Hi Mike,

The *syscheck* module can be kind of noisy, especially when you have loads 
of agents registered. However, you can play with the rules a little bit in 
order to adapt this module to your necessities and be alerted to the events 
that are of greater importance for you. You can ignore some files that you 
know change quite a lot and monitor in real time the ones that do not. 

Also, if you are concerned about not being alerted when the file was 
changed more than three times, you can change this option by changing 
*<auto_ignore>yes</auto_ignore>* to *<auto_ignore>no</auto_ignore>*. If 
you are unable to find this option in the *<syscheck>* module, add it, as 
this option is set to *yes* by default. 

I will leave you some information about File Integrity Monitoring for 
further reading:
- Syscheck configuration options: 
https://www.ossec.net/docs/manual/syscheck/index.html
- How syscheck works: 
https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/how-it-works.html

Let me know if you have any doubts. 
Regards, 
Yana.
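As an added illustration (not part of Yana's or Mike's messages, and not the OSSEC project's sample configuration), here is a `<syscheck>` block for the manager's ossec.conf that applies the three suggestions above: a baseline scan of the system binaries, real-time monitoring only for a few paths that should almost never change, an ignore list for files that churn, and `auto_ignore` switched off so the third change to a file is still reported. The directories and ignore patterns are assumptions for a typical Linux host; adjust them to what actually changes on yours.

```xml
<ossec_config>
  <syscheck>
    <!-- Scheduled scan interval in seconds (default is 79200, i.e. 22 h). -->
    <frequency>43200</frequency>

    <!-- Keep alerting even after a file has changed three times.
         Default is "yes", which silently stops reporting such files. -->
    <auto_ignore>no</auto_ignore>

    <!-- Baseline: scheduled scan of the usual system locations.
         OS updates will touch these, so expect alerts after patching. -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Real-time monitoring only for paths that should rarely change
         and matter most if they do (assumed list). -->
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc/ssh,/etc/sudoers.d,/root/.ssh</directories>

    <!-- Files known to churn: runtime state and package-manager bookkeeping
         (assumed examples; add what is noisy on your hosts). -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/resolv.conf</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore type="sregex">^/var/lib/dpkg/</ignore>
    <ignore type="sregex">^/var/lib/rpm/</ignore>
  </syscheck>
</ossec_config>
```

Restart the manager after editing so the new options are read. For the remaining alerts from the scheduled scan, correlate them with your patch log rather than ignoring them: an `/usr/bin/sudoedit` change that lines up with a package upgrade in `/var/log/dpkg.log` or `/var/log/yum.log` is expected, one that does not is exactly what the module exists to catch.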

On Friday, February 19, 2021 at 8:20:55 PM UTC+1 mi...@free.law wrote:

>
> I'm looking for advice about improving the signal/noise ratio for syscheck 
> alerts. I just installed OSSEC and I'm loving it, but I know that if I 
> can't improve the signal to noise ratio of syscheck, I'll have to turn it 
> off. 
>
> As an example, yesterday I got an alert that sudoedit had changed. This is 
> definitely from an OS update, and all the other alerts I've gotten from 
> syscheck have been too. I know I'm going to start ignoring these alerts. At 
> the same time, even if I'm vigilant, I'm concerned that once the OS updates 
> this file three times, it'll auto-ignore itself, effectively disabling the 
> system. Maybe that's OK, but it seems bad. 
>
> I want to pay attention to syscheck alerts, I think they're an important 
> part of OSSEC (maybe not?), but I won't pay attention for long with this 
> level of noise. How do folks deal with this so that it's a useful feature 
> they don't just ignore in practice? Maybe the idea is to just keep a log of 
> the changes and rely on other things to alert you of an intruder? 
>
> Mike
>
