On Mon, Apr 23, 2018 at 6:26 PM, dan (ddp) <[email protected]> wrote:
> On Mon, Apr 23, 2018 at 6:05 PM, Cooper Graf <[email protected]> wrote:
>> Is there documentation that explains what a glob is? This worked fine with
>> 2.7.
>>
>
> I don't think so. I just tried it on a 3.x system and didn't get the
> error. Still waiting on results to see if it checks properly.
>
>   <syscheck>
>     <!-- Frequency that syscheck is executed - default to every 22 hours -->
>     <frequency>1800</frequency>
>     <auto_ignore>no</auto_ignore>
>
>     <!-- Directories to check  (perform all possible verifications) -->
>     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>     <directories check_all="yes">/bin,/sbin,/boot</directories>
>     <directories check_all="yes">/var/test</directories>
>     <directories check_all="yes">/var/test2</directories>
>     <directories check_all="yes">/home/*/.ssh</directories>
>
> ix# grep home /var/ossec/logs/ossec.log
> 2018/04/23 18:20:17 ossec-syscheckd: INFO: Monitoring directory: '/home/ansible/.ssh', with options perm | size | owner | group | md5sum | sha256sum.
> 2018/04/23 18:20:17 ossec-syscheckd: INFO: Monitoring directory: '/home/ddp/.ssh', with options perm | size | owner | group | md5sum | sha256sum.
> 2018/04/23 18:20:17 ossec-syscheckd: INFO: Monitoring directory: '/home/ddpbsd/.ssh', with options perm | size | owner | group | md5sum | sha256sum.
>

Hit send too early, the files were successfully checked and catalogued
on this system.

>
> And on a slightly older agent:
>   <syscheck>
>     <!-- Frequency that syscheck is executed - default to every 22 hours -->
>     <frequency>79200</frequency>
>
>     <!-- Directories to check  (perform all possible verifications) -->
>     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>     <directories check_all="yes">/bin,/sbin,/boot</directories>
>     <directories check_all="yes">/home/*/.ssh</directories>
>
> root@kaitain:~# grep 'home' /var/ossec/logs/ossec.log
> 2018/04/23 18:25:15 ossec-syscheckd: INFO: Monitoring directory: '/home/ansible/.ssh', with options perm | size | owner | group | md5sum | sha1sum.
> 2018/04/23 18:25:15 ossec-syscheckd: INFO: Monitoring directory: '/home/checker/.ssh', with options perm | size | owner | group | md5sum | sha1sum.
>
>
>> On Mon, Apr 23, 2018 at 12:53 PM dan (ddp) <[email protected]> wrote:
>>>
>>>
>>>
>>> On Mon, Apr 16, 2018 at 2:08 PM, Cooper <[email protected]> wrote:
>>>>
>>>> I am getting the following error from syscheckd when starting up OSSEC
>>>> 2.9.3:
>>>>
>>>> 2018/04/16 13:01:14 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
>>>> 2018/04/16 13:01:14 ossec-syscheckd(1121): ERROR: Glob error. Invalid pattern: '/home/*/.ssh'.
>>>> 2018/04/16 13:04:35 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
>>>> 2018/04/16 13:04:35 ossec-syscheckd(1121): ERROR: Glob error. Invalid pattern: '/home/*/.ssh/'.
>>>>
>>>> Inside of my ossec.conf file, I have this line, which seems to be
>>>> generating the error:
>>>>
>>>> <directories check_all="yes">/home/*/.ssh/</directories>
>>>>
>>>> Any idea what is invalid about that pattern?
>>>>
>>>> --
>>>
>>>
>>> I don't think globs are valid in the syscheck configuration.
>>>
>>>
>>>>
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google Groups
>>>> "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an
>>>> email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>>
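Added example, not part of the original thread and not OSSEC code: a Python check that compares what a syscheck glob such as /home/*/.ssh matches on disk with the "Monitoring directory" and "Glob error" lines syscheckd writes to ossec.log, as the grep in the thread does by hand. It assumes Python's glob module approximates the agent's own expansion; the function names, the temporary directory tree and the sample log text are constructed for illustration, and the explicit <directories> lines it emits are only a possible fallback for an agent that rejects the pattern.

```python
import glob
import os
import re
import tempfile

# Startup messages in the form shown in the thread's ossec.log excerpts.
MONITORED = re.compile(r"ossec-syscheckd: INFO: Monitoring directory:\s+'([^']+)'")
REJECTED = re.compile(
    r"ossec-syscheckd\(\d+\): ERROR: Glob error\. Invalid\s+pattern:\s+'([^']+)'")


def _norm(path):
    # '/home/*/.ssh/' and '/home/*/.ssh' name the same directory.
    return path.rstrip("/") or "/"


def check_glob_coverage(pattern, log_text):
    """Compare what `pattern` matches on disk with what syscheckd logged."""
    on_disk = {_norm(p) for p in glob.glob(pattern) if os.path.isdir(p)}
    logged = {_norm(p) for p in MONITORED.findall(log_text)}
    rejected = _norm(pattern) in {_norm(p) for p in REJECTED.findall(log_text)}
    return {
        "rejected": rejected,                      # agent logged a glob error
        "unmonitored": sorted(on_disk - logged),   # matched but never logged
        "explicit_entries": [                      # one entry per matched dir
            '<directories check_all="yes">%s</directories>' % d
            for d in sorted(on_disk)
        ],
    }


def demo():
    """Constructed tree and constructed log text, so this runs offline."""
    root = tempfile.mkdtemp()
    for user in ("alice", "bob"):
        os.makedirs(os.path.join(root, "home", user, ".ssh"))
    pattern = os.path.join(root, "home", "*", ".ssh")
    alice = os.path.join(root, "home", "alice", ".ssh")
    log_text = (
        "2018/04/23 18:20:17 ossec-syscheckd: INFO: Monitoring directory: "
        "'%s', with options perm | size | owner | group | md5sum | sha256sum.\n"
        % alice)
    return root, check_glob_coverage(pattern, log_text)


if __name__ == "__main__":
    print(demo()[1])
```

On a real agent, pass the pattern from ossec.conf and the contents of /var/ossec/logs/ossec.log; a non-empty "unmonitored" list means a matching home directory is not covered by syscheck.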