Realtime monitoring seems to be working now that I've adjusted the scan
frequency. Earlier the scan frequency was 4 hours, then 10 minutes. It's
now 20 minutes and realtime now seems to work. I don't claim it makes
sense, it's just what I'm observing.
Ok I've discovered that the config doesn't like this line. I modified it to
reflect one of the others and it works.
<directories check_all="yes" report_changes="yes"
realtime="yes">C:\TestOSS3</directories>
And, I've realized it's also including multiple alerts in one email. I'd
rather have one email per alert, at least a way to configure it. But I get
this reduces the count of emails.
On Friday, October 14, 2016 at 11:06:53 AM UTC-7, Matt wrote:
> Hello,
>
> I just installed OSSEC in the Azure space, HIDS seems ok but FIM isn't
> behaving consistently.
>
> First realtime monitoring simply isn't working. FIM only seem to work when
> the scan runs, which I have set to 10 minutes for testing. Second I only
> seem to get a fraction of the changes I've made. For testing I have 4
> folder, and I make 2 changes in each folder, usually an edit and a delete
> and/or add. I just did that 2 time sin the last hour, so 16 changes, and I
> received only alerts for 3 of those changes.
>
> The OSSEC Manager server is CentOS, the agent is Windows Server 2012 R2.
> The agent does say "INFO: Real time file monitoring started.".
>
> Following are the configs for the manager server and the agent server. Is
> there something I am missing?
>
> Manager
>
> <ossec_config>
> <global>
> <email_notification>yes</email_notification>
> <email_maxperhour>500</email_maxperhour>
> <email_to>[email protected]</email_to>
> <smtp_server>redacted.redacted.com</smtp_server>
> <email_from>[email protected]</email_from>
> <logall>yes</logall>
> </global>
>
> Agent, yes the lines are intentionally each a little different for the
> directories to monitor while fiddling with this. If one is wrong please let
> me know.
>
> <!-- Syscheck - Integrity Checking config. -->
> <syscheck>
>
> <!-- Default frequency, every 20 hours. It doesn't need to be higher
> - on most systems and one a day should be enough.
> -->
> <frequency>600</frequency>
> <alert_new_files>yes</alert_new_files>
> <auto_ignore>no</auto_ignore>
> <!-- By default it is disabled. In the Install you must choose
> - to enable it.
> -->
> <disabled>no</disabled>
>
> <directories check_all="yes" realtime="yes">C:\TestOSS1</directories>
> <directories realtime="yes" check_all="yes">C:\TestOSS2</directories>
> <directories check_all="yes" report_changes="yes"
> realtime="yes">C:\TestOSS3</directories>
> <directories realtime="yes" report_changes="yes"
> check_all="yes">C:\TestOSS4</directories>
>
> <!-- Default files to be monitored - system32 only. -->
> <directories check_all="yes">%WINDIR%/win.ini</directories>
> <directories check_all="yes">%WINDIR%/system.ini</directories>
>
> Thanks,
> Matt
>
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
