On Sep 7, 2016 7:33 AM, "duy cuong" <[email protected]> wrote:
>
> hi all!
>
> Issue 1.
>
> I have the same problem after following this tutorial:
> https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-ossec-security-notifications-on-ubuntu-14-04
>
> ossec.conf
>
> <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>
> <directories report_changes="yes" realtime="yes" restrict=".php|.js|.py|.sh|.html" check_all="yes">/home/freeman,/var/www</directories>
>
> Override of rule id 554 in /rules/local_rules.xml:
>
> <rule id="554" level="7" overwrite="yes">
>   <category>ossec</category>
>   <decoded_as>syscheck_new_entry</decoded_as>
>   <description>File added to the system.</description>
>   <group>syscheck,</group>
> </rule>
>

Are you not seeing new file alerts in alerts.log, or not seeing alerts for file modifications in realtime?

> ossec.log
>
> 2016/09/07 14:50:52 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> 2016/09/07 14:50:52 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
> 2016/09/07 14:50:52 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
> 2016/09/07 14:50:52 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> 2016/09/07 14:50:52 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
> 2016/09/07 14:50:52 ossec-syscheckd: INFO: Monitoring directory: '/home/freeeman'.
> 2016/09/07 14:50:52 ossec-syscheckd: INFO: Monitoring directory: '/var/www'.
> 2016/09/07 14:50:52 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc'.
> 2016/09/07 14:50:52 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/bin'.
> 2016/09/07 14:50:52 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/sbin'.
> 2016/09/07 14:50:52 ossec-syscheckd: INFO: Directory set for real time monitoring: '/bin'.
> 2016/09/07 14:50:52 ossec-syscheckd: INFO: Directory set for real time monitoring: '/sbin'.
> 2016/09/07 14:50:52 ossec-syscheckd: INFO: Directory set for real time monitoring: '/home/freeman'.
> 2016/09/07 14:50:52 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/www'.
> 2016/09/07 14:50:54 ossec-logcollector(1950): INFO: Analyzing file: '/etc/apache2/apache2.conf'.
> 2016/09/07 14:50:54 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/auth.log'.
> 2016/09/07 14:50:54 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/syslog'.
> 2016/09/07 14:50:54 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/dpkg.log'.
> 2016/09/07 14:50:54 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/apache2/error.log'.
> 2016/09/07 14:50:54 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/apache2/access.log'.
> 2016/09/07 14:50:54 ossec-logcollector: INFO: Monitoring output of command(360): df -h
> 2016/09/07 14:50:54 ossec-logcollector: INFO: Monitoring full output of command(360): netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
> 2016/09/07 14:50:54 ossec-logcollector: INFO: Monitoring full output of command(360): last -n 5
> 2016/09/07 14:50:54 ossec-logcollector: INFO: Started (pid: 29259).
> 2016/09/07 14:51:19 ossec-dbd: INFO: Started (pid: 29242).
> 2016/09/07 14:51:54 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> 2016/09/07 14:51:54 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> 2016/09/07 14:51:54 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
>
> -----
> Issue 2
>
> I did not receive an email alert when rule IDs 5501, 5502, 5503 and 31106 appeared.
> I have defined this <localfile> in ossec.conf; it shows up in the WebUI but does not send an email alert.
>
> <localfile>
>   <log_format>apache</log_format>
>   <location>/etc/apache2/apache2.conf</location>
> </localfile>

Is this really a log file? What is your alerting/email configuration? Are you receiving emails for other alerts?

> Thanks and Regards,
>
> On Friday, 29 May 2015 19:47:24 UTC+7, [email protected] wrote:
>>
>> Hi
>>
>> I installed OSSEC on an Ubuntu 14.04 box but realtime monitoring is not working for me.
>>
>> In the logs I get this: "2015/05/29 14:00:40 ossec-syscheckd: INFO: Initializing real time file monitoring (not started)." and it has been like this for the last 40 minutes.
>>
>> If I modify, add or delete a file I don't get any notification.
>>
>> I followed this tutorial https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-ossec-security-notifications-on-ubuntu-14-04 in case it helps.
>>
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
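The two questions in the reply above (are syscheck alerts reaching alerts.log at all, and is the email configuration letting them through) can both be answered from alerts.log itself. The script below is an added example written for this page; it is not code from the thread or from the OSSEC project. It assumes the alerts.log layout written by ossec-analysisd (a "** Alert <time>.<offset>: [mail] - <groups>" header followed by a "Rule: <id> (level <n>) -> '<description>'" line, where the "mail" token is present only when analysisd decided the alert qualified for email), that OSSEC's shipped <alerts><email_alert_level> is 7 and that rules listed under <email_alerts><rule_id> bypass that threshold, and it runs over a constructed alerts.log sample rather than the poster's data. Rule 554 ships at level 0, which is why the poster's overwrite to level 7 is needed before it shows up in alerts.log or mail at all.

```python
"""Triage an OSSEC alerts.log: which syscheck rules actually fired, and why a
given rule did or did not qualify for an email.  Added example for this thread,
not OSSEC project code; see the lead-in for the assumptions about the format."""
import re
from dataclasses import dataclass

# Constructed alerts.log sample (not the poster's real output).  Rule levels for
# 5501 and 31106 are the stock low levels; 554 is shown after the level-7 overwrite.
SAMPLE_ALERTS = """\
** Alert 1473234052.1001: mail - syscheck,
2016 Sep 07 14:55:52 ossec-server->syscheck
Rule: 554 (level 7) -> 'File added to the system.'
New file '/var/www/html/upload.php' added to the file system.

** Alert 1473234080.1002: - pam,syslog,authentication_success,
2016 Sep 07 14:56:20 ossec-server->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
Sep  7 14:56:20 web01 sshd[2104]: pam_unix(sshd:session): session opened for user freeman by (uid=0)

** Alert 1473234101.1003: - web,accesslog,attack,
2016 Sep 07 14:56:41 ossec-server->/var/log/apache2/access.log
Rule: 31106 (level 6) -> 'A web attack returned code 200 (success).'
203.0.113.7 - - [07/Sep/2016:14:56:41 +0700] "GET /index.php?page=../../etc/passwd HTTP/1.1" 200 512

** Alert 1473234130.1004: mail - syscheck,
2016 Sep 07 14:57:10 ossec-server->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts'
"""

# Assumed analysisd layout: "** Alert <time>.<offset>:[ mail] - <groups>" then "Rule: ...".
HEADER_RE = re.compile(r"^\*\* Alert (\d+\.\d+):\s*(mail)?\s*-\s*(.*)$")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")


@dataclass(frozen=True)
class Alert:
    timestamp: str
    rule_id: int
    level: int
    description: str
    groups: tuple
    mail_flagged: bool  # analysisd marked this alert as qualifying for email


def parse_alerts(text):
    """Pair each alert header with the Rule line that follows it."""
    alerts, header = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = m
            continue
        m = RULE_RE.match(line)
        if m and header is not None:
            groups = tuple(g for g in header.group(3).split(",") if g)
            alerts.append(Alert(header.group(1), int(m.group(1)), int(m.group(2)),
                                m.group(3), groups, header.group(2) is not None))
            header = None
    return alerts


def syscheck_rule_ids(alerts):
    """Rule ids of syscheck alerts that reached alerts.log.  An empty set means
    realtime/syscheck never produced a loggable alert, so mail is not the problem."""
    return {a.rule_id for a in alerts if "syscheck" in a.groups}


def email_gap_report(alerts, email_alert_level=7, per_rule_email=frozenset()):
    """Map rule_id -> diagnosis of why the alert did or did not qualify for email.
    email_alert_level is <alerts><email_alert_level> (assumed default 7);
    per_rule_email is the set of ids from <email_alerts><rule_id> entries."""
    report = {}
    for a in alerts:
        qualifies = a.level >= email_alert_level or a.rule_id in per_rule_email
        if qualifies and a.mail_flagged:
            report[a.rule_id] = "qualifies and was flagged for mail; check the MTA/smtp_server path"
        elif qualifies:
            report[a.rule_id] = "qualifies but was not flagged; check <global><email_notification>"
        else:
            report[a.rule_id] = (f"level {a.level} is below email_alert_level {email_alert_level}; "
                                 f"add <email_alerts> with <rule_id>{a.rule_id}</rule_id> or lower the threshold")
    return report


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print("syscheck rules seen:", sorted(syscheck_rule_ids(alerts)))
    for rule_id, why in email_gap_report(alerts).items():
        print(f"rule {rule_id}: {why}")
```

Run it against a real /var/ossec/logs/alerts/alerts.log by replacing SAMPLE_ALERTS with the file contents: if syscheck_rule_ids() is empty, the realtime/syscheck side is the thing to debug; if the rules in question appear but sit below the threshold, the fix is in the <alerts> or <email_alerts> configuration rather than in the rules; and if they are flagged "mail" but no message arrives, the mail transport is the next place to look.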
