On Tue, Jan 31, 2017 at 7:06 AM, Abhijit Tikekar <[email protected]> wrote:
> Hi,
>
> I am unable to make <auto_ignore> work on our OSSEC instance for a few
> directories which are set for Real Time monitoring. OSSEC Agent version is
> 2.8.3 and server is currently on 2.8.1.
>

Start by correcting this issue.

> I have tried to set <auto_ignore>no</auto_ignore> on both server and the
> agent, but OSSEC still keeps ignoring the checksum change after the 3rd time.

This setting does nothing on the agent, AFAIK.

> Here is the directory monitoring configuration:
>
> <frequency>79200</frequency>
> <directories check_all="yes">/usr/bin,/usr/sbin</directories>
> <directories check_all="yes">/bin,/sbin</directories>
> <directories realtime="yes" check_all="yes">/root,/etc</directories>
> <auto_ignore>no</auto_ignore>

Make sure you restart the OSSEC processes on the server after making these changes.

>
> And the file we are trying to monitor is /etc/odbcnew.ini
>
> When I check for the file changes, OSSEC always stops after the 3rd change. I
> can reset it manually but it'll stop again eventually after the next 3 changes.
>
> 2017 Jan 31 06:44:24,0 - /etc/odbcnew.ini
> File changed. - 1st time modified.
> Integrity checking values:
> Size: >682
> Perm: rw-------
> Uid: 0
> Gid: 0
> Md5: >bc47acc61dd3ac8f88d8a1197e3e9b1a
> Sha1: >02d20920310be144261d897d90d906e86a90225f
>
> 2017 Jan 31 06:47:15,2 - /etc/odbcnew.ini
> File changed. - 2nd time modified.
> Integrity checking values:
> Size: >770
> Perm: rw-------
> Uid: 0
> Gid: 0
> Md5: >087e76a102721db3c7218acb978720b2
> Sha1: >f5437d9ede1d2bb41cafbefce922d1c5997a3c13
>
> 2017 Jan 31 06:47:16,3 - /etc/odbcnew.ini
> File changed. - 3rd time modified.
> Integrity checking values:
> Size: >792
> Perm: rw-------
> Uid: 0
> Gid: 0
> Md5: >0ba151babde2a5adf64fb25b67628e9b
> Sha1: >266ff0c7ae1b19897046041da3df2beb598a1663
>
> I found an old thread referring to making a source code change for
> temporarily resolving this issue. Is that change still needed in the latest
> versions?
> https://groups.google.com/forum/#!topic/ossec-list/qk8Ch6DEIqk

Not that I'm aware of.

> On another thread, one example shows that OSSEC still records the fact that
> a file is being ignored.
> https://groups.google.com/forum/#!topic/ossec-list/qNnjYZGsWCs
>
> 2008 Jun 26 22:48:26,4 - /etc/squid/squid.conf
> File changed. - Being ignored (3 or more changes).
>
> We do not get this message. Does that mean the agent itself is not sending the
> changes after the 3rd time?

The agent doesn't care how many times it's changed. It doesn't even really know the file has changed (unless there's an inotify event blah blah). I haven't noticed any issues with it, but I'll test it out a bit.

>
> Kindly assist
>
> Thanks,
>
> ~ Abhi
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
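The alert text quoted in the thread is easy to parse, and a quick count of "File changed" alerts per path tells an operator which files have hit the server's default 3-change limit and will go quiet unless auto_ignore is disabled on the server. The script below is an added example, not code from this thread or from OSSEC; it assumes syscheck alert text in the form shown above (a "date,N - path" header followed by "key: value" lines) and uses a sample constructed from the three alerts quoted above.

```python
# Added example: count syscheck "File changed" alerts per file and flag paths
# that have reached OSSEC's auto_ignore threshold (3 changes).
import re
from collections import Counter

AUTO_IGNORE_THRESHOLD = 3  # OSSEC default: alerts stop after the 3rd change
# Header line of each entry, e.g. "2017 Jan 31 06:44:24,0 - /etc/odbcnew.ini"
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}),\d+ - (?P<path>.+)$", re.M)
# Value lines such as "Size: 682"; an optional ">" absorbs mail-quoting artifacts
FIELD_RE = re.compile(r"^\s*(?P<key>Size|Perm|Uid|Gid|Md5|Sha1):\s*>?\s*(?P<val>\S+)$", re.M)
IGNORED_RE = re.compile(r"Being ignored \(3 or more changes\)")  # server-side marker

def parse_syscheck(text):
    """Return one dict per entry: ts, path, ignored flag and any value fields."""
    entries = []
    heads = list(ENTRY_RE.finditer(text))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[m.end():end]
        entry = {"ts": m.group("ts"), "path": m.group("path").strip(),
                 "ignored": bool(IGNORED_RE.search(body))}
        for f in FIELD_RE.finditer(body):
            entry[f.group("key").lower()] = f.group("val")
        entries.append(entry)
    return entries

def files_at_threshold(entries, threshold=AUTO_IGNORE_THRESHOLD):
    """Sorted paths whose change count has reached the auto_ignore threshold."""
    counts = Counter(e["path"] for e in entries)
    return sorted(p for p, n in counts.items() if n >= threshold)

# Constructed sample, abridged from the three alerts quoted in the thread.
SAMPLE = """\
2017 Jan 31 06:44:24,0 - /etc/odbcnew.ini
File changed. - 1st time modified.
Size: 682
Md5: bc47acc61dd3ac8f88d8a1197e3e9b1a
2017 Jan 31 06:47:15,2 - /etc/odbcnew.ini
File changed. - 2nd time modified.
Size: 770
Md5: 087e76a102721db3c7218acb978720b2
2017 Jan 31 06:47:16,3 - /etc/odbcnew.ini
File changed. - 3rd time modified.
Size: 792
Md5: 0ba151babde2a5adf64fb25b67628e9b
"""
if __name__ == "__main__":
    print(files_at_threshold(parse_syscheck(SAMPLE)))  # ['/etc/odbcnew.ini']
```

Any path listed has already consumed its three alerts; run it against the server's alerts log, since the agent-side setting has no effect.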
