Dear community,

Ossec 2.9.2 is used for all installs. I created an ansible playbook to 
deploy ossec to agents, and this worked fine, but it suddenly stopped working.

The setup is one ossec server with fewer than 10 agents, where a few of the 
clients work as intended in regards to alerting on file changes and on new 
files. All instances use ossec 2.9.2.


Agent config is propagated OK to all agents from the server:

<agent_config>
  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>21600</frequency>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes" report_changes="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" report_changes="yes" realtime="yes">/bin,/sbin</directories>
    <directories check_all="yes" report_changes="yes" realtime="yes">/test</directories>
    <directories check_all="yes" report_changes="yes" realtime="yes">/agenttest</directories>

    <scan_on_start>yes</scan_on_start>
    <alert_new_files>yes</alert_new_files>

  </syscheck>

</agent_config>

So, what I want to happen is that if a file is added to /agenttest, an alert 
is raised the next time a syscheck is run.

I added this to /var/ossec/rules/local_rules.xml on the manager before the 
</group> tag:

<rule id="554" level="11" overwrite="yes">
  <category>ossec</category>
  <decoded_as>syscheck_new_entry</decoded_as>
  <description>File added to the system.</description>
  <group>syscheck,</group>
</rule>

Now, this works as expected on some of the clients, but not all. 

/var/ossec/bin/agent_control -lc shows all clients as active.

Also for all instances, "/var/ossec/queue/syscheck" on the manager is 
updated.

cat *IPADDRESS* | grep agenttest shows checksums of files I want to have an 
alert for, but an alert is not raised on all agents.

I have added to /var/ossec/etc/local_internal_options.conf to make syscheck 
run faster for testing purposes:

syscheck.sleep=1
syscheck.sleep_after=150


Any clue as to why it would not work on newly deployed agents while the 
syscheck database is still being updated?

Best regards,

PR
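The post compares which agents fire the overridden rule 554 against the list from agent_control -lc. The script below is an added example, not code from the poster or from the OSSEC project: it parses a constructed sample of agent_control -lc output and a constructed sample of /var/ossec/logs/alerts/alerts.log in the OSSEC 2.x layout (agent names, addresses, timestamps and file paths are made up), then reports, per agent, how many times a given rule fired and which active agents never fired it. On a real manager you would read the two inputs from the command output and the log file instead of the embedded strings.

```python
import re
from collections import Counter

# Constructed sample of `agent_control -lc` output. The layout mirrors OSSEC 2.x;
# the agent names and addresses are made up for this example.
AGENT_LIST = """\
OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: manager (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: web1, IP: 10.0.0.11, Active
   ID: 002, Name: web2, IP: 10.0.0.12, Active
   ID: 003, Name: db1, IP: 10.0.0.13, Active
"""

# Constructed sample of /var/ossec/logs/alerts/alerts.log entries (same layout
# as OSSEC 2.x writes them; timestamps, hosts and paths are made up).
ALERTS_LOG = """\
** Alert 1510000000.1001: - syscheck,
2017 Nov 06 21:06:40 (web1) 10.0.0.11->syscheck
Rule: 554 (level 11) -> 'File added to the system.'
New file '/agenttest/new.txt' added to the file system.

** Alert 1510000060.1002: - syscheck,
2017 Nov 06 21:07:40 (web2) 10.0.0.12->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts'

** Alert 1510000120.1003: - syscheck,
2017 Nov 06 21:08:40 (web1) 10.0.0.11->syscheck
Rule: 554 (level 11) -> 'File added to the system.'
New file '/agenttest/another.txt' added to the file system.
"""

AGENT_RE = re.compile(r"ID: (\d+), Name: (.+?), IP: (\S+), (\S+)$")
HEADER_RE = re.compile(
    r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} (?:\((\S+)\) )?(\S+)->(\S+)$"
)
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")


def parse_agents(text):
    """Map agent name -> {'id', 'ip', 'status'} from agent_control -lc output."""
    agents = {}
    for line in text.splitlines():
        m = AGENT_RE.search(line)
        if m:
            agent_id, name, ip, status = m.groups()
            agents[name] = {"id": agent_id, "ip": ip, "status": status}
    return agents


def parse_alerts(text):
    """Split alerts.log into records: one dict per '** Alert' block."""
    records = []
    current = None
    for line in text.splitlines():
        if line.startswith("** Alert"):
            current = {"agent": None, "rule": None, "level": None, "description": None}
            records.append(current)
            continue
        if current is None:
            continue
        h = HEADER_RE.match(line)
        if h:
            name, source, location = h.groups()
            # Agent alerts carry "(name) ip->location"; alerts generated on the
            # manager itself have no parenthesised name, so fall back to the source.
            current["agent"] = name if name else source
            current["location"] = location
            continue
        r = RULE_RE.match(line)
        if r:
            current["rule"], current["level"], current["description"] = r.groups()
    return records


def alerts_per_agent(records, rule_id):
    """Count how many alerts for rule_id each agent produced."""
    return Counter(r["agent"] for r in records if r["rule"] == rule_id)


def active_agents_without_rule(agents, records, rule_id):
    """Active agents (excluding the manager's own ID 000) that never fired rule_id."""
    seen = alerts_per_agent(records, rule_id)
    return sorted(
        name
        for name, info in agents.items()
        if info["id"] != "000"
        and info["status"].startswith("Active")
        and name not in seen
    )


if __name__ == "__main__":
    agents = parse_agents(AGENT_LIST)
    records = parse_alerts(ALERTS_LOG)
    print("rule 554 alerts per agent:", dict(alerts_per_agent(records, "554")))
    print("active agents with no rule 554 alert:",
          active_agents_without_rule(agents, records, "554"))
```

With the constructed data, web1 fired rule 554 twice while web2 and db1 are active but never did, which is the same split the post describes; an agent that shows up as missing here, while its entry under /var/ossec/queue/syscheck is still being updated, points at the rule evaluation on the manager rather than at the agent's syscheck scan.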