Re: [ossec-list] Agent Duplicate Folders Message

2016-10-14 Thread Kernel Panic
The server I'm using for testing went down, as soon as I get it back I'm 
gonna review it.

Thank you very much for your help, really appreciated
Regards



Re: [ossec-list] Agent Duplicate Folders Message

2016-10-14 Thread dan (ddp)
On Fri, Oct 14, 2016 at 8:55 AM, Kernel Panic  wrote:
> Taking a look in /var/ossec/logs/alerts I can see there are lots of things
> registered, not related to the files I modified, but related to ssh login
> failures, sudo stuff and the like but never get an e-mail with that report.
>

Are the files in the syscheck db (/var/ossec/queue/syscheck/something)?
Do you have alert_new_files turned on in the OSSEC server's ossec.conf?
Did you modify the rule that alerts on new files to raise the level to
something greater than 0?
Did you restart the OSSEC processes on the OSSEC server after making
these changes?

> Thank you very much for your time and support
> Regards
>
>
>
>
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to ossec-list+...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Agent Duplicate Folders Message

2016-10-14 Thread Kernel Panic
Taking a look in /var/ossec/logs/alerts I can see there are lots of things
registered, not related to the files I modified, but related to ssh login
failures, sudo stuff and the like but never get an e-mail with that report.

Thank you very much for your time and support
Regards






Re: [ossec-list] Agent Duplicate Folders Message

2016-10-14 Thread Kernel Panic
Hi there.
I'm still getting one alert e-mail type 2 even though I modified/created
some files under /etc. Am I missing something else in the configuration?
This is the server configuration.




  
yes
m...@company.com
localhost
oss...@server.com
100
yes
4096
   


  
rules_config.xml
pam_rules.xml
sshd_rules.xml
telnetd_rules.xml
syslog_rules.xml
arpwatch_rules.xml
symantec-av_rules.xml
symantec-ws_rules.xml
pix_rules.xml
named_rules.xml
smbd_rules.xml
vsftpd_rules.xml
pure-ftpd_rules.xml
proftpd_rules.xml
ms_ftpd_rules.xml
ftpd_rules.xml
hordeimp_rules.xml
roundcube_rules.xml
wordpress_rules.xml
cimserver_rules.xml
vpopmail_rules.xml
vmpop3d_rules.xml
courier_rules.xml
web_rules.xml
web_appsec_rules.xml
apache_rules.xml
nginx_rules.xml
php_rules.xml
mysql_rules.xml
postgresql_rules.xml
ids_rules.xml
squid_rules.xml
firewall_rules.xml
cisco-ios_rules.xml
netscreenfw_rules.xml
sonicwall_rules.xml
postfix_rules.xml
sendmail_rules.xml
imapd_rules.xml
mailscanner_rules.xml
dovecot_rules.xml
ms-exchange_rules.xml
racoon_rules.xml
vpn_concentrator_rules.xml
spamd_rules.xml
msauth_rules.xml
mcafee_av_rules.xml
trend-osce_rules.xml
ms-se_rules.xml

zeus_rules.xml
solaris_bsm_rules.xml
vmware_rules.xml
ms_dhcp_rules.xml
asterisk_rules.xml
ossec_rules.xml
attack_rules.xml
local_rules.xml
  


  

3600
yes

 
 /boot,/etc,/root,/home,/bin,/sbin,/usr/bin,/usr/sbin


/etc/mtab
/etc/hosts.deny
/etc/mail/statistics
/etc/random-seed
/etc/adjtime
/etc/httpd/logs
  

  
3600
/var/ossec/etc/shared/rootkit_files.txt

/var/ossec/etc/shared/rootkit_trojans.txt
  

  
127.0.0.1
  

  
secure
  

  
1
7
  

  
host-deny
host-deny.sh
srcip
yes
  

  
firewall-drop
firewall-drop.sh
srcip
yes
  

  
disable-account
disable-account.sh
user
yes
  


  
  

host-deny
local
6
600
  

  

firewall-drop
local
6
600
  

  

  
syslog
/var/log/messages
  

  
syslog
/var/log/authlog
  

  
syslog
/var/log/secure
  

  
syslog
/var/log/xferlog
  

  
syslog
/var/log/maillog
  

  
apache
/var/www/logs/access_log
  

  
apache
/var/www/logs/error_log
  

 

 ZEBRA OSSEC Security Report For The Masses







Thanks for your patience.


Re: [ossec-list] Agent Duplicate Folders Message

2016-10-13 Thread Kernel Panic
Thank you!



Re: [ossec-list] Agent Duplicate Folders Message

2016-10-13 Thread dan (ddp)
On Thu, Oct 13, 2016 at 1:09 PM, Kernel Panic  wrote:
> Hi
> Does this still apply?
> I have this option enabled: yes along
> with the realtime=yes.
>
> From another post on the list:
>>In the past new files were not alerted in real time. I'm not sure if
>>this has changed. Any of the developers know?
>

Was there a response to this post? I don't think it's changed, but I'm
sure I miss commits here and there.

>
> Another question, by reading this
> http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.global.html
> I can see that there are values that can be adjusted, for example host
> information, by default 8, how do I interpret that, the greater the number,
> the more verbose? I just made some modification under /etc, created some file

That would be the alert level. It does not change verbosity, just the
level of the alert.

> modified other just to test, but still have no e-mail, I'm only getting an
> e-mail regarding a service log and nothing else, which is the parameter to
> tell ossec to send all the issues?
>

For the new file, you probably need a full syscheck scan for it to be picked up.
For the modified file, if it's already in the syscheck db, you should
be alerted relatively quickly (if realtime is enabled and currently
running).

Other than that, OSSEC should send all alerts.

> Last question:
> 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck scan
> (forwarding database).
> 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck database
> (pre-scan).
> 2016/10/13 11:10:35 ossec-syscheckd: INFO: Initializing real time file
> monitoring (not started).
>
> Which service is not started?  the doc says the package inotify should be
> installed and I have it inotify-tools-3.13-2.el6.art.x86_64
>

That doesn't indicate that a service hasn't started, just that the
realtime feature hasn't started working yet.
There's a delay for realtime to start.

> Thank you very much!!
> Regards
>
>
>
>


Re: [ossec-list] Agent Duplicate Folders Message

2016-10-13 Thread Kernel Panic
Hi
Does this still apply? 
I have this option enabled: yes along 
with the realtime=yes.

From another post on the list:
>In the past new files were not alerted in real time. I'm not sure if 
>this has changed. Any of the developers know? 


Another question, by reading this
http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.global.html
I can see that there are values that can be adjusted, for example host
information, by default 8, how do I interpret that, the greater the
number, the more verbose? I just made some modification under /etc, created
some file modified other just to test, but still have no e-mail, I'm only
getting an e-mail regarding a service log and nothing else, which is the
parameter to tell ossec to send all the issues?

Last question:
2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck scan 
(forwarding database).
2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck database 
(pre-scan).
2016/10/13 11:10:35 ossec-syscheckd: INFO: Initializing real time file 
monitoring (not started).

Which service is not started?  the doc says the package inotify should be 
installed and I have it inotify-tools-3.13-2.el6.art.x86_64

Thank you very much!!
Regards






Re: [ossec-list] Agent Duplicate Folders Message

2016-10-13 Thread Kernel Panic
Thank you very much for your clarification, now it's much more clear to 
me!!!

Regards


El jueves, 13 de octubre de 2016, 10:32:16 (UTC-3), dan (ddpbsd) escribió:
>
> On Thu, Oct 13, 2016 at 9:21 AM, Kernel Panic  > wrote: 
> > 
> > Hi 
> > Let's see, shouldn't I have to configure on each tag to which directory 
> I 
> > want to apply it? as in check_all , directories,  realtime and which 
> > directories, or are they global parameters? that's why I included home 
> and 
> > root on both of them. 
> > 
>
>
> Each option applies to the directories configured in it. 
>
> >  > 
> check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin 
>
> > 
>
> This checks all of the hashes, owner, and permissions. 
>
> >   check_all="yes">/root,/home,/etc 
> > 
>
> This does realtime checks of all of the above, and should produce an 
> error because the "/root," "/home," and "/etc" directories are 
> duplicated. 
> Duplication of directories can cause issues, so it's best not to do 
> it. The way to solve this is not to duplicate these directories in the 
> second configuration by not including them in the first. 
> For example: 
>
> /bin,/sbin,/usr/bin,/usr/sbin 
> /root,/home,/etc 
>
> Now, if you want to add "report_changes" to /etc, you'll have to 
> remove it from the above configuration. You'll end up with: 
>
> /bin,/sbin,/usr/bin,/usr/sbin 
> /root,/home 
>  report_changes="yes">/etc 
>
> > 
> > Thank you very much 
> > Best Regards
> > 
>



Re: [ossec-list] Agent Duplicate Folders Message

2016-10-13 Thread dan (ddp)
On Thu, Oct 13, 2016 at 9:21 AM, Kernel Panic wrote:
>
> Hi
> Let's see, shouldn't I have to configure on each tag to which directory I
> want to apply it? As in check_all, directories, realtime and which
> directories, or are they global parameters? That's why I included home and
> root on both of them.
>


Each option applies to the directories configured in it.

>  check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin
>

This checks all of the hashes, owner, and permissions.

>  /root,/home,/etc
>

This does realtime checks of all of the above, and should produce an
error because the "/root," "/home," and "/etc" directories are
duplicated.
Duplication of directories can cause issues, so it's best not to do
it. The way to solve this is not to duplicate these directories in the
second configuration by not including them in the first.
For example:

/bin,/sbin,/usr/bin,/usr/sbin
/root,/home,/etc

Now, if you want to add "report_changes" to /etc, you'll have to
remove it from the above configuration. You'll end up with:

/bin,/sbin,/usr/bin,/usr/sbin
/root,/home
/etc

>
> Thank you very much
> Best Regards
>
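
The duplicate and empty entries discussed in this thread can be caught before the agent is restarted. The Python sketch below is an added example, not part of the original messages and not OSSEC code; the XML samples are constructed from the thread's description (the archive stripped the tags), and the attributes on the shared agent.conf entries and on the corrected layout are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
# Constructed samples, rebuilt from the thread's description because the
# archive lost the XML tags; they are not copies of the poster's files.
LOCAL_CONF = """
<ossec_config><syscheck>
  <directories check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin</directories>
  <directories realtime="yes" check_all="yes">/root,/home,/etc</directories>
  <directories check_all="yes"></directories>
</syscheck></ossec_config>
"""
SHARED_CONF = """
<agent_config><syscheck>
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>
</syscheck></agent_config>
"""
FIXED_CONF = """
<ossec_config><syscheck>
  <directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories>
  <directories realtime="yes" check_all="yes">/root,/home</directories>
  <directories realtime="yes" check_all="yes" report_changes="yes">/etc</directories>
</syscheck></ossec_config>
"""

def syscheck_entries(name, text):
    """Yield (source, [paths]) for each <directories> element in one file."""
    # OSSEC files may hold several top-level blocks, so wrap them in one root.
    root = ET.fromstring("<wrap>" + text + "</wrap>")
    for n, el in enumerate(root.iter("directories"), 1):
        raw = (el.text or "").split(",")
        paths = [p.strip().rstrip("/") or "/" for p in raw if p.strip()]
        yield f"{name}#{n}", paths

def audit(configs):
    """Return (duplicates, empties) across all files given as {name: text}."""
    seen, empties = defaultdict(list), []
    for name, text in configs.items():
        for source, paths in syscheck_entries(name, text):
            if not paths:
                empties.append(source)   # entry that monitors nothing
            for p in paths:
                seen[p].append(source)
    dups = {p: s for p, s in seen.items() if len(s) > 1}
    return dups, empties

if __name__ == "__main__":
    dups, empties = audit({"ossec.conf": LOCAL_CONF, "agent.conf": SHARED_CONF})
    for path, sources in sorted(dups.items()):
        print(f"duplicate {path}: {', '.join(sources)}")
    print("empty entries:", empties)
```

Run on the corrected layout alone it reports nothing; run together with the shared agent.conf sample it still reports overlaps, so both files need to be reviewed together.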



Re: [ossec-list] Agent Duplicate Folders Message

2016-10-13 Thread Kernel Panic

Hi
Let's see, shouldn't I have to configure on each tag to which directory I
want to apply it? As in check_all, directories, realtime and which
directories, or are they global parameters? That's why I included home and
root on both of them.

/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin

 /root,/home,/etc

Thank you very much
Best Regards



On Wednesday, October 12, 2016, 20:19:08 (UTC-3), dan (ddpbsd) wrote:
>
> On Oct 12, 2016 4:49 PM, "Kernel Panic" wrote:
> >
> > Hi there guys,
> >
> > When starting the agent I get this info:
> >
> > Starting ossec-hids: 2016/10/12 15:43:05 ossec-agentd: INFO: Using 
> notify time: 600 and max time to reconnect: 1800
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory 
> given: '/root'.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory 
> given: ''.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory 
> given: ''.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory 
> given: ''.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory 
> given: ''.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory 
> given: ''.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory 
> given: '/etc'.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory 
> given: '/bin'.
> >
> > 2016/10/12 15:43:11 ossec-syscheckd: INFO: Monitoring directory: ''.
> >
> > This is what I configured:
> >
> > 
> >  check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin
> >  check_all="yes">/root,/home,/etc
>
> You have "/root" in both of the above entries.
>
> > 
> > 
>
> Why do you have all of these empty entries? They're not checking anything, 
> I'm actually a little surprised they didn't cause more problems.
>
> > 
> > 
> > 
> > 
> >
> > Where is that data duplicated? I noticed that under the shared directory 
> there is an agent.conf which contains
> >
> >  
> > /etc,/usr/bin,/usr/sbin
> > /bin,/sbin
> >
> > Is that configuration file taken into account? If I remove it it's 
> created once again.
> >
>
> Yes, that file also provides configuration. It's provided by the OSSEC 
> server.
>
> > Thank you for your time and support
> > Regards
> >
> >
> >
>



Re: [ossec-list] Agent Duplicate Folders Message

2016-10-13 Thread Kernel Panic
Hi
Is this much better now? Is realtime a global option (realtime to all) or
do I have to tell on which directories I want the realtime monitoring?


/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin
/root,/home,/etc
/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin

Thank you very much for your patience.
Regards


On Wednesday, October 12, 2016, 20:19:08 (UTC-3), dan (ddpbsd) wrote:
>
> On Oct 12, 2016 4:49 PM, "Kernel Panic" wrote:
> >
> > Hi there guys,
> >
> > When starting the agent I get this info:
> >
> > Starting ossec-hids: 2016/10/12 15:43:05 ossec-agentd: INFO: Using 
> notify time: 600 and max time to reconnect: 1800
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory 
> given: '/root'.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory 
> given: ''.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory 
> given: ''.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory 
> given: ''.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory 
> given: ''.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory 
> given: ''.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory 
> given: '/etc'.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory 
> given: '/bin'.
> >
> > 2016/10/12 15:43:11 ossec-syscheckd: INFO: Monitoring directory: ''.
> >
> > This is what I configured:
> >
> > 
> >  check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin
> >  check_all="yes">/root,/home,/etc
>
> You have "/root" in both of the above entries.
>
> > 
> > 
>
> Why do you have all of these empty entries? They're not checking anything, 
> I'm actually a little surprised they didn't cause more problems.
>
> > 
> > 
> > 
> > 
> >
> > Where is that data duplicated? I noticed that under the shared directory 
> there is an agent.conf which contains
> >
> >  
> > /etc,/usr/bin,/usr/sbin
> > /bin,/sbin
> >
> > Is that configuration file taken into account? If I remove it it's 
> created once again.
> >
>
> Yes, that file also provides configuration. It's provided by the OSSEC 
> server.
>
> > Thank you for your time and support
> > Regards
> >
> >
> >
>



Re: [ossec-list] Agent Duplicate Folders Message

2016-10-13 Thread Kernel Panic
Hi
Ok, so, are those global variables? I thought I had to specify for every
tag to which directory I want it to apply that configuration, that's why I
included root and home on both, realtime and check_all.

/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin
/root,/home,/etc


So, do I have to include the directories, right? Makes sense, my bad.








Thank you very much
Best Regards


On Wednesday, October 12, 2016, 20:19:08 (UTC-3), dan (ddpbsd) wrote:
>
> On Oct 12, 2016 4:49 PM, "Kernel Panic" wrote:
> >
> > Hi there guys,
> >
> > When starting the agent I get this info:
> >
> > Starting ossec-hids: 2016/10/12 15:43:05 ossec-agentd: INFO: Using 
> notify time: 600 and max time to reconnect: 1800
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory 
> given: '/root'.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory 
> given: ''.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory 
> given: ''.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory 
> given: ''.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory 
> given: ''.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory 
> given: ''.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory 
> given: '/etc'.
> > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory 
> given: '/bin'.
> >
> > 2016/10/12 15:43:11 ossec-syscheckd: INFO: Monitoring directory: ''.
> >
> > This is what I configured:
> >
> > 
> >  check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin
> >  check_all="yes">/root,/home,/etc
>
> You have "/root" in both of the above entries.
>
> > 
> > 
>
> Why do you have all of these empty entries? They're not checking anything, 
> I'm actually a little surprised they didn't cause more problems.
>
> > 
> > 
> > 
> > 
> >
> > Where is that data duplicated? I noticed that under the shared directory 
> there is an agent.conf which contains
> >
> >  
> > /etc,/usr/bin,/usr/sbin
> > /bin,/sbin
> >
> > Is that configuration file taken into account? If I remove it it's 
> created once again.
> >
>
> Yes, that file also provides configuration. It's provided by the OSSEC 
> server.
>
> > Thank you for your time and support
> > Regards
> >
> >
> >
>



Re: [ossec-list] Agent Duplicate Folders Message

2016-10-12 Thread dan (ddp)
On Oct 12, 2016 4:49 PM, "Kernel Panic"  wrote:
>
> Hi there guys,
>
> When starting the agent I get this info:
>
> Starting ossec-hids: 2016/10/12 15:43:05 ossec-agentd: INFO: Using notify
time: 600 and max time to reconnect: 1800
> 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory
given: '/root'.
> 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory
given: ''.
> 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory
given: ''.
> 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory
given: ''.
> 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory
given: ''.
> 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory
given: ''.
> 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory
given: '/etc'.
> 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory
given: '/bin'.
>
> 2016/10/12 15:43:11 ossec-syscheckd: INFO: Monitoring directory: ''.
>
> This is what I configured:
>
> 
> /root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin
> /root,/home,/etc

You have "/root" in both of the above entries.

> 
> 

Why do you have all of these empty entries? They're not checking anything,
I'm actually a little surprised they didn't cause more problems.

> 
> 
> 
> 
>
> Where is that data duplicated? I noticed that under the shared directory
there is an agent.conf which contains
>
>  
> /etc,/usr/bin,/usr/sbin
> /bin,/sbin
>
> Is that configuration file taken into account? If I remove it it's
created once again.
>

Yes, that file also provides configuration. It's provided by the OSSEC
server.

> Thank you for your time and support
> Regards
>
>
>



[ossec-list] Agent Duplicate Folders Message

2016-10-12 Thread Kernel Panic
Hi there guys,

When starting the agent I get this info:

*Starting ossec-hids: 2016/10/12 15:43:05 ossec-agentd: INFO: Using notify 
time: 600 and max time to reconnect: 1800*
2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: 
'/root'.
2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: 
''.
2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: 
''.
2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: 
''.
2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: 
''.
2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: 
''.
2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: 
'/etc'.
2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: 
'/bin'. 
2016/10/12 15:43:11 ossec-syscheckd: INFO: Monitoring directory: ''.

This is what I configured:


/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin
/root,/home,/etc







Where is that data duplicated? I noticed that under the shared directory 
there is an agent.conf which contains

 
/etc,/usr/bin,/usr/sbin
/bin,/sbin

Is that configuration file taken into account? If I remove it it's created 
once again.

Thank you for your time and support
Regards


