Hi Santiago, I just came across your post. Are you saying that the auto_ignore and alert_new_files go in /var/ossec/etc/ossec.conf on the manager OR in /var/ossec/etc/shared/agent.conf on the manager? Obviously, the latter will eventually be placed on the Agent. I thought that /var/ossec/etc/ossec.conf (on the manager) only applied to syscheck settings locally (in this case, the manager) and that agent.conf would control what happens on the Agents. This is a little confusing.
On Thursday, November 12, 2015 at 5:44:56 PM UTC-8, Santiago Bassett wrote:
>
> Are you using scan_on_start option? Remember realtime won't work until
> first syscheck is done.
>
> I also recommend to use alert_new_files and set auto_ignore to "no" (this
> goes on the manager).
>
> Useful troubleshooting tip is to enable debug for syscheck on the agent
> (internal_options.conf file)
>
> Best
>
> On Wed, Nov 11, 2015 at 12:59 PM, Jenia Jenia <[email protected]> wrote:
>
>> I've checked, I have the /usr/include/linux/inotify.h and I have
>> -DUSEINOTIFY.
>>
>> I do have the "Real time file monitoring started.", which I simply didn't
>> notice.
>>
>> However the problem is that it looks like real time notifications are
>> working inconsistently, i.e.: if I, let's say, "apt-get install ...some
>> package", I get the notification right away; also when I restart OSSEC I get
>> email immediately, BUT when I modify /etc/hosts or some other file that is
>> with "realtime" parameter in "directories" then I only get a notification
>> when ossec-syscheckd runs as scheduled.
>>
>> Any ideas?
>>
>> On Wednesday, November 11, 2015 at 9:09:45 PM UTC+2, Jb Cheng wrote:
>>>
>>> Realtime syscheck uses INOTIFY feature on Linux systems. The Makeall
>>> file checks existence of a header file. Please see if your Ubuntu system
>>> has one of the following:
>>>
>>> # Checking for inotify
>>> if [ "X$OS" = "XLinux" ]; then
>>>     if [ -e /usr/include/sys/inotify.h ]; then
>>>         echo "EEXTRA=-DUSEINOTIFY" >> Config.OS
>>>     elif [ -e /usr/include/linux/inotify.h ]; then
>>>         echo "EEXTRA=-DUSEINOTIFY" >> Config.OS
>>>     fi
>>>     LUA_PLAT="posix"
>>> fi
>>>
>>> If it works, Config.OS file will contain the '-DUSEINOTIFY' compilation
>>> directive. Please check it.
>>>
>>> Documentation is available at:
>>> http://ossec-docs.readthedocs.org/en/latest/manual/syscheck/#real-time-monitoring
>>>
>>> Good luck!
>>>
>>> On Wednesday, November 11, 2015 at 4:48:09 AM UTC-8, Jenia Jenia wrote:
>>>>
>>>> Hi Guys!
>>>> I've installed and configured OSSEC to get real time notifications, but
>>>> when I modify for instance /etc/passwd or /etc/hosts I don't get a real
>>>> time notification.
>>>> Scheduled notifications are working, I receive events to my email.
>>>>
>>>> In addition documentation tells that in ossec.log there should be a
>>>> line "Real time file monitoring started." which I never get.
>>>>
>>>> Please advise
>>>>
>>>> <global>
>>>>   <email_notification>yes</email_notification>
>>>>   <email_to>[email protected]</email_to>
>>>>   <smtp_server>mx.yandex.net.</smtp_server>
>>>>   <email_from>ossecm@myserver</email_from>
>>>> </global>
>>>>
>>>> <!-- 550 changed, 553 deleted, 554 added -->
>>>> <email_alerts>
>>>>   <email_to>[email protected]</email_to>
>>>>   <rule_id>550, 553, 554</rule_id>
>>>>   <do_not_delay />
>>>> </email_alerts>
>>>>
>>>> <!-- Directories to check (perform all possible verifications) -->
>>>> <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>>>>
>>>> <alert_new_files>yes</alert_new_files>
>>>> <scan_on_start>no</scan_on_start>
>>>> <auto_ignore>no</auto_ignore>

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
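The replies above name three prerequisites for realtime syscheck: the binary was built with -DUSEINOTIFY (the Makeall fragment writes that into Config.OS), ossec.log shows "Real time file monitoring started." (which only appears once the first full scan has run), and scan_on_start is not set to "no" (otherwise that first scan, and so realtime, waits for the frequency timer). The script below is an added troubleshooting helper, not code from this thread or from the OSSEC project. It assumes you pass the paths to the build tree's Config.OS, to ossec.log, and to whichever file carries the syscheck block on the host you are debugging (ossec.conf, or the agent.conf pushed from the manager); the sample files it writes are constructed for the demonstration, not real OSSEC output.

```shell
#!/bin/sh
# Added example: check the realtime-syscheck prerequisites discussed in the thread.
# Not OSSEC's own tooling; every path is supplied by the caller.

# Usage: realtime_check CONFIG_OS OSSEC_LOG SYSCHECK_CONF
# Prints one line per finding; the return value is the number of findings.
realtime_check() {
    config_os=$1; ossec_log=$2; syscheck_conf=$3
    problems=0

    # 1. Build-time check: Makeall appends EEXTRA=-DUSEINOTIFY when inotify.h exists.
    if grep -q 'EEXTRA=-DUSEINOTIFY' "$config_os" 2>/dev/null; then
        echo "ok: build has -DUSEINOTIFY"
    else
        echo "problem: $config_os lacks -DUSEINOTIFY (inotify.h not found at build time?)"
        problems=$((problems + 1))
    fi

    # 2. Runtime check: syscheckd logs this only after the first full scan completes.
    if grep -q 'Real time file monitoring started' "$ossec_log" 2>/dev/null; then
        echo "ok: realtime monitoring has started"
    else
        echo "problem: no 'Real time file monitoring started' in $ossec_log (first scan not done yet?)"
        problems=$((problems + 1))
    fi

    # 3./4. Configuration checks on the syscheck block.
    if [ ! -r "$syscheck_conf" ]; then
        echo "problem: cannot read $syscheck_conf"
        problems=$((problems + 1))
    else
        # With scan_on_start=no the first scan waits for <frequency>, so realtime starts late.
        if grep -q '<scan_on_start>no</scan_on_start>' "$syscheck_conf"; then
            echo "warning: scan_on_start is no; realtime events wait for the first scheduled scan"
            problems=$((problems + 1))
        else
            echo "ok: scan_on_start not disabled"
        fi
        # Realtime only applies to <directories> entries that carry realtime="yes".
        if grep -q '<directories[^>]*realtime="yes"' "$syscheck_conf"; then
            echo "ok: at least one <directories> entry has realtime=\"yes\""
        else
            echo "problem: no <directories ... realtime=\"yes\"> entry in $syscheck_conf"
            problems=$((problems + 1))
        fi
    fi
    return "$problems"
}

# Constructed sample inputs (not real OSSEC files) so the check runs offline.
SAMPLE_DIR=$(mktemp -d)
printf 'CEXTRA=-DLinux\nEEXTRA=-DUSEINOTIFY\n' > "$SAMPLE_DIR/Config.OS"
printf '2015/11/11 12:00:00 ossec-syscheckd: INFO: Starting syscheck scan.\n' > "$SAMPLE_DIR/ossec.log"
cat > "$SAMPLE_DIR/ossec.conf" <<'EOF'
<syscheck>
  <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <alert_new_files>yes</alert_new_files>
  <scan_on_start>no</scan_on_start>
  <auto_ignore>no</auto_ignore>
</syscheck>
EOF

# Run against the constructed sample: the build is fine, but realtime has not
# started and scan_on_start is "no", so two findings are expected.
realtime_check "$SAMPLE_DIR/Config.OS" "$SAMPLE_DIR/ossec.log" "$SAMPLE_DIR/ossec.conf" \
    || echo "$? finding(s); see the lines above"
```

On a live host, point it at the real files (for example /var/ossec/logs/ossec.log and /var/ossec/etc/ossec.conf, or the shared agent.conf when the syscheck block is pushed from the manager) and clear the findings from the top down: a missing -DUSEINOTIFY needs a rebuild, a missing "Real time file monitoring started." line means the first scan has not finished yet, and scan_on_start=no simply delays that first scan.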
