Thank you!

On Thursday, October 13, 2016 at 14:47:25 (UTC-3), dan (ddpbsd) wrote:
>
> On Thu, Oct 13, 2016 at 1:09 PM, Kernel Panic <netwar...@gmail.com> wrote: 
> > Hi 
> > Does this still apply? 
> > I have this option enabled: <alert_new_files>yes</alert_new_files> along 
> > with the realtime=yes. 
> > 
> > From another post on the list: 
> >>In the past new files were not alerted in real time. I'm not sure if 
> >>this has changed. Any of the developers know? 
> > 
>
> Was there a response to this post? I don't think it's changed, but I'm 
> sure I miss commits here and there. 
>
> > 
> > Another question, by reading this 
> > http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.global.html
> > I can see that there are values that can be adjusted, for example host 
> > information, by default 8. How do I interpret that, the greater the 
> > number the more verbose? I just made some modifications under /etc, created some 
> > files, 
>
> That would be the alert level. It does not change verbosity, just the 
> level of the alert. 
>
> > modified others just to test, but still have no e-mail. I'm only getting an 
> > e-mail regarding a service log and nothing else. Which is the parameter to 
> > tell ossec to send all the issues? 
> > 
>
> For the new file, you probably need a full syscheck scan for it to be 
> picked up. 
> For the modified file, if it's already in the syscheck db, you should 
> be alerted relatively quickly (if realtime is enabled and currently 
> running). 
>
> Other than that, OSSEC should send all alerts. 
>
> > Last question: 
> > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck scan 
> > (forwarding database). 
> > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck database 
> > (pre-scan). 
> > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Initializing real time file 
> > monitoring (not started). 
> > 
> > Which service is not started? The doc says the package inotify should be 
> > installed and I have it: inotify-tools-3.13-2.el6.art.x86_64 
> > 
>
> That doesn't indicate that a service hasn't started, just that the 
> realtime feature hasn't started working yet. 
> There's a delay for realtime to start. 
>
> > Thank you very much!! 
> > Regards 
> > 
> > 
> > On Thursday, October 13, 2016 at 10:32:16 (UTC-3), dan (ddpbsd) wrote: 
> >> 
> >> On Thu, Oct 13, 2016 at 9:21 AM, Kernel Panic <netwar...@gmail.com> wrote: 
> >> > 
> >> > Hi 
> >> > Let's see, shouldn't I have to configure on each tag which directory 
> >> > I want to apply it to? As in check_all, directories, realtime and which 
> >> > directories, or are they global parameters? That's why I included home 
> >> > and root on both of them. 
> >> > 
> >> 
> >> 
> >> Each option applies to the directories configured in it. 
> >> 
> >> > <directories check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin</directories> 
> >> > 
> >> 
> >> This checks all of the hashes, owner, and permissions. 
> >> 
> >> > <directories realtime="yes" check_all="yes">/root,/home,/etc</directories> 
> >> > 
> >> 
> >> This does realtime checks of all of the above, and should produce an 
> >> error because the "/root," "/home," and "/etc" directories are 
> >> duplicated. 
> >> Duplication of directories can cause issues, so it's best not to do 
> >> it. The way to solve this is not to duplicate these directories in the 
> >> second configuration by not including them in the first. 
> >> For example: 
> >> 
> >> <directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories> 
> >> <directories check_all="yes" realtime="yes">/root,/home,/etc</directories> 
> >> 
> >> Now, if you want to add "report_changes" to /etc, you'll have to 
> >> remove it from the above configuration. You'll end up with: 
> >> 
> >> <directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories> 
> >> <directories check_all="yes" realtime="yes">/root,/home</directories> 
> >> <directories check_all="yes" realtime="yes" report_changes="yes">/etc</directories> 
> >> 
> >> > 
> >> > Thank you very much 
> >> > Best Regards 
> >> > 
> > 

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
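As an added example (not code from the OSSEC project or from anyone on this thread): a small Python linter that reads the syscheck block of an ossec.conf, reports every path listed in more than one <directories> element, and prints a merged layout in which each path appears in exactly one element carrying the union of its options, which is the arrangement dan recommends above. The configuration embedded in it is a constructed copy of the one posted in the thread; the element and attribute names (syscheck, directories, check_all, realtime, report_changes, alert_new_files) are OSSEC's own, while the function names and the "union of options" merge rule are this example's assumptions.

```python
"""Lint the <syscheck> block of an OSSEC ossec.conf for duplicated directories.

Added example, not code from the OSSEC project or from the thread. It assumes
the layout shown in the thread: one or more <directories> elements under
<syscheck>, each holding a comma-separated path list plus option attributes
such as check_all="yes", realtime="yes" and report_changes="yes".
"""
import xml.etree.ElementTree as ET
from collections import OrderedDict

# Constructed sample: the configuration posted in the thread, which lists
# /root, /home and /etc in two <directories> elements.
SAMPLE_CONF = """<ossec_config>
  <syscheck>
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin</directories>
    <directories realtime="yes" check_all="yes">/root,/home,/etc</directories>
  </syscheck>
</ossec_config>
"""


def parse_directories(conf_text):
    """Return (path, {option: value}) pairs, one per path, in document order,
    taken from every <directories> element in the configuration."""
    root = ET.fromstring(conf_text)
    entries = []
    for elem in root.iter("directories"):
        opts = dict(elem.attrib)
        for path in (elem.text or "").split(","):
            path = path.strip()
            if path:
                entries.append((path, opts))
    return entries


def find_duplicates(entries):
    """Map each path that appears more than once to the list of option dicts
    it was given, so the redundant or conflicting settings are visible."""
    seen = OrderedDict()
    for path, opts in entries:
        seen.setdefault(path, []).append(opts)
    return OrderedDict((p, o) for p, o in seen.items() if len(o) > 1)


def merge_entries(entries):
    """Give each path a single option set: the union of the options from every
    element that listed it (assumption: an option is on if any element said
    yes). Returns an ordered mapping path -> merged options."""
    merged = OrderedDict()
    for path, opts in entries:
        cur = merged.setdefault(path, {})
        for key, value in opts.items():
            if value == "yes" or key not in cur:
                cur[key] = value
    return merged


def render_directories(merged):
    """Emit one <directories> line per distinct option set, so that every path
    appears exactly once, as dan suggests in the thread."""
    groups = OrderedDict()
    for path, opts in merged.items():
        groups.setdefault(tuple(sorted(opts.items())), []).append(path)
    lines = []
    for key, paths in groups.items():
        attrs = " ".join('%s="%s"' % kv for kv in key)
        lines.append("<directories %s>%s</directories>" % (attrs, ",".join(paths)))
    return lines


if __name__ == "__main__":
    entries = parse_directories(SAMPLE_CONF)
    for path, option_sets in find_duplicates(entries).items():
        print("duplicate: %s listed %d times" % (path, len(option_sets)))
    print("\n".join(render_directories(merge_entries(entries))))
```

Run against the sample it reports /root, /home and /etc as duplicated and prints the two-element layout from dan's first reply; feeding that output back through the linter yields no duplicates, which is the check worth running after any hand edit of the syscheck block.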