Victor,

The nightly scans are working just fine. That's not the problem. The problem is the real time scans are not working. Each night around 1am, I get various reports of changed or added files...all good there. However, during the day, or really any time, if I edit/add/delete files in /etc or /root, I am not instantly getting alerted. In other words, the realtime scan is not monitoring those directories, even though it states:

2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/root'.

On Mon, Aug 1, 2016 at 6:25 PM, Victor Fernandez <[email protected]> wrote:
> Hi Daniel.
>
> I had never used <scan_time> before, but I think it works for weekly
> scans since OSSEC prints this log (even when setting frequency=84800):
>
> 2016/08/01 14:27:33 ossec-syscheckd: INFO: Syscheck scan frequency: 604800 seconds
>
> This amount of time is one week, so I think that <scan_time> works only
> for weekly scans, and then you should also introduce the <scan_day>
> parameter, since it appears to have no default value. For example:
>
> <scan_time>1am</scan_time>
> <scan_day>monday</scan_day>
>
> I tested that configuration and Syscheck appears to work properly.
>
> Hope it helps.
>
> Best regards.
>
>
> On Monday, August 1, 2016 at 7:32:13 AM UTC-7, Daniel Bray wrote:
>>
>> Can someone verify that all the proper settings are in place to allow for
>> realtime scans on some directories? We are running CentOS 6 servers
>> (manager and agents/clients), and we use the Atomic install method.
>>
>> Here is the latest available Atomic version installed (also noted inotify
>> is installed):
>> $ rpm -qa | egrep "inotify|ossec"
>> ossec-hids-2.8.3-53.el6.art.x86_64
>> inotify-tools-3.14-1.el6.x86_64
>> ossec-hids-client-2.8.3-53.el6.art.x86_64
>>
>> Here is the important part of /var/ossec/etc/shared/agent.conf:
>> <agent_config os="Linux">
>>   <syscheck>
>>     <scan_time>1am</scan_time>
>>     <frequency>82800</frequency>
>>     <auto_ignore>no</auto_ignore>
>>     <alert_new_files>yes</alert_new_files>
>>     <scan_on_start>no</scan_on_start>
>>
>>     <!-- Directories to check (perform all possible verifications) -->
>>     <directories check_all="yes">/bin,/sbin,/usr,/opt</directories>
>>     <directories check_all="yes" report_changes="yes" realtime="yes">/etc,/root,/var/named,/var/www</directories>
>>     ...
>>
>> Here is the agent /var/ossec/etc/ossec.conf file:
>> <ossec_config>
>>   <client>
>>     <server-ip>10.10.10.10</server-ip>
>>   </client>
>> </ossec_config>
>>
>> The above exists on all our agents/clients.
>>
>> On the manager, it pretty much matches up exactly, with the exception
>> that the server is installed, and not the client:
>> $ rpm -qa | egrep "inotify|ossec"
>> inotify-tools-3.14-1.el6.x86_64
>> ossec-hids-server-2.8.3-53.el6.art.x86_64
>> ossec-hids-2.8.3-53.el6.art.x86_64
>>
>> I have gone in and updated all servers (yum -y update) and rebooted to the
>> latest kernel available on CentOS 6. I've waited a few days for the normal
>> scans to complete, and I am seeing alerts for nightly changed files.
>> However, when I run a test on a file that exists in /root or /etc, I never
>> get alerted. The test is simply
>> $ sudo vim /etc/hosts.allow
>> ...and I add/remove some entries, and :wq out for the update.
>>
>> After a clean update and reboot, here are the relevant log entries:
>> 2016/08/01 14:25:13 ossec-syscheckd: DEBUG: Starting ...
>> 2016/08/01 14:25:13 ossec-rootcheck: DEBUG: Starting ...
>> 2016/08/01 14:25:13 ossec-rootcheck: Starting queue ...
>> 2016/08/01 14:25:13 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '124928'.
>> 2016/08/01 10:25:14 ossec-agentd(4102): INFO: Connected to the server (10.10.10.10:1514).
>> 2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
>> 2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
>> 2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
>> 2016/08/01 14:25:19 ossec-logcollector: INFO: Started (pid: 2120).
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '124928'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Started (pid: 2124).
>> 2016/08/01 14:25:19 ossec-rootcheck: INFO: Started (pid: 2124).
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/usr'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/opt'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/root'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/var/named'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/var/www'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/root'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/named'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/www'.
>> 2016/08/01 14:25:33 ossec-syscheckd: Setting SCHED_BATCH returned: 0
>>
>> Is there anything obvious that I'm missing in the configs?
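An added diagnostic for the situation in this thread (example code, not from the thread and not OSSEC's own): it reconciles the directories configured with realtime="yes" in agent.conf against the "Directory set for real time monitoring" lines syscheckd writes to ossec.log, and reads the kernel's inotify watch limit, which realtime syscheck depends on. The config and log samples are constructed from the excerpts above; the /proc path is the standard Linux sysctl file.

```python
# Added diagnostic (not OSSEC code): reconcile agent.conf realtime dirs with ossec.log.
import re
import xml.etree.ElementTree as ET

# Constructed from the agent.conf excerpt in the thread (trailing "..." dropped).
AGENT_CONF = """<agent_config os="Linux">
  <syscheck>
    <directories check_all="yes">/bin,/sbin,/usr,/opt</directories>
    <directories check_all="yes" report_changes="yes"
                 realtime="yes">/etc,/root,/var/named,/var/www</directories>
  </syscheck>
</agent_config>"""

# Constructed from the ossec.log lines in the thread.
OSSEC_LOG = """2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/root'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/named'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/www'."""

REALTIME_RE = re.compile(r"Directory set for real time monitoring: '([^']+)'")

def realtime_dirs(agent_conf_xml):
    """Directories requested with realtime="yes" in every <syscheck> block."""
    wanted = set()
    for node in ET.fromstring(agent_conf_xml).iter("directories"):
        if node.get("realtime", "no").lower() == "yes" and node.text:
            wanted.update(d.strip() for d in node.text.split(",") if d.strip())
    return wanted

def registered_dirs(log_text):
    """Directories syscheckd actually reported as set for real time monitoring."""
    return set(REALTIME_RE.findall(log_text))

def reconcile(agent_conf_xml, log_text):
    """Configured realtime directories that never appeared in the log, sorted."""
    return sorted(realtime_dirs(agent_conf_xml) - registered_dirs(log_text))

def inotify_max_user_watches(path="/proc/sys/fs/inotify/max_user_watches"):
    """Kernel per-user inotify watch limit; None when not on Linux. Realtime
    syscheck needs one watch per directory, so a small limit starves large trees."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None

if __name__ == "__main__":
    print("realtime dirs not registered:", reconcile(AGENT_CONF, OSSEC_LOG) or "none")
    print("inotify max_user_watches:", inotify_max_user_watches())
```

For the thread's own config and log the reconcile comes back empty, which confirms the registration step succeeded and points the investigation at inotify event delivery rather than the config.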
