Hi Dan, well here is what I get when I launch the command ossec-syscheckd -df.
It still mentions "Syscheck disabled"... that is so weird...

[root@LNA-ALA-FIM ossec]# bin/ossec-syscheckd -df
2016/07/22 14:54:13 ossec-syscheckd: DEBUG: Starting ...
2016/07/22 14:54:13 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
2016/07/22 14:54:13 ossec-syscheckd: WARN: Syscheck disabled.
2016/07/22 14:54:13 ossec-rootcheck: DEBUG: Starting ...
2016/07/22 14:54:13 ossec-rootcheck: Starting queue ...
2016/07/22 14:54:13 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '124928'.
2016/07/22 14:54:17 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '124928'.
2016/07/22 14:54:17 ossec-syscheckd: INFO: Started (pid: 4502).
2016/07/22 14:54:17 ossec-rootcheck: INFO: Started (pid: 4502).

On Friday, July 22, 2016 at 2:49:29 PM UTC-4, dan (ddpbsd) wrote:
>
> On Fri, Jul 22, 2016 at 2:44 PM, EvilZ <[email protected]> wrote:
> > ok not a problem,
> >
> > just to make sure, when you launch the script ossec-syscheckd does it inform
> > you that it is disabled ?
> >
>
> AGENT:
> root@ossec283-agent:~/ossec-hids-2.8.3/src# pkill ossec-syscheckd
> root@ossec283-agent:~/ossec-hids-2.8.3/src# ps auxww | grep ossec-syscheckd
> root     21118  0.0  0.0   8860   648 ?        S+   18:48   0:00 grep --color=auto ossec-syscheckd
> root@ossec283-agent:~/ossec-hids-2.8.3/src# /var/ossec/bin/ossec-syscheckd -df
> 2016/07/22 18:48:17 ossec-syscheckd: DEBUG: Starting ...
> 2016/07/22 18:48:17 ossec-rootcheck: DEBUG: Starting ...
> 2016/07/22 18:48:17 ossec-rootcheck: Starting queue ...
> 2016/07/22 18:48:17 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '212992'.
> 2016/07/22 18:48:21 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '212992'.
> 2016/07/22 18:48:21 ossec-syscheckd: INFO: Started (pid: 21119).
> 2016/07/22 18:48:21 ossec-rootcheck: INFO: Started (pid: 21119).
> 2016/07/22 18:48:21 ossec-syscheckd: INFO: Monitoring directory: '/var/test'.
> 2016/07/22 18:48:21 ossec-syscheckd: INFO: Monitoring directory: '/var/ossec/etc'.
>
> SERVER:
> root@ossec283-server:/var/ossec/queue/syscheck# pkill ossec-syscheckd
> root@ossec283-server:/var/ossec/queue/syscheck# ps auxww | grep syscheck
> root     25897  0.0  0.0   8860   644 ?        S+   18:48   0:00 grep --color=auto syscheck
> root@ossec283-server:/var/ossec/queue/syscheck# /var/ossec/bin/ossec-syscheckd -df
> 2016/07/22 18:48:50 ossec-syscheckd: DEBUG: Starting ...
> 2016/07/22 18:48:50 ossec-rootcheck: DEBUG: Starting ...
> 2016/07/22 18:48:50 ossec-rootcheck: Starting queue ...
> 2016/07/22 18:48:50 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '212992'.
> 2016/07/22 18:48:54 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '212992'.
> 2016/07/22 18:48:54 ossec-syscheckd: INFO: Started (pid: 25898).
> 2016/07/22 18:48:54 ossec-rootcheck: INFO: Started (pid: 25898).
> 2016/07/22 18:48:54 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> 2016/07/22 18:48:54 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
> 2016/07/22 18:48:54 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
> 2016/07/22 18:48:54 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> 2016/07/22 18:48:54 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
>
> > thank you,
> >
> > On Friday, July 22, 2016 at 2:41:03 PM UTC-4, dan (ddpbsd) wrote:
> >>
> >> On Fri, Jul 22, 2016 at 2:19 PM, EvilZ <[email protected]> wrote:
> >> > ok
> >> >
> >> > so basically you configured the same things as I did, in the ossec.conf or in
> >> > the agent.conf ?
> >> >
> >>
> >> You mean the "<auto_ignore>no</auto_ignore>" option? It belongs in the
> >> server's ossec.conf. It does nothing good anywhere else.
> >>
> >> > Thank you,
> >> >
> >> > On Friday, July 22, 2016 at 12:54:13 PM UTC-4, dan (ddpbsd) wrote:
> >> >>
> >> >> On Fri, Jul 22, 2016 at 12:44 PM, EvilZ <[email protected]> wrote:
> >> >> > actually I decided to try locally because I would like to see, in both cases,
> >> >> > if a user was to modify a specific text file on the ossec server I would
> >> >> > like to get an alert that would at the very least tell what was changed and
> >> >> > what is the new text that was written. Which is why I modified the option in
> >> >> > ossec.conf:
> >> >> >
> >> >> > <syscheck>
> >> >> >   <!-- Frequency that syscheck is executed - default to every 22 hours -->
> >> >> >   <frequency>360</frequency>
> >> >> >   <auto_ignore>no</auto_ignore>
> >> >> >
> >> >> >   <!-- Directories to check (perform all possible verifications)
> >> >> >   <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> >> >> >   <directories check_all="yes">/bin,/sbin</directories>
> >> >> >   <directories report_changes="yes" >/input/ossec/</directories>
> >> >> >
> >> >> > however when I launch this script
> >> >> > bin/ossec-syscheckd
> >> >> >
> >> >> > I get the following error:
> >> >> >
> >> >> > 2016/07/22 12:39:23 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
> >> >> > 2016/07/22 12:39:23 ossec-syscheckd: WARN: Syscheck disabled.
> >> >> >
> >> >> > is it to say that syscheck is disabled on agents or on the server ? any
> >> >> > ideas?
> >> >> >
> >> >>
> >> >> The agents don't do the processing. They collect the hashes and
> >> >> forward them to the server for analysis and alerting.
> >> >> The auto_ignore option is only valid on a server (or a local
> >> >> installation), not an agent.
> >> >>
> >> >> And I just tested it. I managed to get alerts after setting the
> >> >> auto_ignore option, even though there were 3+ previous changes to the
> >> >> monitored file.
> >> >>
> >> >> > Thank you,
> >> >> >
> >> >> > On Friday, July 22, 2016 at 12:36:53 PM UTC-4, dan (ddpbsd) wrote:
> >> >> >>
> >> >> >> On Fri, Jul 22, 2016 at 12:14 PM, EvilZ <[email protected]> wrote:
> >> >> >> > Hi Dan,
> >> >> >> >
> >> >> >> > I placed the <auto_ignore>no</auto_ignore> in the syscheck section and for
> >> >> >> > some reason it simply does not trigger.
> >> >> >> >
> >> >> >> > Is it possible that once it was triggered three times it goes in a do not
> >> >> >> > check list that I have to reset ?
> >> >> >> >
> >> >> >>
> >> >> >> I don't think so, but I'm not positive. You set this on the server (if
> >> >> >> this is an agent<>server setup), correct?
> >> >> >> I'll try it out to see what happens. If it is an issue, you may have
> >> >> >> to reset the syscheck db for that agent and take a new baseline.
> >> >> >>
> >> >> >> > if ever I wish to perform the same locally is there a different step ?
> >> >> >> >
> >> >> >> > Thank you,
> >> >> >> >
> >> >> >> > On Friday, July 22, 2016 at 10:10:51 AM UTC-4, dan (ddpbsd) wrote:
> >> >> >> >>
> >> >> >> >> On Fri, Jul 22, 2016 at 9:25 AM, EvilZ <[email protected]> wrote:
> >> >> >> >> > Hi,
> >> >> >> >> >
> >> >> >> >> > I would like to set up monitoring for a txt file that is on a Linux
> >> >> >> >> > server.
> >> >> >> >> > I have configured the syscheck and selected Report_Change to yes, however
> >> >> >> >> > after 3 changes it has stopped reporting any change I do to the file. I
> >> >> >> >> > would like the monitoring to act like an agentless and alert whenever a
> >> >> >> >> > change has been detected and also what exact text has been changed, with
> >> >> >> >> > information such as the owner and group of the individual that has performed
> >> >> >> >> > the modification. Is this the correct setting I should set up for the
> >> >> >> >> > directory ?
> >> >> >> >> >
> >> >> >> >> > <directories report_change="yes" check_all="yes">/input/ossec/</directories>
> >> >> >> >> >
> >> >> >> >> > Thank you,
> >> >> >> >> >
> >> >> >> >>
> >> >> >> >> OSSEC stops reporting on files after they have changed 3 times by
> >> >> >> >> default. Turn off the auto ignore feature if you don't want this.
> >> >> >> >>
> >> >> >> >> Reporting the user that has modified a file is trickier. You need to
> >> >> >> >> monitor the file with some system process, and then ingest those logs
> >> >> >> >> to find the change. Maybe auditd on Linux?

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
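An added check, written for this page and not code from the thread or from the OSSEC project, that turns the two things the thread keeps going back to into something you can run: reading `ossec-syscheckd -df` output for the 1702 "No directory provided" / "Syscheck disabled" lines versus the "Monitoring directory" lines, and listing the `<directories>` entries a `<syscheck>` block actually contains once `<!-- ... -->` comments are removed, with unknown attribute names flagged and the `<auto_ignore>` value reported (the thread's point being that it is only honoured in the server's or a local install's ossec.conf). The log lines and config fragments in the block are constructed for the example, modelled on the ones quoted above; the set of known `<directories>` attributes is the one documented for OSSEC 2.x. The rule that an unclosed `<!--` hides everything after it is this checker's own reading; whether OSSEC's parser behaves the same way is not something the thread establishes, so treat that report as a prompt to look at the file, not as a diagnosis.

```python
"""Sanity checks for an OSSEC syscheck setup.

Added example; not code from the ossec-list thread or from OSSEC itself.
  syscheck_status()  - read `ossec-syscheckd -df` output: did syscheck
                       come up, and which directories does it monitor?
  syscheck_entries() - list the <directories> entries a <syscheck> block
                       really contains once <!-- ... --> comments are
                       removed, flag attributes OSSEC does not know, and
                       report the <auto_ignore> value.
The log lines and config fragments below are constructed for this example,
modelled on the ones quoted in the thread.
"""
import re

# Messages exactly as ossec-syscheckd prints them in the thread's output.
NO_DIR_MSG = "No directory provided for syscheck to monitor"
DISABLED_MSG = "Syscheck disabled"
MONITOR_RE = re.compile(r"ossec-syscheckd: INFO: Monitoring directory: '([^']+)'")


def syscheck_status(debug_output):
    """Return (enabled, monitored_dirs) for the output of `ossec-syscheckd -df`."""
    monitored = MONITOR_RE.findall(debug_output)
    disabled = NO_DIR_MSG in debug_output or DISABLED_MSG in debug_output
    return (not disabled and bool(monitored)), monitored


# <directories> attributes documented for OSSEC 2.x syscheck.
KNOWN_ATTRS = {"check_all", "check_sum", "check_size", "check_owner",
               "check_group", "check_perm", "realtime", "report_changes",
               "restrict"}
COMMENT_RE = re.compile(r"<!--.*?-->", re.S)
DIRS_RE = re.compile(r"<directories([^>]*)>([^<]*)</directories>")
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
AUTO_IGNORE_RE = re.compile(r"<auto_ignore>\s*(\w+)\s*</auto_ignore>")


def syscheck_entries(conf_text):
    """Describe what a <syscheck> block contains after comments are stripped.

    Closed comments are dropped. A `<!--` that is never closed is treated by
    this checker as hiding everything after it (reported separately). A block
    with no visible <directories> entry is what yields OSSEC's 1702 message.
    """
    stripped = COMMENT_RE.sub("", conf_text)
    unterminated = "<!--" in stripped
    if unterminated:
        stripped = stripped[: stripped.index("<!--")]
    entries = []
    for attrs, value in DIRS_RE.findall(stripped):
        attr = dict(ATTR_RE.findall(attrs))
        entries.append({
            "dirs": [d.strip() for d in value.split(",") if d.strip()],
            "attrs": attr,
            "unknown_attrs": sorted(set(attr) - KNOWN_ATTRS),
        })
    m = AUTO_IGNORE_RE.search(stripped)
    return {"entries": entries,
            "auto_ignore": m.group(1) if m else None,
            "unterminated_comment": unterminated}


# Constructed sample output: the failing server from the thread, and a
# working agent like the one dan showed.
LOG_DISABLED = """\
2016/07/22 14:54:13 ossec-syscheckd: DEBUG: Starting ...
2016/07/22 14:54:13 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
2016/07/22 14:54:13 ossec-syscheckd: WARN: Syscheck disabled.
2016/07/22 14:54:17 ossec-syscheckd: INFO: Started (pid: 4502).
"""
LOG_OK = """\
2016/07/22 18:48:17 ossec-syscheckd: DEBUG: Starting ...
2016/07/22 18:48:21 ossec-syscheckd: INFO: Started (pid: 21119).
2016/07/22 18:48:21 ossec-syscheckd: INFO: Monitoring directory: '/var/test'.
2016/07/22 18:48:21 ossec-syscheckd: INFO: Monitoring directory: '/var/ossec/etc'.
"""

# Constructed config fragments: a complete <syscheck> block, and the same
# block with the closing `-->` of the "Directories to check" comment missing.
CONF_OK = """\
<syscheck>
  <frequency>360</frequency>
  <auto_ignore>no</auto_ignore>
  <!-- Directories to check (perform all possible verifications) -->
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>
  <directories report_changes="yes">/input/ossec/</directories>
</syscheck>
"""
CONF_UNCLOSED = CONF_OK.replace("verifications) -->", "verifications)")


def report(debug_output, conf_text):
    """Print a short summary of both checks for one host."""
    enabled, dirs = syscheck_status(debug_output)
    print("syscheck running:", enabled, "monitoring:", dirs or "nothing")
    info = syscheck_entries(conf_text)
    if info["unterminated_comment"]:
        print("config: an unclosed <!-- hides everything after it")
    if not info["entries"]:
        print("config: no visible <directories> entry (expect message 1702)")
    for e in info["entries"]:
        print("config:", e["dirs"], e["attrs"],
              "UNKNOWN attrs: %s" % e["unknown_attrs"] if e["unknown_attrs"] else "")
    print("config: auto_ignore =", info["auto_ignore"],
          "(honoured only in the server's or a local install's ossec.conf)")


if __name__ == "__main__":
    report(LOG_OK, CONF_OK)
    print("---")
    report(LOG_DISABLED, CONF_UNCLOSED)
```

Point `report()` at the real `-df` output and the `<syscheck>` block of the host that prints 1702; if the checker lists no visible `<directories>` entry, the daemon is reading a block with nothing to monitor, whatever the file looks like at a glance. The unknown-attribute check is there because the thread itself shows the attribute spelled two ways; OSSEC only knows `report_changes`.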
