Hello,

I just installed OSSEC in the Azure space; HIDS seems OK, but FIM isn't 
behaving consistently.

First, realtime monitoring simply isn't working. FIM only seems to work when 
the scan runs, which I have set to 10 minutes for testing. Second, I only 
seem to get a fraction of the changes I've made. For testing I have 4 
folders, and I make 2 changes in each folder, usually an edit and a delete 
and/or add. I just did that 2 times in the last hour, so 16 changes, and I 
received alerts for only 3 of those changes.

The OSSEC manager server is CentOS; the agent is Windows Server 2012 R2. 
The agent does say "INFO: Real time file monitoring started."

Following are the configs for the manager server and the agent server. Is 
there something I am missing?

Manager

<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_maxperhour>500</email_maxperhour>
    <email_to>redac...@redacted.com</email_to>
    <smtp_server>redacted.redacted.com</smtp_server>
    <email_from>redac...@redacted.com</email_from>
    <logall>yes</logall>
  </global>

Agent. Yes, the lines for the directories to monitor are intentionally each a 
little different while I fiddle with this. If one is wrong, please let me 
know.

  <!-- Syscheck - Integrity Checking config. -->
  <syscheck>

    <!-- Default frequency, every 20 hours. It doesn't need to be higher
      -  on most systems and one a day should be enough.
      -  (Set to 600 seconds, i.e. 10 minutes, here for testing.)
      -->
    <frequency>600</frequency>
    <alert_new_files>yes</alert_new_files>
    <auto_ignore>no</auto_ignore>
    <!-- By default it is disabled. In the Install you must choose
      -  to enable it.
      -->
    <disabled>no</disabled>

    <directories check_all="yes" realtime="yes">C:\TestOSS1</directories>
    <directories realtime="yes" check_all="yes">C:\TestOSS2</directories>
    <directories check_all="yes" report_changes="yes" realtime="yes">C:\TestOSS3</directories>
    <directories realtime="yes" report_changes="yes" check_all="yes">C:\TestOSS4</directories>

    <!-- Default files to be monitored - system32 only. -->
    <directories check_all="yes">%WINDIR%/win.ini</directories>
    <directories check_all="yes">%WINDIR%/system.ini</directories>

Thanks,
Matt
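One way to see what the agent will actually apply from the four differently ordered `<directories>` lines above is to parse the fragments rather than eyeball them. The script below is an added example, not code from this post or from the OSSEC project. It embeds constructed copies of the two fragments (closing tags added so they parse, redacted mail addresses replaced with example.com placeholders), normalises each `<directories>` entry to its set of enabled options so equivalent entries group together, and checks where `<auto_ignore>` is set. That last check rests on what the OSSEC syscheck documentation states: `auto_ignore` is valid on the server/local side, where the manager stops alerting on a file after it has changed more than 3 times (default `yes`), so an agent-side `<auto_ignore>no</auto_ignore>` does not change the manager's behaviour.

```python
"""Summarise the syscheck (FIM) settings of OSSEC ossec.conf fragments."""
import xml.etree.ElementTree as ET

# Constructed copy of the manager fragment from the post (closing tag added,
# addresses replaced with placeholders). Note that it has no <syscheck> section.
MANAGER_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_maxperhour>500</email_maxperhour>
    <email_to>redacted@example.com</email_to>
    <smtp_server>smtp.example.com</smtp_server>
    <email_from>redacted@example.com</email_from>
    <logall>yes</logall>
  </global>
</ossec_config>"""

# Constructed copy of the agent fragment from the post (closing tags added).
AGENT_CONF = r"""<ossec_config>
  <syscheck>
    <frequency>600</frequency>
    <alert_new_files>yes</alert_new_files>
    <auto_ignore>no</auto_ignore>
    <disabled>no</disabled>
    <directories check_all="yes" realtime="yes">C:\TestOSS1</directories>
    <directories realtime="yes" check_all="yes">C:\TestOSS2</directories>
    <directories check_all="yes" report_changes="yes" realtime="yes">C:\TestOSS3</directories>
    <directories realtime="yes" report_changes="yes" check_all="yes">C:\TestOSS4</directories>
    <directories check_all="yes">%WINDIR%/win.ini</directories>
    <directories check_all="yes">%WINDIR%/system.ini</directories>
  </syscheck>
</ossec_config>"""

# Per the OSSEC syscheck documentation, <auto_ignore> is a server/local option:
# the manager stops alerting on a file once it has changed more than 3 times
# unless the *manager's* config says <auto_ignore>no</auto_ignore>.
AUTO_IGNORE_DEFAULT = "yes"


def parse_syscheck(xml_text):
    """Return the <syscheck> settings of one ossec.conf as a dict, or None if absent."""
    root = ET.fromstring(xml_text)
    sc = root.find("syscheck")
    if sc is None:
        return None
    settings = {"frequency": None, "auto_ignore": None, "disabled": None, "directories": []}
    for tag in ("frequency", "auto_ignore", "disabled"):
        el = sc.find(tag)
        if el is not None and el.text:
            settings[tag] = el.text.strip()
    if settings["frequency"] is not None:
        settings["frequency"] = int(settings["frequency"])
    for d in sc.findall("directories"):
        # Attribute order carries no meaning in XML; normalise each entry to the
        # set of options whose value is "yes".
        enabled = frozenset(k for k, v in d.attrib.items() if v.strip().lower() == "yes")
        settings["directories"].append((d.text.strip(), enabled))
    return settings


def group_by_options(directories):
    """Group monitored paths by their enabled option set to show which entries are equivalent."""
    groups = {}
    for path, opts in directories:
        groups.setdefault(opts, []).append(path)
    return groups


def effective_auto_ignore(manager_xml):
    """auto_ignore as the manager applies it: its own setting, else the documented default."""
    sc = parse_syscheck(manager_xml)
    if sc is None or sc["auto_ignore"] is None:
        return AUTO_IGNORE_DEFAULT
    return sc["auto_ignore"]


def auto_ignore_misplaced(manager_xml, agent_xml):
    """True when auto_ignore is set only on the agent, where it is not honoured."""
    agent = parse_syscheck(agent_xml)
    agent_sets_it = agent is not None and agent["auto_ignore"] is not None
    manager = parse_syscheck(manager_xml)
    manager_sets_it = manager is not None and manager["auto_ignore"] is not None
    return agent_sets_it and not manager_sets_it


if __name__ == "__main__":
    agent = parse_syscheck(AGENT_CONF)
    print("agent scan frequency: %d s" % agent["frequency"])
    for opts, paths in group_by_options(agent["directories"]).items():
        print("options %s -> %s" % (sorted(opts), paths))
    print("manager effective auto_ignore:", effective_auto_ignore(MANAGER_CONF))
    if auto_ignore_misplaced(MANAGER_CONF, AGENT_CONF):
        print("auto_ignore is set on the agent only; set it in the manager's <syscheck> instead")
```

Running it groups TestOSS1 and TestOSS2 under {check_all, realtime} and TestOSS3 and TestOSS4 under {check_all, realtime, report_changes}, confirming that attribute order is not the difference between them, and reports that with no `<syscheck>` section on the manager the documented default `auto_ignore=yes` is in force regardless of the agent's setting.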
