On Fri, Oct 14, 2016 at 5:52 PM, Matt <[email protected]> wrote:
> Realtime monitoring seems to be working now that I've adjusted the scan
> frequency. Earlier the scan frequency was 4 hours, then 10 minutes. It's now
> 20 minutes and realtime now seems to work. I don't claim it makes sense,
> it's just what I'm observing.
>
> OK, I've discovered that the config doesn't like this line. I modified it to
> reflect one of the others and it works.
>
> <directories check_all="yes" report_changes="yes"
> realtime="yes">C:\TestOSS3</directories>
>
> And, I've realized it's also including multiple alerts in one email. I'd
> rather have one email per alert, or at least a way to configure it. But I get
> that this reduces the count of emails.
>

/var/ossec/etc/internal_options.conf

# Maild grouping (0=disabled, 1=enabled)
# Groups alerts within the same e-mail.
maild.groupping=1

>
> On Friday, October 14, 2016 at 11:06:53 AM UTC-7, Matt wrote:
>>
>> Hello,
>>
>> I just installed OSSEC in the Azure space. HIDS seems ok, but FIM isn't
>> behaving consistently.
>>
>> First, realtime monitoring simply isn't working. FIM only seems to work when
>> the scan runs, which I have set to 10 minutes for testing. Second, I only
>> seem to get a fraction of the changes I've made. For testing I have 4
>> folders, and I make 2 changes in each folder, usually an edit and a delete
>> and/or add. I just did that 2 times in the last hour, so 16 changes, and I
>> received alerts for only 3 of those changes.
>>
>> The OSSEC Manager server is CentOS, the agent is Windows Server 2012 R2.
>> The agent does say "INFO: Real time file monitoring started.".
>>
>> Following are the configs for the manager server and the agent server. Is
>> there something I am missing?
>>
>> Manager
>>
>> <ossec_config>
>>   <global>
>>     <email_notification>yes</email_notification>
>>     <email_maxperhour>500</email_maxperhour>
>>     <email_to>[email protected]</email_to>
>>     <smtp_server>redacted.redacted.com</smtp_server>
>>     <email_from>[email protected]</email_from>
>>     <logall>yes</logall>
>>   </global>
>>
>> Agent. Yes, the lines are intentionally each a little different for the
>> directories to monitor while fiddling with this. If one is wrong please let
>> me know.
>>
>> <!-- Syscheck - Integrity Checking config. -->
>> <syscheck>
>>
>>   <!-- Default frequency, every 20 hours. It doesn't need to be higher
>>      - on most systems and once a day should be enough.
>>   -->
>>   <frequency>600</frequency>
>>   <alert_new_files>yes</alert_new_files>
>>   <auto_ignore>no</auto_ignore>
>>   <!-- By default it is disabled. In the Install you must choose
>>      - to enable it.
>>   -->
>>   <disabled>no</disabled>
>>
>>   <directories check_all="yes" realtime="yes">C:\TestOSS1</directories>
>>   <directories realtime="yes" check_all="yes">C:\TestOSS2</directories>
>>   <directories check_all="yes" report_changes="yes"
>>     realtime="yes">C:\TestOSS3</directories>
>>   <directories realtime="yes" report_changes="yes"
>>     check_all="yes">C:\TestOSS4</directories>
>>
>>   <!-- Default files to be monitored - system32 only. -->
>>   <directories check_all="yes">%WINDIR%/win.ini</directories>
>>   <directories check_all="yes">%WINDIR%/system.ini</directories>
>>
>> Thanks,
>> Matt
>>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
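The coverage gap Matt describes (16 changes, alerts for only 3) is easier to pin down by reconciling the changes you made against what syscheck actually alerted on, rather than counting emails. The following is an added Python example, not code from the thread or from OSSEC; the alerts.log text is a constructed approximation of syscheck alert entries (rule 550 checksum changed, 553 deleted, 554 added), and the file paths and change list are made up for the demonstration.

```python
import re
# OSSEC alerts.log separates alerts with blank lines; only the rule id and the
# quoted path matter here. Constructed approximation, not text from the thread.
SAMPLE_ALERTS = """\
** Alert 1476489600.100: mail - ossec,syscheck,
2016 Oct 14 17:00:00 (winagent) any->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: 'C:\\TestOSS1/notes.txt'

** Alert 1476489605.101: mail - ossec,syscheck,
2016 Oct 14 17:00:05 (winagent) any->syscheck
Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
File 'C:\\TestOSS2/old.log' was deleted. Unable to retrieve checksum.

** Alert 1476489610.102: mail - ossec,syscheck,
2016 Oct 14 17:00:10 (winagent) any->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
New file 'C:\\TestOSS3/new.txt' added to the file system.
"""
# Changes made during the test (constructed). The last one never alerted.
EXPECTED_CHANGES = [
    ("modified", r"C:\TestOSS1\notes.txt"),
    ("deleted", r"C:\TestOSS2\old.log"),
    ("added", r"C:\TestOSS3\new.txt"),
    ("modified", r"C:\TestOSS4\config.ini"),
]
# syscheck rule ids: 550 checksum changed, 553 file deleted, 554 file added.
RULE_TO_EVENT = {"550": "modified", "553": "deleted", "554": "added"}
RULE_RE = re.compile(r"^Rule: (\d+) ", re.M)
PATH_RE = re.compile(r"'([A-Za-z]:[\\/][^']*)'")

def norm(path):
    # Windows agents report '<configured dir>/<file>': unify separators and case.
    return path.replace("\\", "/").lower()

def parse_syscheck_alerts(text):
    # Return the set of (event, normalised path) pairs found in the excerpt.
    found = set()
    for block in text.strip().split("\n\n"):
        rule, path = RULE_RE.search(block), PATH_RE.search(block)
        if rule and path and rule.group(1) in RULE_TO_EVENT:
            found.add((RULE_TO_EVENT[rule.group(1)], norm(path.group(1))))
    return found

def reconcile(expected, alerts_text):
    # Split the changes made into alerted and missing, so coverage is measured.
    seen = parse_syscheck_alerts(alerts_text)
    missing = [(ev, p) for ev, p in expected if (ev, norm(p)) not in seen]
    return len(expected) - len(missing), missing
```

Run `reconcile(EXPECTED_CHANGES, SAMPLE_ALERTS)` against a real alerts.log excerpt taken after a test round; the missing list tells you which folder or change type the agent is silently dropping, which is more useful than the raw email count when maild grouping is on.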
