Update: After leaving it running overnight, the alerting on newly created files in monitored directories works on the instances where it did not work the day before. No config changes were done; it was just left running.
Does anyone have any input as to why this behavior is observed?

On Monday, 23 October 2017 17:18:53 UTC+1, PR wrote:

> Dear community,
>
> Ossec 2.9.2 is used for all installs. I created an ansible playbook to deploy ossec to agents, and this worked fine, but suddenly stopped working.
>
> The setup is one ossec server with less than 10 agents, where a few of the clients work as intended in regards to alerting on file changes and on new files. All instances using ossec 2.9.2.
>
> Agent config is propagated ok to all agents from server:
>
> <agent_config>
>   <syscheck>
>     <!-- Frequency that syscheck is executed - default to every 22 hours -->
>     <frequency>21600</frequency>
>
>     <!-- Directories to check (perform all possible verifications) -->
>     <directories check_all="yes" report_changes="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
>     <directories check_all="yes" report_changes="yes" realtime="yes">/bin,/sbin</directories>
>     <directories check_all="yes" report_changes="yes" realtime="yes">/test</directories>
>     <directories check_all="yes" report_changes="yes" realtime="yes">/agenttest</directories>
>
>     <scan_on_start>yes</scan_on_start>
>     <alert_new_files>yes</alert_new_files>
>   </syscheck>
> </agent_config>
>
> So, what I want to happen is that if a file is added to /agenttest, the next time a syscheck is run, then an alert is raised.
>
> I added this to /var/ossec/rules/local_rules.xml on the manager before the </group> tag:
>
> <rule id="554" level="11" overwrite="yes">
>   <category>ossec</category>
>   <decoded_as>syscheck_new_entry</decoded_as>
>   <description>File added to the system.</description>
>   <group>syscheck,</group>
> </rule>
>
> Now, this works as expected on some of the clients, but not all.
>
> /var/ossec/bin/agent_control -lc shows all clients as active.
>
> Also for all instances, "/var/ossec/queue/syscheck" on the manager is updated.
>
> cat *IPADDRESS* | grep agenttest shows checksums of files I want to have an alert for, but an alert is not raised on all agents.
>
> I have added to /var/ossec/etc/local_internal_options.conf to make syscheck run faster for testing purposes:
>
> syscheck.sleep=1
> syscheck.sleep_after=150
>
> Any clue as to why it would not work on newly deployed agents but syscheck database still being updated?
>
> Best regards,
>
> PR
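An added example, not from this thread and not part of the OSSEC project, that lints the agent_config and local rule posted above before a playbook pushes them out: it expands the comma-separated directory lists, reports the conditions that would explain a missing new-file alert for a given path (path not monitored, realtime off so the file waits for the next scheduled scan, alert_new_files off), and confirms the 554 override actually sets a non-zero level. The <group> wrapper around the rule is only there so the snippet parses on its own, and treating an absent alert_new_files as disabled is an assumption of this checker.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the agent_config posted in the thread (not the project's own file).
AGENT_CONFIG = """<agent_config>
  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>21600</frequency>
    <directories check_all="yes" report_changes="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" report_changes="yes" realtime="yes">/bin,/sbin</directories>
    <directories check_all="yes" report_changes="yes" realtime="yes">/test</directories>
    <directories check_all="yes" report_changes="yes" realtime="yes">/agenttest</directories>
    <scan_on_start>yes</scan_on_start>
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</agent_config>"""

# The <group> root is an assumption so the rule parses stand-alone; in the thread
# the <rule> was pasted inside the existing <group> of local_rules.xml.
LOCAL_RULES = """<group name="local,syscheck,">
  <rule id="554" level="11" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>"""


def syscheck_directories(agent_config_xml):
    """One dict per monitored path, with the <directories> attributes copied onto it."""
    root = ET.fromstring(agent_config_xml)
    entries = []
    for node in root.iter("directories"):
        for path in (node.text or "").split(","):
            path = path.strip()
            if path:
                entries.append({"path": path, **node.attrib})
    return entries


def syscheck_findings(agent_config_xml, watched_path):
    """Reasons a new file under watched_path might not raise an alert (empty list = looks fine)."""
    root = ET.fromstring(agent_config_xml)
    syscheck = root.find("syscheck")
    if syscheck is None:
        return ["no <syscheck> block"]
    findings = []
    # Assumption: a missing <alert_new_files> counts as disabled.
    if syscheck.findtext("alert_new_files", "no").strip().lower() != "yes":
        findings.append("alert_new_files is not 'yes'")
    matches = [d for d in syscheck_directories(agent_config_xml) if d["path"] == watched_path]
    if not matches:
        findings.append(f"{watched_path} not in any <directories>")
    elif matches[0].get("realtime", "no") != "yes":
        # Without realtime the file is only seen on the next scheduled scan.
        freq = int(syscheck.findtext("frequency", "79200"))
        findings.append(f"{watched_path} not realtime; new files wait up to {freq}s")
    return findings


def rule_override(local_rules_xml, rule_id):
    """Level, overwrite flag and decoder of the local rule with this id, or None."""
    root = ET.fromstring(local_rules_xml)
    for rule in root.iter("rule"):
        if rule.get("id") == rule_id:
            return {
                "level": int(rule.get("level", "0")),
                "overwrite": rule.get("overwrite") == "yes",
                "decoded_as": rule.findtext("decoded_as"),
            }
    return None


if __name__ == "__main__":
    for entry in syscheck_directories(AGENT_CONFIG):
        print(entry)
    print("findings for /agenttest:", syscheck_findings(AGENT_CONFIG, "/agenttest"))
    print("rule 554:", rule_override(LOCAL_RULES, "554"))
```

Run it as-is to see the expanded directory list and an empty findings list for /agenttest; flip realtime to "no" on that line and the checker reports the 21600 s wait, which is the difference between an alert in seconds and one after the next scheduled scan.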
