On Thu, Oct 13, 2016 at 1:09 PM, Kernel Panic <netwarrior...@gmail.com> wrote: > Hi > Does this still apply? > I have this option enabled: <alert_new_files>yes</alert_new_files> along > with the realtime=yes. > > From another post on the list: >>In the past new files were not alerted in real time. I'm not sure if >>this has changed. Any of the developers know? >
Was there a response to this post? I don't think it's changed, but I'm sure I miss commits here and there. > > Another question , by reading this > http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.global.html > I can see that there are values that can be adjusted, for example host > information, by default 8, how do I interpret that, there greater the number > more verbose? I just made some modification under /etc, created some file That would be the alert level. It does not change verbosity, just the level of the alert. > modified other just to test, but still have no e-mail, I'm only getting an > e-mail regarding a service log and nothing else, which is the parameter to > tell ossec to send all the issues? > For the new file, you probably need a full syscheck scan for it to be picked up. For the modified file, if it's already in the syscheck db, you should be alerted relatively quickly (if realtime is enabled and currently running). Other than that, OSSEC should send all alerts. > Last question: > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck scan > (forwarding database). > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck database > (pre-scan). > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Initializing real time file > monitoring (not started). > > Which service is not started? the doc says the package inotify should be > installed and I have it inotify-tools-3.13-2.el6.art.x86_64 > That doesn't indicate that a service hasn't started, just that the realtime feature hasn't started working yet. There's a delay for realtime to start. > Thank you very much!! > Regards > > > > > El jueves, 13 de octubre de 2016, 10:32:16 (UTC-3), dan (ddpbsd) escribió: >> >> On Thu, Oct 13, 2016 at 9:21 AM, Kernel Panic <netwar...@gmail.com> wrote: >> > >> > Hi >> > Let's see, shouldn't I have to configure on each tag to which directory >> > I >> > want to apply it? as in check_all , directories, realtime and which >> > directories, or are they global parameters? that's why I included home >> > and >> > root on both of them. >> > >> >> >> Each option applies to the directories configured in it. >> >> > <directories >> > >> > check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin</directories> >> > >> >> This checks all of the hashes, owner, and permissions. >> >> > <directories realtime="yes" >> > check_all="yes">/root,/home,/etc</directories> >> > >> >> This does realtime checks of all of the above, and should produce an >> error because the "/root," "/home," and "/etc" directories are >> duplicated. >> Duplication of directories can cause issues, so it's best not to do >> it. The way to solve this is not to duplicate these directories in the >> second configuration by not including them in the first. >> For example: >> >> <directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories> >> <directories check_all="yes" realtime="yes">/root,/home,/etc</directories> >> >> Now, if you want to add "report_changes" to /etc, you'll have to >> remove it from the above configuration. You'll end up with: >> >> <directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories> >> <directories check_all="yes" realtime="yes">/root,/home</directories> >> <directories check_all="yes" realtime="yes" >> report_changes="yes">/etc</directories> >> >> > >> > Thank you very much >> > Best Regerds >> > > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
