On Thursday, September 28, 2017 at 8:47:11 AM UTC-6, dan (ddpbsd) wrote:
>
> On Thu, Sep 28, 2017 at 10:31 AM, Oh Ar <[email protected]> wrote:
> > Something I forgot to put in the original email, this is an RHEL7 VM,
> > Linux xxxxxx.xxxxxx.unm.edu 3.10.0-693.2.2.el7.x86_64 #1 SMP Sat Sep 9 03:55:24 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux
> >
> > On Wednesday, September 27, 2017 at 6:41:01 AM UTC-6, dan (ddpbsd) wrote:
> >>
> >
> > That solved the problem. It seems odd that the default settings cause
> > errors, but, oh well.
> >
>
> The default settings do not cause errors, there is no agent.conf by
> default (or at least not a populated one, I can't remember).
>
> >>
> >
> > Actually, I found that there is an option for turning rootcheck and syscheck
> > off, which was set to do so. Again, weird default behaviour.
> >
>
> I have never had this happen by default.
>
Installed from source, 2.9.1, hybrid mode, /var/ossec/ossec-agent/etc/ossec.conf has syscheck and rootcheck disabled by default.

> > But from the way <directories> sounds, would I be correct in guessing that
> > if I don't configure those, I won't actually be rootchecking or syschecking
> > anything? Do you have any documentation that says how to configure it? The
> > page on ossec.conf doesn't mention a directories option.
> >
>
> https://ossec.github.io/docs/syntax/head_ossec_config.syscheck.html
> has information on how to set up <directories>.
> How did you install OSSEC? There are some directories set up by default.
>

I installed OSSEC by downloading the source from ossec.github.io, and then following the instructions here: https://ossec.github.io/docs/manual/installation/install-source.html

As I say, I installed in hybrid mode. Do you set up the <directories> directives in the server config or the agent config?

> >> > Lastly, I'm getting an email from the system every hour that has messages
> >> > from every few seconds of the format:
> >> > OSSEC HIDS Notification.
> >> > 2017 Sep 22 14:41:01
> >> >
> >> > Received From: (avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51
> >> > Rule: 503 fired (level 3) -> "Ossec agent started."
> >> > Portion of the log(s):
> >> >
> >> > ossec: Agent started: 'avtest->10.234.199.51'.
> >> >
> >> >
> >> >
> >> > --END OF NOTIFICATION
> >> >
> >> > I don't know why it's telling me that the agent has started every 5 seconds
> >> > or so, unless the agent is restarting every 5 seconds or so.
> >> > And if the
> >> > agent is restarting every 5 seconds or so, I want to make it *stop*. :D
> >> >
> >>
> >> Never seen that issue, you can check the agent's ossec.log for clues
> >> as to what is happening.
> >
> >
> > Sadly, no clues there. If it really is restarting every 5 seconds, it's not
> > logging it.
> >
> > So, where is the log that the emails are generated from? :)
> >
>
> Generally alerts.log, I believe.
>

OK, I've definitely got multiple events in that log which show basically the same alert, repeatedly. So that's where the email is coming from. But... any ideas on how to make it stop?

** Alert 1506578400.0: mail - ossec,
2017 Sep 28 00:00:00 (avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51
Rule: 503 (level 3) -> 'Ossec agent started.'
ossec: Agent started: 'avtest->10.234.199.51'.

** Alert 1506578444.3037: mail - ossec,
2017 Sep 28 00:00:44 (avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51
Rule: 503 (level 3) -> 'Ossec agent started.'
ossec: Agent started: 'avtest->10.234.199.51'.

** Alert 1506578458.6137: mail - ossec,
2017 Sep 28 00:00:58 (avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51
Rule: 503 (level 3) -> 'Ossec agent started.'
ossec: Agent started: 'avtest->10.234.199.51'.

And so forth.

Thanks in advance,
-Sandro

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
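The `** Alert` blocks quoted in the message above are in the alerts.log layout, and their location chain shows `/var/ossec/logs/alerts/alerts.log` itself appearing as the file the line was read from, several hops deep. The following is an added example, not code from the thread or from the OSSEC project: a small Python parser for that layout that reports (a) alerts whose location chain includes the alert log itself, i.e. alerts raised from lines OSSEC wrote to its own alerts.log, and (b) any (rule, agent) pair firing repeatedly inside a short window, which is the noise pattern that buries real alerts in hourly mail. The sample alerts are constructed in the layout shown above (the `webhost` block is made up as a normal, non-looping alert for contrast), and the reading that an alerts.log entry in the chain means the alert log is being consumed as a log source is an assumption of this example, as are the window and count thresholds.

```python
import re
from collections import defaultdict

# Path of the OSSEC alert log as quoted in the thread.
ALERTS_LOG_PATH = "/var/ossec/logs/alerts/alerts.log"

# Constructed sample in the alerts.log layout quoted in the thread; it is not a
# capture from the poster's system. The "webhost" block is made up to give the
# checks a normal, non-looping alert to compare against.
SAMPLE_ALERTS = """\
** Alert 1506578400.0: mail  - ossec,
2017 Sep 28 00:00:00 (avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51
Rule: 503 (level 3) -> 'Ossec agent started.'
ossec: Agent started: 'avtest->10.234.199.51'.

** Alert 1506578444.3037: mail  - ossec,
2017 Sep 28 00:00:44 (avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51
Rule: 503 (level 3) -> 'Ossec agent started.'
ossec: Agent started: 'avtest->10.234.199.51'.

** Alert 1506578458.6137: mail  - ossec,
2017 Sep 28 00:00:58 (avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log
Rule: 503 (level 3) -> 'Ossec agent started.'
ossec: Agent started: 'avtest->10.234.199.51'.

** Alert 1506578500.100: mail  - syslog,sshd,
2017 Sep 28 00:01:40 (webhost) 10.0.0.7->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Sep 28 00:01:39 webhost sshd[1234]: Accepted publickey for deploy from 10.0.0.9 port 51234 ssh2
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+):\s*(?P<mail>mail)?\s*-\s*(?P<groups>.*?),?\s*$")
LOCATION_RE = re.compile(r"^(?P<date>\d{4} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<location>.+)$")
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def parse_alerts(text):
    """Parse alerts.log text into one dict per '** Alert' block.

    The location line is a '|'-separated chain; each element is
    '<agent>-><file>' (the last may lack the '-><file>' part). The first
    element is the log file the line was actually read from.
    """
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3:
            continue
        head, loc, rule = (HEADER_RE.match(lines[0]), LOCATION_RE.match(lines[1]), RULE_RE.match(lines[2]))
        if not (head and loc and rule):
            continue  # not a well-formed alert block; skip rather than guess
        chain = loc.group("location").split("|")
        agent, _, logfile = chain[0].partition("->")
        alerts.append({
            "ts": float(head.group("ts")),
            "mailed": head.group("mail") is not None,
            "groups": [g for g in head.group("groups").split(",") if g],
            "date": loc.group("date"),
            "chain": chain,
            "agent": agent,
            "logfile": logfile,
            "rule": int(rule.group("id")),
            "level": int(rule.group("level")),
            "description": rule.group("desc"),
            "log": lines[3:],
        })
    return alerts


def self_fed_alerts(alerts, alerts_log=ALERTS_LOG_PATH):
    """Alerts whose location chain includes the alert log itself, i.e. alerts
    raised from lines OSSEC wrote to its own alerts.log."""
    return [a for a in alerts if any(seg.endswith("->" + alerts_log) for seg in a["chain"])]


def repeated_rules(alerts, window_s=60.0, min_count=3):
    """(rule, agent) pairs that fired at least min_count times inside any
    window_s-second window; the value is the largest count seen in one window."""
    by_key = defaultdict(list)
    for a in alerts:
        by_key[(a["rule"], a["agent"])].append(a["ts"])
    hits = {}
    for key, stamps in by_key.items():
        stamps.sort()
        best = start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window_s:
                start += 1  # slide the window forward
            best = max(best, end - start + 1)
        if best >= min_count:
            hits[key] = best
    return hits


def report(alerts, window_s=60.0, min_count=3):
    """Human-readable findings, one string per line."""
    lines = []
    for a in self_fed_alerts(alerts):
        lines.append(f"{a['date']} rule {a['rule']} from {a['agent']}: chain of {len(a['chain'])} via {ALERTS_LOG_PATH}")
    for (rule, agent), n in repeated_rules(alerts, window_s, min_count).items():
        lines.append(f"rule {rule} from {agent} fired {n} times within {window_s:.0f}s")
    return lines


if __name__ == "__main__":
    for line in report(parse_alerts(SAMPLE_ALERTS)):
        print(line)
```

To run it against a real file, call `parse_alerts(open("/var/ossec/logs/alerts/alerts.log").read())` and pass the result to `report`. The self-fed check only looks at the chain OSSEC records, so it needs no access to the agent's configuration; the repetition check is deliberately keyed on (rule, agent) rather than on the alert text so that it also catches loops whose log line varies slightly between firings.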
