Hi EvilZ,

I think this link can be useful for you :)

http://blog.wazuh.com/configure-ossec-to-report-changes-in-the-content-of-a-text-file/

Let me know if you get it!

Best,
Rocio

On Wednesday, July 27, 2016 at 11:57:57 AM UTC-7, EvilZ wrote:
> Hi Dan,
>
> Well, I solved the issue by reinstalling OSSEC (it's a test environment) anyway, so the syscheck is now functional. However, I basically have one last question and it's about the actual information that is pulled from alerts.log.
> My goal is to have a text file that will have a list which will be updated every now and then, and I would like for the monitoring to tell me what is the next text that has been added. So far all I see is the checksum, however not the text....
>
> Any clues?
>
> On Monday, July 25, 2016 at 8:01:49 AM UTC-4, dan (ddpbsd) wrote:
>> On Fri, Jul 22, 2016 at 2:59 PM, EvilZ <[email protected]> wrote:
>>> Hi Dan,
>>>
>>> Well, here is what I get when I launch the command ossec-syscheckd -df
>>>
>>> It still mentions Syscheck disabled.....
>>> That is so weird......
>>>
>> What is your <syscheck> configuration on that system?
>>
>>> [root@LNA-ALA-FIM ossec]# bin/ossec-syscheckd -df
>>> 2016/07/22 14:54:13 ossec-syscheckd: DEBUG: Starting ...
>>> 2016/07/22 14:54:13 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
>>> 2016/07/22 14:54:13 ossec-syscheckd: WARN: Syscheck disabled.
>>> 2016/07/22 14:54:13 ossec-rootcheck: DEBUG: Starting ...
>>> 2016/07/22 14:54:13 ossec-rootcheck: Starting queue ...
>>> 2016/07/22 14:54:13 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '124928'.
>>> 2016/07/22 14:54:17 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '124928'.
>>> 2016/07/22 14:54:17 ossec-syscheckd: INFO: Started (pid: 4502).
>>> 2016/07/22 14:54:17 ossec-rootcheck: INFO: Started (pid: 4502).
>>>
>>>
>>> On Friday, July 22, 2016 at 2:49:29 PM UTC-4, dan (ddpbsd) wrote:
>>>> On Fri, Jul 22, 2016 at 2:44 PM, EvilZ <[email protected]> wrote:
>>>>> OK, not a problem.
>>>>>
>>>>> Just to make sure, when you launch the script ossec-syscheckd, does it inform you that it is disabled?
>>>>>
>>>> AGENT:
>>>> root@ossec283-agent:~/ossec-hids-2.8.3/src# pkill ossec-syscheckd
>>>> root@ossec283-agent:~/ossec-hids-2.8.3/src# ps auxww | grep ossec-syscheckd
>>>> root 21118 0.0 0.0 8860 648 ? S+ 18:48 0:00 grep --color=auto ossec-syscheckd
>>>> root@ossec283-agent:~/ossec-hids-2.8.3/src# /var/ossec/bin/ossec-syscheckd -df
>>>> 2016/07/22 18:48:17 ossec-syscheckd: DEBUG: Starting ...
>>>> 2016/07/22 18:48:17 ossec-rootcheck: DEBUG: Starting ...
>>>> 2016/07/22 18:48:17 ossec-rootcheck: Starting queue ...
>>>> 2016/07/22 18:48:17 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '212992'.
>>>> 2016/07/22 18:48:21 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '212992'.
>>>> 2016/07/22 18:48:21 ossec-syscheckd: INFO: Started (pid: 21119).
>>>> 2016/07/22 18:48:21 ossec-rootcheck: INFO: Started (pid: 21119).
>>>> 2016/07/22 18:48:21 ossec-syscheckd: INFO: Monitoring directory: '/var/test'.
>>>> 2016/07/22 18:48:21 ossec-syscheckd: INFO: Monitoring directory: '/var/ossec/etc'.
>>>>
>>>> SERVER:
>>>> root@ossec283-server:/var/ossec/queue/syscheck# pkill ossec-syscheckd
>>>> root@ossec283-server:/var/ossec/queue/syscheck# ps auxww | grep syscheck
>>>> root 25897 0.0 0.0 8860 644 ? S+ 18:48 0:00 grep --color=auto syscheck
>>>> root@ossec283-server:/var/ossec/queue/syscheck# /var/ossec/bin/ossec-syscheckd -df
>>>> 2016/07/22 18:48:50 ossec-syscheckd: DEBUG: Starting ...
>>>> 2016/07/22 18:48:50 ossec-rootcheck: DEBUG: Starting ...
>>>> 2016/07/22 18:48:50 ossec-rootcheck: Starting queue ...
>>>> 2016/07/22 18:48:50 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '212992'.
>>>> 2016/07/22 18:48:54 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '212992'.
>>>> 2016/07/22 18:48:54 ossec-syscheckd: INFO: Started (pid: 25898).
>>>> 2016/07/22 18:48:54 ossec-rootcheck: INFO: Started (pid: 25898).
>>>> 2016/07/22 18:48:54 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
>>>> 2016/07/22 18:48:54 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
>>>> 2016/07/22 18:48:54 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
>>>> 2016/07/22 18:48:54 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
>>>> 2016/07/22 18:48:54 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
>>>>
>>>>
>>>>> Thank you,
>>>>>
>>>>> On Friday, July 22, 2016 at 2:41:03 PM UTC-4, dan (ddpbsd) wrote:
>>>>>> On Fri, Jul 22, 2016 at 2:19 PM, EvilZ <[email protected]> wrote:
>>>>>>> OK,
>>>>>>>
>>>>>>> so basically you configured the same things as I did, in the ossec.conf or in the agent.conf?
>>>>>>>
>>>>>> You mean the "<auto_ignore>no</auto_ignore>" option? It belongs in the server's ossec.conf. It does nothing good anywhere else.
>>>>>>
>>>>>>> Thank you,
>>>>>>>
>>>>>>> On Friday, July 22, 2016 at 12:54:13 PM UTC-4, dan (ddpbsd) wrote:
>>>>>>>> On Fri, Jul 22, 2016 at 12:44 PM, EvilZ <[email protected]> wrote:
>>>>>>>>> Actually, I decided to try locally because I would like to see, in both cases, if a user was to modify a specific text file in the OSSEC server, I would like to get an alert that would at the very least tell what was changed and what is the new text that was written. Which is why I modified the option in ossec.conf:
>>>>>>>>>
>>>>>>>>> <syscheck>
>>>>>>>>> <!-- Frequency that syscheck is executed - default to every 22 hours -->
>>>>>>>>> <frequency>360</frequency>
>>>>>>>>> <auto_ignore>no</auto_ignore>
>>>>>>>>>
>>>>>>>>> <!-- Directories to check (perform all possible verifications)
>>>>>>>>> <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>>>>>>>>> <directories check_all="yes">/bin,/sbin</directories>
>>>>>>>>> <directories report_changes="yes">/input/ossec/</directories>
>>>>>>>>>
>>>>>>>>> However, when I launch this script
>>>>>>>>> bin/ossec-syscheckd
>>>>>>>>>
>>>>>>>>> I get the following error:
>>>>>>>>>
>>>>>>>>> 2016/07/22 12:39:23 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
>>>>>>>>> 2016/07/22 12:39:23 ossec-syscheckd: WARN: Syscheck disabled.
>>>>>>>>>
>>>>>>>>> Is it to say that syscheck is disabled on agents or on the server? Any ideas?
>>>>>>>>>
>>>>>>>> The agents don't do the processing. They collect the hashes and forward them to the server for analysis and alerting.
>>>>>>>> The auto_ignore option is only valid on a server (or a local installation), not an agent.
>>>>>>>>
>>>>>>>> And I just tested it. I managed to get alerts after setting the auto_ignore option, even though there were 3+ previous changes to the monitored file.
>>>>>>>>
>>>>>>>>> Thank you,
>>>>>>>>>
>>>>>>>>> On Friday, July 22, 2016 at 12:36:53 PM UTC-4, dan (ddpbsd) wrote:
>>>>>>>>>> On Fri, Jul 22, 2016 at 12:14 PM, EvilZ <[email protected]> wrote:
>>>>>>>>>>> Hi Dan,
>>>>>>>>>>>
>>>>>>>>>>> I placed the <auto_ignore>no<auto_ignore> in the syscheck section and for some reason it simply does not trigger.
>>>>>>>>>>>
>>>>>>>>>>> Is it possible that once it was triggered three times it goes in a do-not-check list that I have to reset?
>>>>>>>>>>>
>>>>>>>>>> I don't think so, but I'm not positive. You set this on the server (if this is an agent<>server setup), correct?
>>>>>>>>>> I'll try it out to see what happens. If it is an issue, you may have to reset the syscheck db for that agent and take a new baseline.
>>>>>>>>>>
>>>>>>>>>>> If ever I wish to perform the same locally, is there a different step?
>>>>>>>>>>>
>>>>>>>>>>> Thank you,
>>>>>>>>>>>
>>>>>>>>>>> On Friday, July 22, 2016 at 10:10:51 AM UTC-4, dan (ddpbsd) wrote:
>>>>>>>>>>>> On Fri, Jul 22, 2016 at 9:25 AM, EvilZ <[email protected]> wrote:
>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I would like to set up monitoring for a txt file that is in a Linux server. I have configured the syscheck and selected Report_Change to yes; however, after 3 changes it has stopped reporting any change I do to the file. I would like the monitoring to act like an agentless one and alert whenever a change has been detected, and also what exact text has been changed, with information such as the owner and group of the individual that has performed the modification. Is this the correct setting I should set up for the directory?
>>>>>>>>>>>>>
>>>>>>>>>>>>> <directories report_change="yes" check_all="yes">/input/ossec/</directories>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thank you,
>>>>>>>>>>>>>
>>>>>>>>>>>> OSSEC stops reporting on files after they have changed 3 times by default. Turn off the auto ignore feature if you don't want this.
>>>>>>>>>>>>
>>>>>>>>>>>> Reporting the user that has modified a file is trickier. You need to monitor the file with some system process, and then ingest those logs to find the change. Maybe auditd on Linux?
>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> ---
>>>>>>>>>>>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>>>>>>>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>>>>>>>>>> For more options, visit https://groups.google.com/d/optout.
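Three of the stumbling points in the thread are visible in the configuration as posted: the second `<!-- Directories to check ...` comment in the quoted ossec.conf has no closing `-->`, so an XML parser treats every `<directories>` line after it as comment text (which is exactly what produces "No directory provided for syscheck to monitor" followed by "Syscheck disabled"); the first post spells the attribute `report_change` instead of `report_changes`; and `<auto_ignore>` was tried on an agent, where, as dan says, it does nothing. The following is an added example, not code from the thread or from the OSSEC project: a small Python lint for a `<syscheck>` block that catches those three mistakes before the daemon is restarted. The list of recognised `<directories>` attributes and the `role` parameter are my assumptions, and the three sample blocks are constructed to mirror the ones posted above.

```python
"""Lint an OSSEC <syscheck> block for the mistakes seen in this thread.

Constructed example (not OSSEC project code). It checks for:
  * an XML comment that is never closed, which comments out every
    <directories> line after it (the "No directory provided" symptom);
  * a <syscheck> block with no <directories> at all;
  * the attribute typo report_change= (the option is report_changes=);
  * <auto_ignore> placed in an agent's configuration, where it is ignored.
"""
import xml.etree.ElementTree as ET

# <directories> attributes this lint recognises. Assumption: a subset of the
# OSSEC 2.8 syscheck options; extend it if your build supports more.
KNOWN_DIR_ATTRS = {
    "check_all", "check_sum", "check_sha1sum", "check_md5sum", "check_size",
    "check_owner", "check_group", "check_perm", "report_changes",
    "realtime", "restrict",
}


def find_unclosed_comment(text):
    """Return the 1-based line of the first '<!--' with no matching '-->', or None."""
    pos = 0
    while True:
        start = text.find("<!--", pos)
        if start == -1:
            return None
        end = text.find("-->", start + 4)
        nxt = text.find("<!--", start + 4)
        # Unclosed if no '-->' follows, or another '<!--' opens before it.
        if end == -1 or (nxt != -1 and nxt < end):
            return text.count("\n", 0, start) + 1
        pos = end + 3


def lint_syscheck(xml_text, role="server"):
    """Return a list of findings for one <syscheck>...</syscheck> block.

    role is "server" (also use it for a local install) or "agent"; it only
    affects the <auto_ignore> check.
    """
    findings = []
    line = find_unclosed_comment(xml_text)
    if line is not None:
        findings.append(
            f"error: XML comment opened on line {line} is never closed; every "
            "<directories> after it is commented out, so syscheck has nothing to monitor"
        )
        return findings  # nothing after an unclosed comment can be parsed meaningfully
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"error: block is not well-formed XML ({exc})"]
    if root.tag != "syscheck":
        return [f"error: expected a <syscheck> root element, found <{root.tag}>"]

    dirs = root.findall("directories")
    if not dirs:
        findings.append(
            "error: no <directories> element; ossec-syscheckd will log "
            "'No directory provided for syscheck to monitor' and disable itself"
        )
    for d in dirs:
        for attr in d.attrib:
            if attr == "report_change":
                findings.append(
                    f"error: attribute 'report_change' on <directories>{d.text}</directories> "
                    "is not a syscheck option; the content diff needs report_changes=\"yes\""
                )
            elif attr not in KNOWN_DIR_ATTRS:
                findings.append(
                    f"warning: unknown attribute '{attr}' on <directories>{d.text}</directories>"
                )

    if root.find("auto_ignore") is not None and role == "agent":
        findings.append(
            "warning: <auto_ignore> only takes effect in the server's (or a local "
            "install's) ossec.conf; on an agent it does nothing"
        )
    return findings


# Constructed sample blocks modelled on the ones posted in the thread.
BROKEN_COMMENT = """<syscheck>
  <!-- Frequency that syscheck is executed - default to every 22 hours -->
  <frequency>360</frequency>
  <auto_ignore>no</auto_ignore>

  <!-- Directories to check (perform all possible verifications)
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>
  <directories report_changes="yes">/input/ossec/</directories>
</syscheck>
"""

TYPO_ON_AGENT = """<syscheck>
  <frequency>360</frequency>
  <auto_ignore>no</auto_ignore>
  <directories report_change="yes" check_all="yes">/input/ossec/</directories>
</syscheck>
"""

FIXED_SERVER = """<syscheck>
  <frequency>360</frequency>
  <auto_ignore>no</auto_ignore>
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>
  <directories check_all="yes" report_changes="yes">/input/ossec/</directories>
</syscheck>
"""

if __name__ == "__main__":
    for name, cfg, role in (("broken comment", BROKEN_COMMENT, "server"),
                            ("typo on agent", TYPO_ON_AGENT, "agent"),
                            ("fixed server", FIXED_SERVER, "server")):
        print(f"== {name} ({role}) ==")
        for finding in lint_syscheck(cfg, role) or ["ok"]:
            print("  " + finding)
```

Run it against the `<syscheck>` section cut out of a real ossec.conf (the whole file is not a single XML document, so pass only that block) before restarting ossec-syscheckd; the unclosed-comment check is done with plain string scanning because an XML parser would either reject the block outright or silently swallow the commented-out directories, which is the failure the thread spent a day chasing.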
