On Fri, Oct 14, 2016 at 8:55 AM, Kernel Panic <netwarrior...@gmail.com> wrote: > Taking a look in /var/ossec/logs/alerts I can see there are lots of things > registered, no related to the files I modified, but related to ssh login > failures, sudo stuff and the like but never get an e-mail with that report. >
Are the files in the syscheck db (/var/ossec/queue/syscheck/something)? Do you have alert_new_files turned on in the OSSEC server's ossec.conf? Did you modify the rule that alerts on new files to raise the level to something greater than 0? Did you restart the OSSEC processes on the OSSEC server after making these changes? > Thank you very much for your time and support > Regards > > > > > El jueves, 13 de octubre de 2016, 14:47:25 (UTC-3), dan (ddpbsd) escribió: >> >> On Thu, Oct 13, 2016 at 1:09 PM, Kernel Panic <netwar...@gmail.com> wrote: >> > Hi >> > Does this still apply? >> > I have this option enabled: <alert_new_files>yes</alert_new_files> along >> > with the realtime=yes. >> > >> > From another post on the list: >> >>In the past new files were not alerted in real time. I'm not sure if >> >>this has changed. Any of the developers know? >> > >> >> Was there a response to this post? I don't think it's changed, but I'm >> sure I miss commits here and there. >> >> > >> > Another question , by reading this >> > >> > http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.global.html >> > I can see that there are values that can be adjusted, for example host >> > information, by default 8, how do I interpret that, there greater the >> > number >> > more verbose? I just made some modification under /etc, created some >> > file >> >> That would be the alert level. It does not change verbosity, just the >> level of the alert. >> >> > modified other just to test, but still have no e-mail, I'm only getting >> > an >> > e-mail regarding a service log and nothing else, which is the parameter >> > to >> > tell ossec to send all the issues? >> > >> >> For the new file, you probably need a full syscheck scan for it to be >> picked up. >> For the modified file, if it's already in the syscheck db, you should >> be alerted relatively quickly (if realtime is enabled and currently >> running). >> >> Other than that, OSSEC should send all alerts. >> >> > Last question: >> > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck scan >> > (forwarding database). >> > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck database >> > (pre-scan). >> > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Initializing real time file >> > monitoring (not started). >> > >> > Which service is not started? the doc says the package inotify should >> > be >> > installed and I have it inotify-tools-3.13-2.el6.art.x86_64 >> > >> >> That doesn't indicate that a service hasn't started, just that the >> realtime feature hasn't started working yet. >> There's a delay for realtime to start. >> >> > Thank you very much!! >> > Regards >> > >> > >> > >> > >> > El jueves, 13 de octubre de 2016, 10:32:16 (UTC-3), dan (ddpbsd) >> > escribió: >> >> >> >> On Thu, Oct 13, 2016 at 9:21 AM, Kernel Panic <netwar...@gmail.com> >> >> wrote: >> >> > >> >> > Hi >> >> > Let's see, shouldn't I have to configure on each tag to which >> >> > directory >> >> > I >> >> > want to apply it? as in check_all , directories, realtime and which >> >> > directories, or are they global parameters? that's why I included >> >> > home >> >> > and >> >> > root on both of them. >> >> > >> >> >> >> >> >> Each option applies to the directories configured in it. >> >> >> >> > <directories >> >> > >> >> > >> >> > check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin</directories> >> >> > >> >> >> >> This checks all of the hashes, owner, and permissions. >> >> >> >> > <directories realtime="yes" >> >> > check_all="yes">/root,/home,/etc</directories> >> >> > >> >> >> >> This does realtime checks of all of the above, and should produce an >> >> error because the "/root," "/home," and "/etc" directories are >> >> duplicated. >> >> Duplication of directories can cause issues, so it's best not to do >> >> it. The way to solve this is not to duplicate these directories in the >> >> second configuration by not including them in the first. >> >> For example: >> >> >> >> <directories >> >> check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories> >> >> <directories check_all="yes" >> >> realtime="yes">/root,/home,/etc</directories> >> >> >> >> Now, if you want to add "report_changes" to /etc, you'll have to >> >> remove it from the above configuration. You'll end up with: >> >> >> >> <directories >> >> check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories> >> >> <directories check_all="yes" realtime="yes">/root,/home</directories> >> >> <directories check_all="yes" realtime="yes" >> >> report_changes="yes">/etc</directories> >> >> >> >> > >> >> > Thank you very much >> >> > Best Regerds >> >> > >> > >> > -- >> > >> > --- >> > You received this message because you are subscribed to the Google >> > Groups >> > "ossec-list" group. >> > To unsubscribe from this group and stop receiving emails from it, send >> > an >> > email to ossec-list+...@googlegroups.com. >> > For more options, visit https://groups.google.com/d/optout. > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
