The server I'm using for testing went down; as soon as I get it back I'm 
going to review it.

Thank you very much for your help, really appreciated.
Regards


On Friday, 14 October 2016, 10:26:53 (UTC-3), dan (ddpbsd) wrote:
>
> On Fri, Oct 14, 2016 at 8:55 AM, Kernel Panic <netwar...@gmail.com> wrote: 
> > Taking a look in /var/ossec/logs/alerts I can see there are lots of things 
> > registered, not related to the files I modified, but related to ssh login 
> > failures, sudo stuff and the like, but I never get an e-mail with that report. 
> > 
>
> Are the files in the syscheck db (/var/ossec/queue/syscheck/something)? 
> Do you have alert_new_files turned on in the OSSEC server's ossec.conf? 
> Did you modify the rule that alerts on new files to raise the level to 
> something greater than 0? 
> Did you restart the OSSEC processes on the OSSEC server after making 
> these changes? 
>
> > Thank you very much for your time and support 
> > Regards 
> > 
> > 
> > 
> > 
> > On Thursday, 13 October 2016, 14:47:25 (UTC-3), dan (ddpbsd) wrote: 
> >> 
> >> On Thu, Oct 13, 2016 at 1:09 PM, Kernel Panic <netwar...@gmail.com> wrote: 
> >> > Hi 
> >> > Does this still apply? 
> >> > I have this option enabled: <alert_new_files>yes</alert_new_files> along 
> >> > with the realtime=yes. 
> >> > 
> >> > From another post on the list: 
> >> >>In the past new files were not alerted in real time. I'm not sure if 
> >> >>this has changed. Any of the developers know? 
> >> > 
> >> 
> >> Was there a response to this post? I don't think it's changed, but I'm 
> >> sure I miss commits here and there. 
> >> 
> >> > 
> >> > Another question, by reading this 
> >> > http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.global.html 
> >> > I can see that there are values that can be adjusted, for example host 
> >> > information, by default 8. How do I interpret that, the greater the 
> >> > number the more verbose? I just made some modifications under /etc, 
> >> > created some files 
> >> 
> >> That would be the alert level. It does not change verbosity, just the 
> >> level of the alert. 
> >> 
> >> > and modified others just to test, but still have no e-mail. I'm only 
> >> > getting an e-mail regarding a service log and nothing else. Which is the 
> >> > parameter to tell ossec to send all the issues? 
> >> > 
> >> 
> >> For the new file, you probably need a full syscheck scan for it to be 
> >> picked up. 
> >> For the modified file, if it's already in the syscheck db, you should 
> >> be alerted relatively quickly (if realtime is enabled and currently 
> >> running). 
> >> 
> >> Other than that, OSSEC should send all alerts. 
> >> 
> >> > Last question: 
> >> > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database). 
> >> > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck database (pre-scan). 
> >> > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Initializing real time file monitoring (not started). 
> >> > 
> >> > Which service is not started? The doc says the package inotify should 
> >> > be installed and I have it: inotify-tools-3.13-2.el6.art.x86_64 
> >> > 
> >> 
> >> That doesn't indicate that a service hasn't started, just that the 
> >> realtime feature hasn't started working yet. 
> >> There's a delay for realtime to start. 
> >> 
> >> > Thank you very much!! 
> >> > Regards 
> >> > 
> >> > 
> >> > 
> >> > 
> >> > On Thursday, 13 October 2016, 10:32:16 (UTC-3), dan (ddpbsd) wrote: 
> >> >> 
> >> >> On Thu, Oct 13, 2016 at 9:21 AM, Kernel Panic <netwar...@gmail.com> 
> >> >> wrote: 
> >> >> > 
> >> >> > Hi 
> >> >> > Let's see, shouldn't I have to configure on each tag to which 
> >> >> > directory I want to apply it? As in check_all, directories, realtime 
> >> >> > and which directories, or are they global parameters? That's why I 
> >> >> > included home and root on both of them. 
> >> >> > 
> >> >> 
> >> >> 
> >> >> Each option applies to the directories configured in it. 
> >> >> 
> >> >> > <directories check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin</directories> 
> >> >> > 
> >> >> 
> >> >> This checks all of the hashes, owner, and permissions. 
> >> >> 
> >> >> > <directories realtime="yes" check_all="yes">/root,/home,/etc</directories> 
> >> >> > 
> >> >> 
> >> >> This does realtime checks of all of the above, and should produce an 
> >> >> error because the "/root," "/home," and "/etc" directories are 
> >> >> duplicated. 
> >> >> Duplication of directories can cause issues, so it's best not to do 
> >> >> it. The way to solve this is not to duplicate these directories in the 
> >> >> second configuration by not including them in the first. 
> >> >> For example: 
> >> >> 
> >> >> <directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories> 
> >> >> <directories check_all="yes" realtime="yes">/root,/home,/etc</directories> 
> >> >> 
> >> >> Now, if you want to add "report_changes" to /etc, you'll have to 
> >> >> remove it from the above configuration. You'll end up with: 
> >> >> 
> >> >> <directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories> 
> >> >> <directories check_all="yes" realtime="yes">/root,/home</directories> 
> >> >> <directories check_all="yes" realtime="yes" report_changes="yes">/etc</directories> 
> >> >> 
> >> >> > 
> >> >> > Thank you very much 
> >> >> > Best Regards 
> >> >> > 
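As an added example, not part of the thread and not code from the OSSEC project: a small Python check that parses the <directories> entries of a syscheck configuration and reports every directory that appears in more than one entry, which is the duplication dan warns about above. Both configurations below are constructed inline from the snippets quoted in the thread (the duplicated one and the split one); to run the check on a real agent you would read the file from /var/ossec/etc/ossec.conf, a path that is assumed here and not stated in the thread.

```python
"""Detect directories configured in more than one OSSEC <directories> entry.

Added example for the ossec-list thread above; not OSSEC's own code.
The two configurations are constructed from the thread's quoted snippets.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the original configuration, with /root, /home and /etc
# listed in both <directories> entries.
DUPLICATED_CONF = """
<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin</directories>
    <directories realtime="yes" check_all="yes">/root,/home,/etc</directories>
  </syscheck>
</ossec_config>
"""

# Constructed sample: the corrected split, every directory listed exactly once,
# with report_changes applied only to /etc.
FIXED_CONF = """
<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" realtime="yes">/root,/home</directories>
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc</directories>
  </syscheck>
</ossec_config>
"""


def parse_directories(conf_text):
    """Map each configured directory to the list of attribute dicts of the
    <directories> entries it appears in.

    ossec.conf may hold several top-level <ossec_config> blocks, which is not
    well-formed XML on its own, so the text is wrapped in a synthetic root.
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")
    seen = defaultdict(list)
    for elem in root.iter("directories"):
        for entry in (elem.text or "").split(","):
            path = entry.strip()
            if path:
                seen[path].append(dict(elem.attrib))
    return seen


def duplicated_directories(conf_text):
    """Sorted list of directories that appear in more than one entry."""
    return sorted(path for path, entries in parse_directories(conf_text).items()
                  if len(entries) > 1)


def options_for(conf_text, directory):
    """Set of option names (check_all, realtime, report_changes, ...) enabled
    for a directory across all entries that mention it."""
    opts = set()
    for attrs in parse_directories(conf_text).get(directory, []):
        opts.update(name for name, value in attrs.items() if value == "yes")
    return opts


if __name__ == "__main__":
    # Assumed location of the agent/server configuration; not from the thread.
    # Replace the constructed samples with open("/var/ossec/etc/ossec.conf").read()
    # to check a live box.
    for label, conf in (("duplicated", DUPLICATED_CONF), ("fixed", FIXED_CONF)):
        dups = duplicated_directories(conf)
        print(f"{label}: duplicates = {dups if dups else 'none'}")
        for path in dups:
            print(f"  {path}: {sorted(options_for(conf, path))}")
```

The check only looks at literal duplicates across entries; it does not account for a parent directory being listed in one entry and a child in another, so nested paths should still be reviewed by hand.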

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
