On Friday, July 22, 2016 at 9:25 AM UTC-4, EvilZ wrote:

Hi,

I would like to set up monitoring for a txt file that is on a Linux server. I have configured the syscheck and selected Report_Change to yes; however, after 3 changes it has stopped reporting any change I do to the file. I would like the monitoring to act like an agentless and alert whenever a change has been detected, and also what exact text has been changed, with information such as the owner and group of the individual that has performed the modification. Is this the correct setting I should set up for the directory?

  <directories report_change="yes" check_all="yes">/input/ossec/</directories>

Thank you,


On Friday, July 22, 2016 at 10:10:51 AM UTC-4, dan (ddpbsd) wrote:

OSSEC stops reporting on files after they have changed 3 times by default. Turn off the auto ignore feature if you don't want this.

Reporting the user that has modified a file is trickier. You need to monitor the file with some system process, and then ingest those logs to find the change. Maybe auditd on Linux?


On Friday, July 22, 2016 at 12:14 PM UTC-4, EvilZ wrote:

Hi Dan,

I placed the <auto_ignore>no</auto_ignore> in the syscheck section and for some reason it simply does not trigger.

Is it possible that once it was triggered three times it goes in a do-not-check list that I have to reset?

If ever I wish to perform the same locally, is there a different step?

Thank you,


On Friday, July 22, 2016 at 12:36:53 PM UTC-4, dan (ddpbsd) wrote:

I don't think so, but I'm not positive. You set this on the server (if this is an agent<>server setup), correct?
I'll try it out to see what happens. If it is an issue, you may have to reset the syscheck db for that agent and take a new baseline.


On Friday, July 22, 2016 at 12:44 PM UTC-4, EvilZ wrote:

Actually, I decided to try locally because I would like to see, in both cases, if a user was to modify a specific text file on the OSSEC server, an alert that would at the very least tell what was changed and what is the new text that was written, which is why I modified the option in ossec.conf:

  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>360</frequency>
    <auto_ignore>no</auto_ignore>

    <!-- Directories to check (perform all possible verifications)
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <directories report_changes="yes">/input/ossec/</directories>

However, when I launch this script:

  bin/ossec-syscheckd

I get the following error:

  2016/07/22 12:39:23 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
  2016/07/22 12:39:23 ossec-syscheckd: WARN: Syscheck disabled.

Is it to say that syscheck is disabled on agents or on the server? Any ideas?

Thank you,


On Friday, July 22, 2016 at 12:54:13 PM UTC-4, dan (ddpbsd) wrote:

The agents don't do the processing. They collect the hashes and forward them to the server for analysis and alerting.
The auto_ignore option is only valid on a server (or a local installation), not an agent.

And I just tested it. I managed to get alerts after setting the auto_ignore option, even though there were 3+ previous changes to the monitored file.


On Fri, Jul 22, 2016 at 2:19 PM, EvilZ wrote:

OK, so basically you configured the same things as I did, in the ossec.conf or in the agent.conf?

Thank you,


On Friday, July 22, 2016 at 2:41:03 PM UTC-4, dan (ddpbsd) wrote:

You mean the "<auto_ignore>no</auto_ignore>" option? It belongs in the server's ossec.conf. It does nothing good anywhere else.


On Fri, Jul 22, 2016 at 2:44 PM, EvilZ wrote:

OK, not a problem.

Just to make sure: when you launch the script ossec-syscheckd, does it inform you that it is disabled?

Thank you,


On Friday, July 22, 2016 at 2:49:29 PM UTC-4, dan (ddpbsd) wrote:

AGENT:

  root@ossec283-agent:~/ossec-hids-2.8.3/src# pkill ossec-syscheckd
  root@ossec283-agent:~/ossec-hids-2.8.3/src# ps auxww | grep ossec-syscheckd
  root     21118  0.0  0.0   8860   648 ?        S+   18:48   0:00 grep --color=auto ossec-syscheckd
  root@ossec283-agent:~/ossec-hids-2.8.3/src# /var/ossec/bin/ossec-syscheckd -df
  2016/07/22 18:48:17 ossec-syscheckd: DEBUG: Starting ...
  2016/07/22 18:48:17 ossec-rootcheck: DEBUG: Starting ...
  2016/07/22 18:48:17 ossec-rootcheck: Starting queue ...
  2016/07/22 18:48:17 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '212992'.
  2016/07/22 18:48:21 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '212992'.
  2016/07/22 18:48:21 ossec-syscheckd: INFO: Started (pid: 21119).
  2016/07/22 18:48:21 ossec-rootcheck: INFO: Started (pid: 21119).
  2016/07/22 18:48:21 ossec-syscheckd: INFO: Monitoring directory: '/var/test'.
  2016/07/22 18:48:21 ossec-syscheckd: INFO: Monitoring directory: '/var/ossec/etc'.

SERVER:

  root@ossec283-server:/var/ossec/queue/syscheck# pkill ossec-syscheckd
  root@ossec283-server:/var/ossec/queue/syscheck# ps auxww | grep syscheck
  root     25897  0.0  0.0   8860   644 ?        S+   18:48   0:00 grep --color=auto syscheck
  root@ossec283-server:/var/ossec/queue/syscheck# /var/ossec/bin/ossec-syscheckd -df
  2016/07/22 18:48:50 ossec-syscheckd: DEBUG: Starting ...
  2016/07/22 18:48:50 ossec-rootcheck: DEBUG: Starting ...
  2016/07/22 18:48:50 ossec-rootcheck: Starting queue ...
  2016/07/22 18:48:50 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '212992'.
  2016/07/22 18:48:54 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '212992'.
  2016/07/22 18:48:54 ossec-syscheckd: INFO: Started (pid: 25898).
  2016/07/22 18:48:54 ossec-rootcheck: INFO: Started (pid: 25898).
  2016/07/22 18:48:54 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
  2016/07/22 18:48:54 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
  2016/07/22 18:48:54 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
  2016/07/22 18:48:54 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
  2016/07/22 18:48:54 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.


On Fri, Jul 22, 2016 at 2:59 PM, EvilZ wrote:

Hi Dan,

Well, here is what I get when I launch the command ossec-syscheckd -df. It still mentions Syscheck disabled... that is so weird...

  [root@LNA-ALA-FIM ossec]# bin/ossec-syscheckd -df
  2016/07/22 14:54:13 ossec-syscheckd: DEBUG: Starting ...
  2016/07/22 14:54:13 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
  2016/07/22 14:54:13 ossec-syscheckd: WARN: Syscheck disabled.
  2016/07/22 14:54:13 ossec-rootcheck: DEBUG: Starting ...
  2016/07/22 14:54:13 ossec-rootcheck: Starting queue ...
  2016/07/22 14:54:13 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '124928'.
  2016/07/22 14:54:17 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '124928'.
  2016/07/22 14:54:17 ossec-syscheckd: INFO: Started (pid: 4502).
  2016/07/22 14:54:17 ossec-rootcheck: INFO: Started (pid: 4502).


On Monday, July 25, 2016 at 8:01:49 AM UTC-4, dan (ddpbsd) wrote:

What is your <syscheck> configuration on that system?


On Wednesday, July 27, 2016 at 11:57:57 AM UTC-7, EvilZ wrote:

Hi Dan,

Well, I solved the issue by reinstalling OSSEC (it's a test environment anyway), so the syscheck is now functional. However, I basically have one last question, and it's about the actual information that is pulled from alerts.log.
My goal is to have a text file containing a list that will be updated every now and then, and I would like the monitoring to tell me what is the new text that has been added. So far all I see is the checksum, not the text...

Any clues?


On Wednesday, July 27, 2016 at 5:14:48 PM UTC-4, Rocio Romero wrote:

Hi EvilZ,

I think this link can be useful for you :)

http://blog.wazuh.com/configure-ossec-to-report-changes-in-the-content-of-a-text-file/

Let me know if you get it!

Best,
Rocio


EvilZ wrote:

Hi Rocio, thank you for the link, I will definitely work on it and give you feedback. Thank you =)

-- 
--- 
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
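For reference, this is the shape of a <syscheck> block that matches what dan describes in the thread: auto_ignore only means something in the ossec.conf of the server or of a local installation, and report_changes goes on the <directories> element for the file you want the text of. It is an added example, not the poster's final configuration and not the stock ossec.conf; /input/ossec and the 360-second test frequency are taken from the thread, and realtime="yes" is an optional extra that assumes the syscheck build has inotify support. Two things to check against the block pasted earlier in the thread: the attribute is report_changes (plural), and in that pasted block the "Directories to check" comment is never closed with the usual --> terminator, so as pasted every <directories> element after it sits inside the comment, which is one way to arrive at "ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor".

```xml
<ossec_config>
  <syscheck>
    <!-- Full scan interval in seconds. 360 is the poster's test value; the stock default
         is 79200 (every 22 hours). -->
    <frequency>360</frequency>

    <!-- Keep alerting after the third change to the same file. Only honoured in a server
         or local installation's ossec.conf; on an agent it does nothing. -->
    <auto_ignore>no</auto_ignore>

    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- The watched list file. report_changes attaches a diff of the text to the alert
         instead of only the old/new checksums. realtime (optional, needs inotify) reports
         the change as it happens instead of waiting for the next scan. -->
    <directories check_all="yes" report_changes="yes" realtime="yes">/input/ossec</directories>
  </syscheck>
</ossec_config>
```

Caveat before enabling report_changes broadly: syscheck keeps a copy of each previous version of the watched file under /var/ossec/queue/diff/ on the host that runs syscheck, and the resulting alert carries a "What changed:" section with the diff output, so the file's content ends up duplicated there, in alerts.log and in any alert e-mail. That is exactly what the poster wants for a plain list file; it is not what you want for a file that holds credentials.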

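dan's pointer to auditd is the way to get the "who" that syscheck cannot give you: syscheck sees that a hash changed, while the audit subsystem sees the syscall and records the login uid (auid), which survives su and sudo, next to the effective uid. The block below is an added example, not from the thread and not part of OSSEC. It parses raw /var/log/audit/audit.log records of the kind produced by a watch such as `auditctl -w /input/ossec -p wa -k ossec_input` (the path is the poster's; the key name ossec_input is an assumption), groups the multi-record events by their audit(timestamp:serial) id, and reports path, auid, uid, executable and command of each successful write. The two-event log it runs on is constructed for the example, including the auid=4294967295 "unset" case that a daemon such as cron produces.

```python
import re
from datetime import datetime, timezone

# Constructed sample of raw /var/log/audit/audit.log lines (hypothetical, not captured
# from the poster's host) after:  auditctl -w /input/ossec -p wa -k ossec_input
# Event 4567: a sudo shell appends to the list file (uid=0, but auid=1000 is the human).
# Event 4600: cron (auid unset) rewrites a crontab under a different audit key.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1469203305.123:4567): arch=c000003e syscall=2 success=yes exit=3 a0=7ffdd3c4b2a0 a1=441 a2=1b6 a3=0 items=2 ppid=4100 pid=4321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/bin/bash" key="ossec_input"
type=CWD msg=audit(1469203305.123:4567):  cwd="/input/ossec"
type=PATH msg=audit(1469203305.123:4567): item=0 name="/input/ossec/" inode=131 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1469203305.123:4567): item=1 name="/input/ossec/list.txt" inode=142 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1469203400.500:4600): arch=c000003e syscall=2 success=yes exit=4 a0=55d1c2a0 a1=241 a2=180 a3=0 items=1 ppid=1 pid=999 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="unrelated"
type=PATH msg=audit(1469203400.500:4600): item=0 name="/var/spool/cron/crontabs/root" inode=9 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):")
# key=value pairs; a value is either a double-quoted string or a run of non-blanks
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUID_UNSET = 4294967295  # (unsigned)-1: no login session, e.g. daemons started at boot
CHANGE_TYPES = {"NORMAL", "CREATE", "DELETE"}  # PATH records that name the file itself


def parse_record(line):
    """Split one audit record into a dict of its fields plus event id and timestamp."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    rec = {}
    for key, value in FIELD_RE.findall(line):
        rec[key] = value[1:-1] if value.startswith('"') else value
    rec["_event"] = m.group(2)
    rec["_time"] = float(m.group(1))
    return rec


def group_events(log_text):
    """Collect the SYSCALL/CWD/PATH records of each event, in order of first appearance."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec["_event"], []).append(rec)
    return events


def file_changes(log_text, watch_key):
    """Return one entry per file touched by a successful syscall tagged with watch_key."""
    changes = []
    for recs in group_events(log_text).values():
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != watch_key or syscall.get("success") != "yes":
            continue
        auid = int(syscall.get("auid", AUID_UNSET))
        when = datetime.fromtimestamp(syscall["_time"], tz=timezone.utc).isoformat()
        for rec in recs:
            if rec.get("type") == "PATH" and rec.get("nametype") in CHANGE_TYPES:
                changes.append({
                    "time": when,
                    "path": rec["name"],
                    "auid": None if auid == AUID_UNSET else auid,  # who logged in
                    "uid": int(syscall["uid"]),                      # who the process ran as
                    "exe": syscall.get("exe"),
                    "comm": syscall.get("comm"),
                    "syscall": syscall.get("syscall"),
                })
    return changes


if __name__ == "__main__":
    for change in file_changes(SAMPLE_AUDIT_LOG, "ossec_input"):
        print(change)
```

The filter keeps CREATE and DELETE PATH records as well as NORMAL ones because editors such as vim replace a file by writing a temporary and renaming it, so the edit shows up as a rename event rather than a write to the original inode. Feeding audit.log into OSSEC through a <localfile> entry and writing a decoder for these fields is the natural next step; the point here is only the correlation of the syscheck-visible change with an auid.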