Re: [ossec-list] Problem with alerting file changes and checksum integrity

2020-06-17 Thread dan (ddp)
On Sun, Jun 14, 2020 at 2:57 AM John Goh  wrote:
>
> So I should just leave the IDS running for a period of time and it will log 
> in real-time?
>

It's supposed to.

> The only changes that the IDS currently logs are like files in etc and 
> Mozilla cache. Nothing else in particular on those directories specified.
>

Check the ossec.log for log messages related to those directories by
ossec-syscheckd. You can even kill ossec-syscheckd and run it again in
debug (pkill ossec-syscheckd && /var/ossec/bin/ossec-syscheckd -d) to
increase the logging.
Also check the syscheck db (/var/ossec/queue/syscheck/ has the
syscheck databases, they're named after the agents) to see if files in
the directories you specified are there.


> On Sunday, June 14, 2020 at 4:33:43 AM UTC+8, dan (ddpbsd) wrote:
>>
>> On Sat, Jun 13, 2020 at 7:41 AM John Goh  wrote:
>> >
>> > Hi all, I'm new to the whole idea of using IDS and OSSEC. I've been trying 
>> > to detect certain file creation or changes in realtime but I do not see it 
>> > being reflected in the OSSEC web interface. The OSSEC is being deployed in 
>> > a local environment on Ubuntu 18.4.04 LTS. The rule I have for code 
>> > creation is:
>> >   
>> > ossec
>> > syscheck_new_entry
>> > File added to the system.
>> > syscheck,
>> >   
>> >
>> > The rule works as random file creation has been logged but it does not 
>> > work for the specific directories that I have specified. The code below is 
>> > the specified directories that I want to monitor. Even when I gave the 
>> > attribute "realtime" it does not reflect on the logs when I changed it.
>> > 
>> > no
>> > 180
>> > yes
>> >
>> > 
>> > /etc,/usr/bin,/usr/sbin
>> > /bin,/sbin,/boot
>> > > > check_all="yes">/home/ubuntu/Downloads
>> > > > check_all="yes">/home/ubuntu/Desktop,/home/ubuntu
>> > > > check_all="yes">/home/ubuntu/Downloads/active.txt
>> > Even when I force a scan by using the following command:
>> > /var/ossec/bin/agent_control -r -u 000
>> > it does not work; for some reason, it keeps on stating that: "INFO: 
>> > Initializing real-time file monitoring (not started)."
>> >
>>
>> This message is normal, realtime should be started sometime after this.
>>
>> > I'm lost and I do not know what is wrong, can anybody help me with this 
>> > issue?
>> >
>>
>> I can't remember if realtime was changed to alert on new files or not.
>> At one point it did not.
>> Do changes to the files in those directories get alerted on automatically?
>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/CAMyQvMpjkjTVvAPq0o-qTiSJNFs5yfL-KGP_7ru4esjq2D%2BzXQ%40mail.gmail.com.
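As an added shell helper for the triage dan describes above (not code from the thread or from OSSEC itself): for each configured directory it checks whether ossec-syscheckd logged it as monitored or as set for real time monitoring, and how many syscheck db entries sit under it. The log wording, the db line layout and the paths are constructed samples; only the trailing path field of a db line is parsed, so the checksum fields are never interpreted.

```shell
#!/bin/sh
# Added triage helper: confirm that each <directories> entry from ossec.conf
# shows up in ossec-syscheckd's log lines and has entries in the agent's
# syscheck database. Sample log and db contents below are constructed; on a
# real host point $1/$2 at /var/ossec/logs/ossec.log and the agent's file
# under /var/ossec/queue/syscheck/.

# 0 if directory $2 was reported as monitored by ossec-syscheckd in log $1.
syscheck_logged_dir() {
    grep -q "ossec-syscheckd.*Monitoring directory: '$2'" "$1"
}

# 0 if directory $2 was reported as set for real time monitoring in log $1.
syscheck_realtime_dir() {
    grep -q "ossec-syscheckd.*real time monitoring: '$2'" "$1"
}

# Number of syscheck db lines in $1 whose path (last field) is under $2.
syscheck_db_count() {
    awk -v dir="$2" 'index($NF, dir "/") == 1 { n++ } END { print n + 0 }' "$1"
}

# One status line per comma-separated directory in $3, using log $1 and db $2.
syscheck_report() {
    echo "$3" | tr ',' '\n' | while read -r d; do
        [ -n "$d" ] || continue
        logged=no; rt=no
        syscheck_logged_dir "$1" "$d" && logged=yes
        syscheck_realtime_dir "$1" "$d" && rt=yes
        printf '%s logged=%s realtime=%s db_entries=%s\n' \
            "$d" "$logged" "$rt" "$(syscheck_db_count "$2" "$d")"
    done
}

# Constructed sample log and db, mirroring directories from the thread.
SAMPLE_LOG=$(mktemp); SAMPLE_DB=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_DB"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2020/06/14 10:00:01 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2020/06/14 10:00:01 ossec-syscheckd: INFO: Monitoring directory: '/home/ubuntu/Downloads'.
2020/06/14 10:00:01 ossec-syscheckd: INFO: Directory set for real time monitoring: '/home/ubuntu/Downloads'.
2020/06/14 10:00:02 ossec-syscheckd: INFO: Initializing real-time file monitoring (not started).
EOF
cat > "$SAMPLE_DB" <<'EOF'
+++2901:100644:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 !1592100000 /etc/passwd
+++12:100644:1000:1000:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 !1592100000 /home/ubuntu/Downloads/active.txt
EOF
syscheck_report "$SAMPLE_LOG" "$SAMPLE_DB" "/etc,/home/ubuntu/Downloads,/home/ubuntu/Desktop"
```

A directory that prints logged=no never reached syscheckd's configuration at all, while logged=yes with db_entries=0 means the scan has not populated the db for it yet.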


Re: [ossec-list] Problem with alerting file changes and checksum integrity

2020-06-13 Thread John Goh
So I should just leave the IDS running for a period of time and it will log 
in real-time?

The only changes that the IDS currently logs are like files in etc and 
Mozilla cache. Nothing else in particular on those directories specified.

On Sunday, June 14, 2020 at 4:33:43 AM UTC+8, dan (ddpbsd) wrote:
>
> On Sat, Jun 13, 2020 at 7:41 AM John Goh > 
> wrote: 
> > 
> > Hi all, I'm new to the whole idea of using IDS and OSSEC. I've been 
> trying to detect certain file creation or changes in realtime but I do not 
> see it being reflected in the OSSEC web interface. The OSSEC is being 
> deployed in a local environment on Ubuntu 18.4.04 LTS. The rule I have for 
> code creation is: 
> >
> > ossec 
> > syscheck_new_entry 
> > File added to the system. 
> > syscheck, 
> >
> > 
> > The rule works as random file creation has been logged but it does not 
> work for the specific directories that I have specified. The code below is 
> the specified directories that I want to monitor. Even when I gave the 
> attribute "realtime" it does not reflect on the logs when I changed it. 
> >  
> > no 
> > 180 
> > yes 
> > 
> >  
> > /etc,/usr/bin,/usr/sbin 
> > /bin,/sbin,/boot 
> >  check_all="yes">/home/ubuntu/Downloads 
> >  check_all="yes">/home/ubuntu/Desktop,/home/ubuntu 
> >  check_all="yes">/home/ubuntu/Downloads/active.txt 
> > Even when I force a scan by using the following command: 
> > /var/ossec/bin/agent_control -r -u 000 
> > it does not work; for some reason, it keeps on stating that: "INFO: 
> Initializing real-time file monitoring (not started)." 
> > 
>
> This message is normal, realtime should be started sometime after this. 
>
> > I'm lost and I do not know what is wrong, can anybody help me with this 
> issue? 
> > 
>
> I can't remember if realtime was changed to alert on new files or not. 
> At one point it did not. 
> Do changes to the files in those directories get alerted on automatically? 
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/6d9c7c7d-722c-47e1-80cb-3dc571621927o%40googlegroups.com.


Re: [ossec-list] Problem with alerting file changes and checksum integrity

2020-06-13 Thread dan (ddp)
On Sat, Jun 13, 2020 at 7:41 AM John Goh  wrote:
>
> Hi all, I'm new to the whole idea of using IDS and OSSEC. I've been trying to 
> detect certain file creation or changes in realtime but I do not see it being 
> reflected in the OSSEC web interface. The OSSEC is being deployed in a local 
> environment on Ubuntu 18.4.04 LTS. The rule I have for code creation is:
>   
> ossec
> syscheck_new_entry
> File added to the system.
> syscheck,
>   
>
> The rule works as random file creation has been logged but it does not work 
> for the specific directories that I have specified. The code below is the 
> specified directories that I want to monitor. Even when I gave the attribute 
> "realtime" it does not reflect on the logs when I changed it.
> 
> no
> 180
> yes
>
> 
> /etc,/usr/bin,/usr/sbin
> /bin,/sbin,/boot
>  check_all="yes">/home/ubuntu/Downloads
>  check_all="yes">/home/ubuntu/Desktop,/home/ubuntu
>  check_all="yes">/home/ubuntu/Downloads/active.txt
> Even when I force a scan by using the following command:
> /var/ossec/bin/agent_control -r -u 000
> it does not work; for some reason, it keeps on stating that: "INFO: 
> Initializing real-time file monitoring (not started)."
>

This message is normal, realtime should be started sometime after this.

> I'm lost and I do not know what is wrong, can anybody help me with this issue?
>

I can't remember if realtime was changed to alert on new files or not.
At one point it did not.
Do changes to the files in those directories get alerted on automatically?


To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/CAMyQvMpxoigGzpk4ch_B7mNCqjz2hxYk-tQhw%2BM7c2J%2BLz1akw%40mail.gmail.com.


[ossec-list] Problem with alerting file changes and checksum integrity

2020-06-13 Thread John Goh


Hi all, I'm new to the whole idea of using IDS and OSSEC. I've been trying 
to detect certain file creation or changes in realtime but I do not see it 
being reflected in the OSSEC web interface. The OSSEC is being deployed in 
a local environment on Ubuntu 18.4.04 LTS. The rule I have for code 
creation is:
  
ossec
syscheck_new_entry
File added to the system.
syscheck,
  

The rule works as random file creation has been logged but it does not 
work for the specific directories that I have specified. The code below is 
the specified directories that I want to monitor. Even when I gave the 
attribute "realtime" it does not reflect on the logs when I changed it.

no
180
yes


/etc,/usr/bin,/usr/sbin
/bin,/sbin,/boot
/home/ubuntu/Downloads
/home/ubuntu/Desktop,/home/ubuntu
/home/ubuntu/Downloads/active.txt
Even when I force a scan by using the following command: 
/var/ossec/bin/agent_control -r -u 000
it does not work; for some reason, it keeps on stating that: "INFO: 
Initializing real-time file monitoring (not started)."

I'm lost and I do not know what is wrong, can anybody help me with this 
issue?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/b8a2c8b8-ec38-4310-bba9-40265da62c4fo%40googlegroups.com.