Hi Dan, well I solved the issue by reinstalling OSSEC (it's a test environment) anyway, so syscheck is now functional. However, I basically have one last question, and it's about the actual information that is pulled from alerts.log. My goal is to have a text file that will have a list which will be updated every now and then, and I would like the monitoring to tell me what the next text that has been added is. So far all I see is the checksum, however not the text....
any clues?

On Monday, July 25, 2016 at 8:01:49 AM UTC-4, dan (ddpbsd) wrote:
>
> On Fri, Jul 22, 2016 at 2:59 PM, EvilZ <[email protected]> wrote:
> > Hi Dan,
> >
> > well here is what I get when I launch the command ossec-syscheckd -df
> >
> > it still mentions Syscheck disabled.....
> > that is so weird......
> >
>
> What is your <syscheck> configuration on that system?
>
> > [root@LNA-ALA-FIM ossec]# bin/ossec-syscheckd -df
> > 2016/07/22 14:54:13 ossec-syscheckd: DEBUG: Starting ...
> > 2016/07/22 14:54:13 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
> > 2016/07/22 14:54:13 ossec-syscheckd: WARN: Syscheck disabled.
> > 2016/07/22 14:54:13 ossec-rootcheck: DEBUG: Starting ...
> > 2016/07/22 14:54:13 ossec-rootcheck: Starting queue ...
> > 2016/07/22 14:54:13 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '124928'.
> > 2016/07/22 14:54:17 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '124928'.
> > 2016/07/22 14:54:17 ossec-syscheckd: INFO: Started (pid: 4502).
> > 2016/07/22 14:54:17 ossec-rootcheck: INFO: Started (pid: 4502).
> >
> >
> > On Friday, July 22, 2016 at 2:49:29 PM UTC-4, dan (ddpbsd) wrote:
> >>
> >> On Fri, Jul 22, 2016 at 2:44 PM, EvilZ <[email protected]> wrote:
> >> > ok not a problem,
> >> >
> >> > just to make sure, when you launch the script ossec-syscheckd does it inform you that it is disabled ?
> >> >
> >>
> >> AGENT:
> >> root@ossec283-agent:~/ossec-hids-2.8.3/src# pkill ossec-syscheckd
> >> root@ossec283-agent:~/ossec-hids-2.8.3/src# ps auxww | grep ossec-syscheckd
> >> root     21118  0.0  0.0   8860   648 ?        S+   18:48   0:00 grep --color=auto ossec-syscheckd
> >> root@ossec283-agent:~/ossec-hids-2.8.3/src# /var/ossec/bin/ossec-syscheckd -df
> >> 2016/07/22 18:48:17 ossec-syscheckd: DEBUG: Starting ...
> >> 2016/07/22 18:48:17 ossec-rootcheck: DEBUG: Starting ...
> >> 2016/07/22 18:48:17 ossec-rootcheck: Starting queue ...
> >> 2016/07/22 18:48:17 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '212992'.
> >> 2016/07/22 18:48:21 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '212992'.
> >> 2016/07/22 18:48:21 ossec-syscheckd: INFO: Started (pid: 21119).
> >> 2016/07/22 18:48:21 ossec-rootcheck: INFO: Started (pid: 21119).
> >> 2016/07/22 18:48:21 ossec-syscheckd: INFO: Monitoring directory: '/var/test'.
> >> 2016/07/22 18:48:21 ossec-syscheckd: INFO: Monitoring directory: '/var/ossec/etc'.
> >>
> >> SERVER:
> >> root@ossec283-server:/var/ossec/queue/syscheck# pkill ossec-syscheckd
> >> root@ossec283-server:/var/ossec/queue/syscheck# ps auxww | grep syscheck
> >> root     25897  0.0  0.0   8860   644 ?        S+   18:48   0:00 grep --color=auto syscheck
> >> root@ossec283-server:/var/ossec/queue/syscheck# /var/ossec/bin/ossec-syscheckd -df
> >> 2016/07/22 18:48:50 ossec-syscheckd: DEBUG: Starting ...
> >> 2016/07/22 18:48:50 ossec-rootcheck: DEBUG: Starting ...
> >> 2016/07/22 18:48:50 ossec-rootcheck: Starting queue ...
> >> 2016/07/22 18:48:50 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '212992'.
> >> 2016/07/22 18:48:54 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '212992'.
> >> 2016/07/22 18:48:54 ossec-syscheckd: INFO: Started (pid: 25898).
> >> 2016/07/22 18:48:54 ossec-rootcheck: INFO: Started (pid: 25898).
> >> 2016/07/22 18:48:54 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> >> 2016/07/22 18:48:54 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
> >> 2016/07/22 18:48:54 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
> >> 2016/07/22 18:48:54 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> >> 2016/07/22 18:48:54 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
> >>
> >>
> >> > thank you,
> >> >
> >> > On Friday, July 22, 2016 at 2:41:03 PM UTC-4, dan (ddpbsd) wrote:
> >> >>
> >> >> On Fri, Jul 22, 2016 at 2:19 PM, EvilZ <[email protected]> wrote:
> >> >> > ok
> >> >> >
> >> >> > so basically you configured the same things as I did in the ossec.conf or in the agent.conf ?
> >> >> >
> >> >>
> >> >> You mean the "<auto_ignore>no</auto_ignore>" option? It belongs in the server's ossec.conf. It does nothing good anywhere else.
> >> >>
> >> >> > Thank you,
> >> >> >
> >> >> > On Friday, July 22, 2016 at 12:54:13 PM UTC-4, dan (ddpbsd) wrote:
> >> >> >>
> >> >> >> On Fri, Jul 22, 2016 at 12:44 PM, EvilZ <[email protected]> wrote:
> >> >> >> > actually I decided to try locally because I would like to see in both cases if a user was to modify a specific text file in the ossec server I would like to get an alert that would at the very least tell what was changed and what is the new text that was written, which is why I modified the option in ossec.conf
> >> >> >> >
> >> >> >> > <syscheck>
> >> >> >> >   <!-- Frequency that syscheck is executed - default to every 22 hours -->
> >> >> >> >   <frequency>360</frequency>
> >> >> >> >   <auto_ignore>no</auto_ignore>
> >> >> >> >
> >> >> >> >   <!-- Directories to check (perform all possible verifications)
> >> >> >> >   <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> >> >> >> >   <directories check_all="yes">/bin,/sbin</directories>
> >> >> >> >   <directories report_changes="yes">/input/ossec/</directories>
> >> >> >> >
> >> >> >> > however when I launch this script
> >> >> >> > bin/ossec-syscheckd
> >> >> >> >
> >> >> >> > I get the following error:
> >> >> >> >
> >> >> >> > 2016/07/22 12:39:23 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
> >> >> >> > 2016/07/22 12:39:23 ossec-syscheckd: WARN: Syscheck disabled.
> >> >> >> >
> >> >> >> > is it to say that syscheck is disabled on agents or on the server ? any ideas?
> >> >> >> >
> >> >> >>
> >> >> >> The agents don't do the processing. They collect the hashes and forward them to the server for analysis and alerting.
> >> >> >> The auto_ignore option is only valid on a server (or a local installation), not an agent.
> >> >> >>
> >> >> >> And I just tested it. I managed to get alerts after setting the auto_ignore option, even though there were 3+ previous changes to the monitored file.
> >> >> >>
> >> >> >> > Thank you,
> >> >> >> >
> >> >> >> >
> >> >> >> >
> >> >> >> > On Friday, July 22, 2016 at 12:36:53 PM UTC-4, dan (ddpbsd) wrote:
> >> >> >> >>
> >> >> >> >> On Fri, Jul 22, 2016 at 12:14 PM, EvilZ <[email protected]> wrote:
> >> >> >> >> > Hi Dan,
> >> >> >> >> >
> >> >> >> >> > I placed the <auto_ignore>no<auto_ignore> in the syscheck section and for some reason it simply does not trigger.
> >> >> >> >> >
> >> >> >> >> > Is it possible that once it was triggered three times it goes in a do not check list that I have to reset ?
> >> >> >> >> >
> >> >> >> >>
> >> >> >> >> I don't think so, but I'm not positive. You set this on the server (if this is an agent<>server setup), correct?
> >> >> >> >> I'll try it out to see what happens. If it is an issue, you may have to reset the syscheck db for that agent and take a new baseline.
> >> >> >> >>
> >> >> >> >> > if ever I wish to perform the same locally is there a different step ?
> >> >> >> >> >
> >> >> >> >> > Thank you,
> >> >> >> >> >
> >> >> >> >> >
> >> >> >> >> >
> >> >> >> >> > On Friday, July 22, 2016 at 10:10:51 AM UTC-4, dan (ddpbsd) wrote:
> >> >> >> >> >>
> >> >> >> >> >> On Fri, Jul 22, 2016 at 9:25 AM, EvilZ <[email protected]> wrote:
> >> >> >> >> >> > Hi,
> >> >> >> >> >> >
> >> >> >> >> >> >
> >> >> >> >> >> > I would like to set up monitoring for a txt file that is on a Linux server.
> >> >> >> >> >> > I have configured the syscheck and selected Report_Change to yes, however after 3 changes it has stopped reporting any change I do to the file. I would like the monitoring to act like an agentless one and alert whenever a change has been detected, and also what exact text has been changed, with information such as the owner and group of the individual that has performed the modification. Is this the correct setting I should set up for the directory ?
> >> >> >> >> >> >
> >> >> >> >> >> > <directories report_change="yes" check_all="yes">/input/ossec/</directories>
> >> >> >> >> >> >
> >> >> >> >> >> > Thank you,
> >> >> >> >> >> >
> >> >> >> >> >>
> >> >> >> >> >> OSSEC stops reporting on files after they have changed 3 times by default. Turn off the auto ignore feature if you don't want this.
> >> >> >> >> >>
> >> >> >> >> >> Reporting the user that has modified a file is trickier. You need to monitor the file with some system process, and then ingest those logs to find the change. Maybe auditd on Linux?
> >> >> >> >> >>
> >> >> >> >> >> > --
> >> >> >> >> >> >
> >> >> >> >> >> > ---
> >> >> >> >> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> >> >> >> >> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> >> >> >> >> >> > For more options, visit https://groups.google.com/d/optout.
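Added example (not configuration posted by anyone in the thread): a `<syscheck>` fragment for the server's ossec.conf, or a local install's, that monitors the text file the thread is about and asks OSSEC for the changed text rather than only the checksum. Two details of the quoted configuration are worth checking against it. First, as quoted, the comment `<!-- Directories to check (perform all possible verifications)` is never closed, so every `<directories>` element after it is comment text; a syscheck section with no visible `<directories>` is exactly what produces "No directory provided for syscheck to monitor" followed by "Syscheck disabled". Second, the option that makes the alert carry a diff of the file content is `report_changes` (the first post's `report_change` is not an option name). The path `/input/ossec/` and the 360-second frequency are taken from the thread; `<auto_ignore>no</auto_ignore>` sits here because, as dan says, it only has effect on the server or a local installation.

```xml
<!-- ossec.conf on the OSSEC server (or local install). Added example, not
     the configuration from the thread. Paths and frequency follow the thread;
     the rest is standard syscheck syntax. -->
<ossec_config>
  <syscheck>
    <!-- Scan interval in seconds. 360 as in the thread; OSSEC's default is
         79200 (22 hours). -->
    <frequency>360</frequency>

    <!-- Keep alerting after the third change to the same file. Only read on
         the server/local side; an agent ignores it. -->
    <auto_ignore>no</auto_ignore>

    <!-- Directories to check (perform all possible verifications).
         This comment is closed; in the quoted config the closing marker
         is missing, which would turn every directories line below into
         comment text and leave syscheck with nothing to monitor. -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- The file the thread wants to watch. check_all gives checksum, size,
         owner and group; report_changes makes syscheck keep a copy of the
         file and add a diff of old versus new content to the alert under a
         "What changed:" heading. Without it the alert carries only the
         checksum and attribute changes, which is what the last post sees. -->
    <directories check_all="yes" report_changes="yes">/input/ossec/</directories>
  </syscheck>
</ossec_config>
```

After changing the file, restart with `/var/ossec/bin/ossec-control restart`; running `/var/ossec/bin/ossec-syscheckd -df` as done in the thread should then print `Monitoring directory: '/input/ossec/'` instead of `Syscheck disabled`. The stored copy that the diff is computed against is taken the first time syscheck scans the file with `report_changes` on, so a modification made before that scan has nothing to be compared with; later modifications produce the "What changed:" section. Which user made the change is still not in the alert; as dan notes, that needs a separate source such as auditd logs ingested alongside the syscheck alert.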
