Ok, I looked a bit more into this.

1. Baseline is set (initial scan done by syscheck).
2. Change detection is done by comparing all the checksums on each scan.
3. A new file is detected when a file is found that does not exist in the 
checksum database.

Excerpt from agent.conf:

  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 4 hours -->
    <frequency>21600</frequency>

    <scan_on_start>yes</scan_on_start>
    <alert_new_files>yes</alert_new_files>
  </syscheck>


So why did the alerting work after the instances had been running 
overnight? Is there any difference between the syscheck run (scan_on_start) 
when restarting with "sudo /var/ossec/bin/ossec-control restart" and the 
inbuilt syscheck scan?

On Monday, 23 October 2017 17:18:53 UTC+1, PR wrote:
>
>
> Dear community,
>
> Ossec 2.9.2 is used for all installs. I created an ansible playbook to 
> deploy ossec to agents, and this worked fine, but it suddenly stopped working.
>
> The setup is one ossec server with less than 10 agents, where a few of the 
> clients work as intended with regard to alerting on file changes and on new 
> files. All instances are using ossec 2.9.2.
>
>
> Agent config is propagated OK to all agents from the server:
>
> <agent_config>
>   <syscheck>
>     <!-- Frequency that syscheck is executed - default to every 22 hours -->
>     <frequency>21600</frequency>
>
>     <!-- Directories to check  (perform all possible verifications) -->
>     <directories check_all="yes" report_changes="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
>     <directories check_all="yes" report_changes="yes" realtime="yes">/bin,/sbin</directories>
>     <directories check_all="yes" report_changes="yes" realtime="yes">/test</directories>
>     <directories check_all="yes" report_changes="yes" realtime="yes">/agenttest</directories>
>
>     <scan_on_start>yes</scan_on_start>
>     <alert_new_files>yes</alert_new_files>
>
>   </syscheck>
>
> </agent_config>
>
> So, what I want to happen is that if a file is added to /agenttest, the 
> next time a syscheck is run, then an alert is raised.
>
> I added this to /var/ossec/rules/local_rules.xml on the manager before the 
> </group> tag:
>
> <rule id="554" level="11" overwrite="yes">
> <category>ossec</category>
> <decoded_as>syscheck_new_entry</decoded_as>
> <description>File added to the system.</description>
> <group>syscheck,</group>
> </rule>
>
> Now, this works as expected on some of the clients, but not all. 
>
> /var/ossec/bin/agent_control -lc shows all clients as active.
>
> Also for all instances, "/var/ossec/queue/syscheck" on the manager is 
> updated.
>
> cat *IPADDRESS* | grep agenttest shows checksums of files I want to have 
> an alert for, but an alert is not raised on all agents.
>
> I have added to /var/ossec/etc/local_internal_options.conf to make 
> syscheck run faster for testing purposes:
>
> syscheck.sleep=1
> syscheck.sleep_after=150
>
>
> Any clue as to why it would not work on newly deployed agents while the 
> syscheck database is still being updated?
>
> Best regards,
>
> PR

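The three-step detection model described in the reply above (baseline scan, checksum comparison, new-file event for paths missing from the checksum database), as an added example that is not OSSEC's own code; the checksum format, file names and directory layout are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Added example, not OSSEC code: a simplified model of the three syscheck
# steps in the reply above (baseline scan, checksum comparison on later
# scans, "new file" event for paths missing from the checksum database).
# Checksum format and file layout are assumptions, not the real syscheck DB.

def file_checksums(path: Path) -> str:
    """MD5 and SHA1 of the file contents, joined as one DB entry."""
    data = path.read_bytes()
    return f"{hashlib.md5(data).hexdigest()}:{hashlib.sha1(data).hexdigest()}"

def scan(directories) -> dict:
    """Walk the monitored directories and return {path: checksums}."""
    db = {}
    for directory in directories:
        for root, _dirs, files in os.walk(directory):
            for name in files:
                p = Path(root) / name
                db[str(p)] = file_checksums(p)
    return db

def compare(baseline: dict, current: dict, alert_new_files: bool = True) -> dict:
    """Return syscheck-style events found by comparing two scans."""
    events = {"changed": [], "new": [], "deleted": []}
    for path, sums in sorted(current.items()):
        if path not in baseline:
            # step 3: on disk but absent from the checksum database
            if alert_new_files:
                events["new"].append(path)
        elif baseline[path] != sums:
            events["changed"].append(path)  # step 2: checksum differs
    events["deleted"] = sorted(p for p in baseline if p not in current)
    return events

def demo() -> dict:
    """Constructed walk-through: baseline, then add one file and edit another."""
    with tempfile.TemporaryDirectory() as tmp:
        agenttest = Path(tmp) / "agenttest"
        agenttest.mkdir()
        (agenttest / "existing.conf").write_text("a=1\n")
        baseline = scan([agenttest])  # step 1: initial scan
        (agenttest / "added.txt").write_text("new content\n")
        (agenttest / "existing.conf").write_text("a=2\n")
        return compare(baseline, scan([agenttest]))
```

Calling `demo()` reports `added.txt` as new and `existing.conf` as changed; with `alert_new_files=False` the same comparison reports only the change, which is the behaviour the `<alert_new_files>` setting toggles.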