On Thu, Sep 28, 2017 at 11:58 AM, Oh Ar <[email protected]> wrote:
>
> On Thursday, September 28, 2017 at 8:47:11 AM UTC-6, dan (ddpbsd) wrote:
>>
>> On Thu, Sep 28, 2017 at 10:31 AM, Oh Ar <[email protected]> wrote:
>> > Something I forgot to put in the original email, this is an RHEL7 VM,
>> > Linux xxxxxx.xxxxxx.unm.edu 3.10.0-693.2.2.el7.x86_64 #1 SMP Sat Sep 9 03:55:24 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux
>> >
>> > On Wednesday, September 27, 2017 at 6:41:01 AM UTC-6, dan (ddpbsd) wrote:
>> >>
>> >
>> > That solved the problem. It seems odd that the default settings cause errors, but, oh well.
>> >
>>
>> The default settings do not cause errors, there is no agent.conf by default (or at least not a populated one, I can't remember).
>>
>> >
>> > Actually, I found that there is an option for turning rootcheck and syscheck off, which was set to do so. Again, weird default behaviour.
>> >
>>
>> I have never had this happen by default.
>
> Installed from source, 2.9.1, hybrid mode, /var/ossec/ossec-agent/etc/ossec.conf has syscheck and rootcheck disabled by default.
>

Oh, ok. That makes sense. The ossec processes in /var/ossec handle it instead. No reason to run it twice.

>> > But from the way <directories> sounds, would I be correct in guessing that if I don't configure those, I won't actually be rootchecking or syschecking anything? Do you have any documentation that says how to configure it? The page on ossec.conf doesn't mention a directories option.
>> >
>>
>> https://ossec.github.io/docs/syntax/head_ossec_config.syscheck.html has information on how to set up <directories>.
>> How did you install OSSEC? There are some directories set up by default.
>
> I installed OSSEC by downloading the source from ossec.github.io, and then following the instructions here:
> https://ossec.github.io/docs/manual/installation/install-source.html
>
> As I say, I installed in hybrid mode. Do you set up the <directories> directives in the server config or the agent config?
>

In that case it's in the server config. The OSSEC server reports to itself. Setting it up in the agent configuration (/var/ossec/ossec-agent or whatever) would cause it to report syscheck to the upstream server only.

>> >> > Lastly, I'm getting an email from the system every hour that has messages from every few seconds of the format:
>> >> > OSSEC HIDS Notification.
>> >> > 2017 Sep 22 14:41:01
>> >> >
>> >> > Received From: (avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51
>> >> > Rule: 503 fired (level 3) -> "Ossec agent started."
>> >> > Portion of the log(s):
>> >> >
>> >> > ossec: Agent started: 'avtest->10.234.199.51'.
>> >> >
>> >> >
>> >> > --END OF NOTIFICATION
>> >> >
>> >> > I don't know why it's telling me that the agent has started every 5 seconds or so, unless the agent is restarting every 5 seconds or so. And if the agent is restarting every 5 seconds or so, I want to make it *stop*. :D
>> >> >
>> >>
>> >> Never seen that issue, you can check the agent's ossec.log for clues as to what is happening.
>> >
>> >
>> > Sadly, no clues there. If it really is restarting every 5 seconds, it's not logging it.
>> >
>> > So, where is the log that the emails are generated from? :)
>> >
>>
>> Generally alerts.log, I believe.
>
> OK, I've definitely got multiple events in that log which show basically the same alert, repeatedly. So that's where the email is coming from. But... any ideas on how to make it stop?
>

No clue. Restart the agent? Reinstall the agent? Turn on the logall option on the server and see if it really is getting a log message that triggers the agent restarted alert?

> ** Alert 1506578400.0: mail - ossec,
> 2017 Sep 28 00:00:00 (avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51
> Rule: 503 (level 3) -> 'Ossec agent started.'
> ossec: Agent started: 'avtest->10.234.199.51'.
>
> ** Alert 1506578444.3037: mail - ossec,
> 2017 Sep 28 00:00:44 (avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51
> Rule: 503 (level 3) -> 'Ossec agent started.'
> ossec: Agent started: 'avtest->10.234.199.51'.
>
> ** Alert 1506578458.6137: mail - ossec,
> 2017 Sep 28 00:00:58 (avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51
> Rule: 503 (level 3) -> 'Ossec agent started.'
> ossec: Agent started: 'avtest->10.234.199.51'.
>
> And so forth.
>
> Thanks in advance,
>
> -Sandro
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
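Added example, not from the thread or from OSSEC itself: a small Python parser for alerts.log entries in the layout quoted above. It splits the '|'-chained location into hops and counts how many were read out of the server's own alerts.log, which is what the nested locations in the rule 503 alerts above record: the log line that fired the rule came from /var/ossec/logs/alerts/alerts.log, four levels deep. The sample entries are constructed, and ALERTS_LOG assumes the default path named in the thread.

```python
import re
from dataclasses import dataclass
# Constructed sample in the alerts.log layout quoted above (not a real capture): entry 1 has the chained '|' location, entry 2 is a plain agent-start alert.
SAMPLE_ALERTS = """** Alert 1506578400.0: mail - ossec,
2017 Sep 28 00:00:00 (avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51
Rule: 503 (level 3) -> 'Ossec agent started.'
ossec: Agent started: 'avtest->10.234.199.51'.

** Alert 1506578400.1: mail - ossec,
2017 Sep 28 00:00:00 (avtest) 10.234.199.51
Rule: 503 (level 3) -> 'Ossec agent started.'
ossec: Agent started: 'avtest->10.234.199.51'.
"""

HEADER = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+): .*$")
ORIGIN = re.compile(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} (?P<loc>.+)$")
RULE = re.compile(r"^Rule: (?P<rule>\d+) \(level \d+\) -> '.*'$")
ALERTS_LOG = "/var/ossec/logs/alerts/alerts.log"  # assumed default server alerts file

@dataclass
class Alert:
    alert_id: str
    location: str  # "(agent) ip->file" hops joined by '|', outermost first
    rule: int
    log: str

def parse_alerts(text):
    """Split alerts.log text into Alert records; a blank line ends each entry."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        if len(lines) < 3:
            continue
        h, o, r = HEADER.match(lines[0]), ORIGIN.match(lines[1]), RULE.match(lines[2])
        if not (h and o and r):
            continue  # not a well-formed entry; skip rather than guess
        alerts.append(Alert(h["id"], o["loc"], int(r["rule"]), "\n".join(lines[3:])))
    return alerts

def location_chain(location):
    """(agent, source) per '|' hop; a hop without '->' (an agent-start event) has source None."""
    return [(a, src or None) for a, _, src in (hop.partition("->") for hop in location.split("|"))]

def alerts_log_depth(alert):
    """Number of hops in the chain that were read out of the server's own alerts.log."""
    return sum(src == ALERTS_LOG for _, src in location_chain(alert.location))

def self_ingested_alerts(text):
    """(id, rule, depth) for alerts whose chain passes through alerts.log: an earlier alert was re-read as a log line and re-fired the rule."""
    return [(a.alert_id, a.rule, alerts_log_depth(a)) for a in parse_alerts(text) if alerts_log_depth(a)]
```

Run it over a copy of the server's alerts.log; a non-empty result from self_ingested_alerts() points at a <localfile> entry that is reading alerts.log back into the same server.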
