Hi,

I am unable to make <auto_ignore> work on our OSSEC instance for a few
directories which are set for Real Time monitoring. OSSEC Agent version is
2.8.3 and server is currently on 2.8.1.

I have tried to set <auto_ignore>no</auto_ignore> on both server and the
agent, but OSSEC still keeps ignoring the checksum change after the 3rd time.

Here is the directory monitoring configuration:

    <frequency>79200</frequency>
    <directories check_all="yes">/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <directories realtime="yes" check_all="yes">/root,/etc</directories>
    <auto_ignore>no</auto_ignore>


And the file we are trying to monitor is /etc/odbcnew.ini

When I check for the file changes, OSSEC always stops after the 3rd change. I
can reset it manually but it'll stop again eventually after the next 3 changes.

2017 Jan 31 06:44:24,0 - /etc/odbcnew.ini
File changed. - 1st time modified.
Integrity checking values:
   Size: >682
   Perm: rw-------
   Uid:  0
   Gid:  0
   Md5:  >bc47acc61dd3ac8f88d8a1197e3e9b1a
   Sha1: >02d20920310be144261d897d90d906e86a90225f

2017 Jan 31 06:47:15,2 - /etc/odbcnew.ini
File changed. - 2nd time modified.
Integrity checking values:
   Size: >770
   Perm: rw-------
   Uid:  0
   Gid:  0
   Md5:  >087e76a102721db3c7218acb978720b2
   Sha1: >f5437d9ede1d2bb41cafbefce922d1c5997a3c13

2017 Jan 31 06:47:16,3 - /etc/odbcnew.ini
File changed. - 3rd time modified.
Integrity checking values:
   Size: >792
   Perm: rw-------
   Uid:  0
   Gid:  0
   Md5:  >0ba151babde2a5adf64fb25b67628e9b
   Sha1: >266ff0c7ae1b19897046041da3df2beb598a1663

I found an old thread referring to making a source code change to
temporarily resolve this issue. Is that change still needed in the latest
versions?
https://groups.google.com/forum/#!topic/ossec-list/qk8Ch6DEIqk

On another thread, one example shows that OSSEC still records the fact that
a file is being ignored.
https://groups.google.com/forum/#!topic/ossec-list/qNnjYZGsWCs



2008 Jun 26 22:48:26,4 - /etc/squid/squid.conf
File changed. - Being ignored (3 or more changes).

We do not get this message. Does that mean the agent itself is not sending the
changes after the 3rd time?


Kindly assist.

Thanks,

~ Abhi
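
Added example (not part of the original post, and not OSSEC code): a Python parser for change-history text in the layout quoted in the message above, which lists files whose record stops at the 3rd modification with no "Being ignored" entry, the symptom described. The function names are hypothetical and the sample input is constructed from the entries in the post, trimmed to the Size field.

```python
import re
from collections import defaultdict

HEADER = re.compile(r"^(\d{4} \w{3} +\d{1,2} [\d:]{8}),\d+ - (.+)$")
STATUS = re.compile(r"^File changed\. - (?:(\d+)(?:st|nd|rd|th) time modified|(Being ignored))")
FIELD = re.compile(r"^\s+(\w+):\s+>?(\S+)$")

# Constructed sample: entries from the post, trimmed to one field each.
SAMPLE = """\
2017 Jan 31 06:44:24,0 - /etc/odbcnew.ini
File changed. - 1st time modified.
Integrity checking values:
   Size: >682
2017 Jan 31 06:47:15,2 - /etc/odbcnew.ini
File changed. - 2nd time modified.
Integrity checking values:
   Size: >770
2017 Jan 31 06:47:16,3 - /etc/odbcnew.ini
File changed. - 3rd time modified.
Integrity checking values:
   Size: >792
2008 Jun 26 22:48:26,4 - /etc/squid/squid.conf
File changed. - Being ignored (3 or more changes).
"""

def parse_history(text):
    """Return {path: [entry, ...]}; each entry has when, count, ignored, fields."""
    history, entry = defaultdict(list), None
    for line in text.splitlines():
        if m := HEADER.match(line):
            entry = {"when": m.group(1), "count": None, "ignored": False, "fields": {}}
            history[m.group(2).strip()].append(entry)
        elif entry is not None and (m := STATUS.match(line)):
            entry["count"] = int(m.group(1)) if m.group(1) else None
            entry["ignored"] = bool(m.group(2))
        elif entry is not None and (m := FIELD.match(line)):
            entry["fields"][m.group(1)] = m.group(2)
    return dict(history)

def silent_after_third(history):
    """Paths whose last record is the 3rd change and that have no 'Being ignored' record."""
    return sorted(
        path for path, entries in history.items()
        if entries[-1]["count"] == 3 and not any(e["ignored"] for e in entries)
    )

if __name__ == "__main__":
    print(silent_after_third(parse_history(SAMPLE)))
```
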
