSSEC server I would
> >> > like to get an alert that would, at the very least, tell what was changed and
> >> > what the new text is that was written, which is why I modified the option in
> >> > ossec.conf:
> >> >
> >> > <syscheck>
> >> >   <!-- Frequency that syscheck is executed - default to every 22 hours -->
> >> >   <frequency>360</frequency>
> >> >   <auto_ignore>no</auto_ignore>
> >> >
> >> >   <!-- Directories to check (perform all possible verifications) -->
> >> >   <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> >> >   <directories check_all="yes">/bin,/sbin</directories>
> >> >   <directories report_changes="yes">/input/ossec/</directories>
> >> > </syscheck>
> >> >
> >> > However, when I launch this script:
> >> >
> >> > bin/ossec-syscheckd
> >> >
> >> > I get the following error:
> >> >
> >> > 2016/07/22 12:39:23 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
> >> > 2016/07/22 12:39:23 ossec-syscheckd: WARN: Syscheck disabled.
> >> >
> >> > Is that to say that syscheck is disabled on agents or on the server? Any
> >> > ideas?
> >> >
> >>
> >> The agents don't do the processing. They collect the hashes and
> >> forward them to the server for analysis and alerting.
> >> The auto_ignore option is only valid on a server (or a local
> >> installation), not an agent.
> >>
> >> And I just tested it. I managed to get alerts after setting the
> >> auto_ignore option, even though there were 3+ previous changes to the
> >> monitored file.
> >>
> >> > Thank you,
> >> >
> >> > On Friday, July 22, 2016 at 12:36:53 PM UTC-4, dan (ddpbsd) wrote:
> >> >>
> >> >> On Fri, Jul 22, 2016 at 12:14 PM, EvilZ <[email protected]> wrote:
> >> >> > Hi Dan,
> >> >> >
> >> >> > I placed the <auto_ignore>no<auto_ignore> in the syscheck section and for
> >> >> > some reason it simply does not trigger.
> >> >> >
> >> >> > Is it possible that once it was triggered three times it goes in a do-not-
> >> >> > check list that I have to reset?
> >> >> >
> >> >>
> >> >> I don't think so, but I'm not positive. You set this on the server (if
> >> >> this is an agent<>server setup), correct?
> >> >> I'll try it out to see what happens. If it is an issue, you may have
> >> >> to reset the syscheck db for that agent and take a new baseline.
> >> >>
> >> >> > If ever I wish to perform the same locally, is there a different step?
> >> >> >
> >> >> > Thank you,
> >> >> >
> >> >> > On Friday, July 22, 2016 at 10:10:51 AM UTC-4, dan (ddpbsd) wrote:
> >> >> >>
> >> >> >> On Fri, Jul 22, 2016 at 9:25 AM, EvilZ <[email protected]> wrote:
> >> >> >> > Hi,
> >> >> >> >
> >> >> >> > I would like to set up monitoring for a txt file that is on a Linux
> >> >> >> > server.
> >> >> >> > I have configured the syscheck and selected Report_Change to yes; however,
> >> >> >> > after 3 changes it has stopped reporting any change I do to the file.
> >> >> >> > I would like the monitoring to act like an agentless one and alert whenever a
> >> >> >> > change has been detected, and also what exact text has been changed, with
> >> >> >> > information such as the owner and group of the individual that has performed
> >> >> >> > the modification. Is this the correct setting I should set up for the
> >> >> >> > directory?
> >> >> >> >
> >> >> >> > <directories report_changes="yes" check_all="yes">/input/ossec/</directories>
> >> >> >> >
> >> >> >> > Thank you,
> >> >> >> >
> >> >> >>
> >> >> >> OSSEC stops reporting on files after they have changed 3 times by
> >> >> >> default. Turn off the auto ignore feature if you don't want this.
> >> >> >>
> >> >> >> Reporting the user that has modified a file is trickier. You need to
> >> >> >> monitor the file with some system process, and then ingest those logs
> >> >> >> to find the change. Maybe auditd on Linux?
> >> >> >>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
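An added config check for the pitfalls raised in this thread (example code, not OSSEC's own): it inspects a <syscheck> fragment for a missing <directories> entry (the state behind the "No directory provided" / "Syscheck disabled" messages), an unclosed XML comment that hides the directory lines, the misspelled report_change attribute, and auto_ignore placed in an agent-side file where it is not honored. The lint_syscheck function, its role argument and the finding texts are this example's own; the sample fragments are constructed from the configs quoted above.

```python
# Added example (not OSSEC project code): lint the <syscheck> block of an
# ossec.conf / agent.conf fragment for the pitfalls discussed in this thread.
import xml.etree.ElementTree as ET

def lint_syscheck(xml_text, role="server"):
    """Return findings for a syscheck fragment; role is where the file lives:
    "server", "local" or "agent" (a hypothetical argument for this example)."""
    findings = []
    # An unclosed <!-- swallows every line after it, <directories> included.
    if xml_text.count("<!--") != xml_text.count("-->"):
        return ["error: unclosed XML comment hides the lines after it"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"error: XML does not parse: {exc}"]
    syscheck = root if root.tag == "syscheck" else root.find(".//syscheck")
    if syscheck is None:
        return ["error: no <syscheck> section found"]
    dirs = syscheck.findall("directories")
    if not dirs:
        # This is the state behind "No directory provided for syscheck to
        # monitor" followed by "Syscheck disabled" in the thread.
        findings.append("error: no <directories>; ossec-syscheckd will log 'Syscheck disabled'")
    for d in dirs:
        if "report_change" in d.attrib:  # the real option is report_changes (plural)
            findings.append(f"error: report_change on {d.text} should be report_changes")
        if d.get("report_changes") == "yes":
            findings.append(f"info: content diffs will be reported for {d.text}")
    auto = syscheck.findtext("auto_ignore")
    if auto is not None and role == "agent":
        findings.append("warning: auto_ignore only takes effect in the server's or a local ossec.conf")
    if auto is None and dirs:
        findings.append("info: auto_ignore defaults to yes, so alerting stops after 3 changes to a file")
    return findings

# Constructed sample fragments modelled on the configs quoted in the thread.
GOOD_CONF = """<syscheck>
  <frequency>360</frequency>
  <auto_ignore>no</auto_ignore>
  <!-- Directories to check (perform all possible verifications) -->
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories report_changes="yes">/input/ossec/</directories>
</syscheck>"""
TYPO_CONF = '<syscheck><directories report_change="yes" check_all="yes">/input/ossec/</directories></syscheck>'
EMPTY_CONF = "<syscheck><frequency>360</frequency></syscheck>"
UNCLOSED_CONF = GOOD_CONF.replace(" -->", "")  # comment left open, as in the paste above

if __name__ == "__main__":
    for name, conf in [("good", GOOD_CONF), ("typo", TYPO_CONF), ("empty", EMPTY_CONF), ("unclosed", UNCLOSED_CONF)]:
        print(name, lint_syscheck(conf))
```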
