On Fri, Oct 14, 2016 at 5:52 PM, Matt <sttwo...@gmail.com> wrote:
> Realtime monitoring seems to be working now that I've adjusted the scan
> frequency. Earlier the scan frequency was 4 hours, then 10 minutes. It's now
> 20 minutes and realtime now seems to work. I don't claim it makes sense,
> it's just what I'm observing.
>
> OK, I've discovered that the config doesn't like this line. I modified it to
> reflect one of the others and it works.
>
>     <directories check_all="yes" report_changes="yes"
> realtime="yes">C:\TestOSS3</directories>
>
> And, I've realized it's also including multiple alerts in one email. I'd
> rather have one email per alert, at least a way to configure it. But I get
> this reduces the count of emails.
>

/var/ossec/etc/internal_options.conf
# Maild grouping (0=disabled, 1=enabled)
# Groups alerts within the same e-mail.
maild.groupping=1


>
>
> On Friday, October 14, 2016 at 11:06:53 AM UTC-7, Matt wrote:
>>
>> Hello,
>>
>> I just installed OSSEC in the Azure space, HIDS seems ok but FIM isn't
>> behaving consistently.
>>
>> First, realtime monitoring simply isn't working. FIM only seems to work when
>> the scan runs, which I have set to 10 minutes for testing. Second, I only
>> seem to get a fraction of the changes I've made. For testing I have 4
>> folders, and I make 2 changes in each folder, usually an edit and a delete
>> and/or add. I just did that 2 times in the last hour, so 16 changes, and I
>> received alerts for only 3 of those changes.
>>
>> The OSSEC Manager server is CentOS, the agent is Windows Server 2012 R2.
>> The agent does say "INFO: Real time file monitoring started.".
>>
>> Following are the configs for the manager server and the agent server. Is
>> there something I am missing?
>>
>> Manager
>>
>> <ossec_config>
>>   <global>
>>     <email_notification>yes</email_notification>
>>     <email_maxperhour>500</email_maxperhour>
>>     <email_to>redac...@redacted.com</email_to>
>>     <smtp_server>redacted.redacted.com</smtp_server>
>>     <email_from>redac...@redacted.com</email_from>
>>     <logall>yes</logall>
>>   </global>
>>
>>
>> Agent; yes, the lines are intentionally each a little different for the
>> directories to monitor while fiddling with this. If one is wrong please let
>> me know.
>>
>>   <!-- Syscheck - Integrity Checking config. -->
>>   <syscheck>
>>
>>     <!-- Default frequency, every 20 hours. It doesn't need to be higher
>>       -  on most systems and one a day should be enough.
>>       -->
>>     <frequency>600</frequency>
>>     <alert_new_files>yes</alert_new_files>
>>     <auto_ignore>no</auto_ignore>
>>     <!-- By default it is disabled. In the Install you must choose
>>       -  to enable it.
>>       -->
>>     <disabled>no</disabled>
>>
>>     <directories check_all="yes" realtime="yes">C:\TestOSS1</directories>
>>     <directories realtime="yes" check_all="yes">C:\TestOSS2</directories>
>>     <directories check_all="yes" report_changes="yes"
>> realtime="yes">C:\TestOSS3</directories>
>>     <directories realtime="yes" report_changes="yes"
>> check_all="yes">C:\TestOSS4</directories>
>>
>>     <!-- Default files to be monitored - system32 only. -->
>>     <directories check_all="yes">%WINDIR%/win.ini</directories>
>>     <directories check_all="yes">%WINDIR%/system.ini</directories>
>>
>> Thanks,
>> Matt
>>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

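As an added illustration (not code from either poster or from the OSSEC project), the following Python script reads a <syscheck> block like the agent config above and the maild.groupping key from internal_options.conf, and reports which directories are covered only by the periodic scan and whether alert grouping is on. The sample inputs are constructed from the thread; the check for realtime="yes" is the first thing to look at when realtime alerts never arrive for a path.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed <syscheck> block modelled on the agent config above.
AGENT_SYSCHECK = """<syscheck>
  <frequency>600</frequency>
  <alert_new_files>yes</alert_new_files>
  <disabled>no</disabled>
  <directories check_all="yes" realtime="yes">C:\\TestOSS1</directories>
  <directories realtime="yes" check_all="yes">C:\\TestOSS2</directories>
  <directories check_all="yes" report_changes="yes">C:\\TestOSS3</directories>
  <directories check_all="yes">%WINDIR%/win.ini</directories>
</syscheck>"""

# Constructed sample of the manager's /var/ossec/etc/internal_options.conf lines.
INTERNAL_OPTIONS = """# Maild grouping (0=disabled, 1=enabled)
# Groups alerts within the same e-mail.
maild.groupping=1
"""


def summarize_syscheck(xml_text):
    """Return scan frequency (seconds) and the per-directory flags of a <syscheck> block."""
    root = ET.fromstring(xml_text)
    dirs = []
    for d in root.findall("directories"):
        dirs.append({
            "path": (d.text or "").strip(),
            "realtime": d.get("realtime") == "yes",
            "report_changes": d.get("report_changes") == "yes",
            "check_all": d.get("check_all") == "yes",
        })
    return {
        "frequency_s": int(root.findtext("frequency")),
        "disabled": root.findtext("disabled") == "yes",
        "directories": dirs,
    }


def scheduled_only(summary):
    """Paths without realtime="yes": changes there surface only when the scan runs."""
    return [d["path"] for d in summary["directories"] if not d["realtime"]]


def maild_grouping_enabled(options_text):
    """Parse maild.groupping from internal_options.conf; None if the key is absent."""
    for line in options_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip comments and blank lines
        key, _, value = line.partition("=")
        if key.strip() == "maild.groupping":
            return value.strip() == "1"
    return None
```

Setting maild.groupping=0 on the manager is the switch the reply above points at for one e-mail per alert.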