Re: [ossec-list] Agent Duplicate Folders Message
The server I'm using for testing went down, as soon as I get it back I'm gonna review it. Thank you very much for your help, relly appreciated Regards El viernes, 14 de octubre de 2016, 10:26:53 (UTC-3), dan (ddpbsd) escribió: > > On Fri, Oct 14, 2016 at 8:55 AM, Kernel Panic> wrote: > > Taking a look in /var/ossec/logs/alerts I can see there are lots of > things > > registered, no related to the files I modified, but related to ssh login > > failures, sudo stuff and the like but never get an e-mail with that > report. > > > > Are the files in the syscheck db (/var/ossec/queue/syscheck/something)? > Do you have alert_new_files turned on in the OSSEC server's ossec.conf? > Did you modify the rule that alerts on new files to raise the level to > something greater than 0? > Did you restart the OSSEC processes on the OSSEC server after making > these changes? > > > Thank you very much for your time and support > > Regards > > > > > > > > > > El jueves, 13 de octubre de 2016, 14:47:25 (UTC-3), dan (ddpbsd) > escribió: > >> > >> On Thu, Oct 13, 2016 at 1:09 PM, Kernel Panic > wrote: > >> > Hi > >> > Does this still apply? > >> > I have this option enabled: yes > along > >> > with the realtime=yes. > >> > > >> > From another post on the list: > >> >>In the past new files were not alerted in real time. I'm not sure if > >> >>this has changed. Any of the developers know? > >> > > >> > >> Was there a response to this post? I don't think it's changed, but I'm > >> sure I miss commits here and there. > >> > >> > > >> > Another question , by reading this > >> > > >> > > http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.global.html > > >> > I can see that there are values that can be adjusted, for example > host > >> > information, by default 8, how do I interpret that, there greater the > >> > number > >> > more verbose? I just made some modification under /etc, created some > >> > file > >> > >> That would be the alert level. It does not change verbosity, just the > >> level of the alert. > >> > >> > modified other just to test, but still have no e-mail, I'm only > getting > >> > an > >> > e-mail regarding a service log and nothing else, which is the > parameter > >> > to > >> > tell ossec to send all the issues? > >> > > >> > >> For the new file, you probably need a full syscheck scan for it to be > >> picked up. > >> For the modified file, if it's already in the syscheck db, you should > >> be alerted relatively quickly (if realtime is enabled and currently > >> running). > >> > >> Other than that, OSSEC should send all alerts. > >> > >> > Last question: > >> > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck scan > >> > (forwarding database). > >> > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck database > >> > (pre-scan). > >> > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Initializing real time > file > >> > monitoring (not started). > >> > > >> > Which service is not started? the doc says the package inotify > should > >> > be > >> > installed and I have it inotify-tools-3.13-2.el6.art.x86_64 > >> > > >> > >> That doesn't indicate that a service hasn't started, just that the > >> realtime feature hasn't started working yet. > >> There's a delay for realtime to start. > >> > >> > Thank you very much!! > >> > Regards > >> > > >> > > >> > > >> > > >> > El jueves, 13 de octubre de 2016, 10:32:16 (UTC-3), dan (ddpbsd) > >> > escribió: > >> >> > >> >> On Thu, Oct 13, 2016 at 9:21 AM, Kernel Panic > >> >> wrote: > >> >> > > >> >> > Hi > >> >> > Let's see, shouldn't I have to configure on each tag to which > >> >> > directory > >> >> > I > >> >> > want to apply it? as in check_all , directories, realtime and > which > >> >> > directories, or are they global parameters? that's why I included > >> >> > home > >> >> > and > >> >> > root on both of them. > >> >> > > >> >> > >> >> > >> >> Each option applies to the directories configured in it. > >> >> > >> >> > >> >> > > >> >> > > >> >> > > check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin > > >> >> > > >> >> > >> >> This checks all of the hashes, owner, and permissions. > >> >> > >> >> > >> >> > check_all="yes">/root,/home,/etc > >> >> > > >> >> > >> >> This does realtime checks of all of the above, and should produce an > >> >> error because the "/root," "/home," and "/etc" directories are > >> >> duplicated. > >> >> Duplication of directories can cause issues, so it's best not to do > >> >> it. The way to solve this is not to duplicate these directories in > the > >> >> second configuration by not including them in the first. > >> >> For example: > >> >> > >> >> >> >> check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin > >> >> >> >> realtime="yes">/root,/home,/etc > >> >> > >> >> Now, if you want to add
Re: [ossec-list] Agent Duplicate Folders Message
On Fri, Oct 14, 2016 at 8:55 AM, Kernel Panicwrote: > Taking a look in /var/ossec/logs/alerts I can see there are lots of things > registered, no related to the files I modified, but related to ssh login > failures, sudo stuff and the like but never get an e-mail with that report. > Are the files in the syscheck db (/var/ossec/queue/syscheck/something)? Do you have alert_new_files turned on in the OSSEC server's ossec.conf? Did you modify the rule that alerts on new files to raise the level to something greater than 0? Did you restart the OSSEC processes on the OSSEC server after making these changes? > Thank you very much for your time and support > Regards > > > > > El jueves, 13 de octubre de 2016, 14:47:25 (UTC-3), dan (ddpbsd) escribió: >> >> On Thu, Oct 13, 2016 at 1:09 PM, Kernel Panic wrote: >> > Hi >> > Does this still apply? >> > I have this option enabled: yes along >> > with the realtime=yes. >> > >> > From another post on the list: >> >>In the past new files were not alerted in real time. I'm not sure if >> >>this has changed. Any of the developers know? >> > >> >> Was there a response to this post? I don't think it's changed, but I'm >> sure I miss commits here and there. >> >> > >> > Another question , by reading this >> > >> > http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.global.html >> > I can see that there are values that can be adjusted, for example host >> > information, by default 8, how do I interpret that, there greater the >> > number >> > more verbose? I just made some modification under /etc, created some >> > file >> >> That would be the alert level. It does not change verbosity, just the >> level of the alert. >> >> > modified other just to test, but still have no e-mail, I'm only getting >> > an >> > e-mail regarding a service log and nothing else, which is the parameter >> > to >> > tell ossec to send all the issues? >> > >> >> For the new file, you probably need a full syscheck scan for it to be >> picked up. >> For the modified file, if it's already in the syscheck db, you should >> be alerted relatively quickly (if realtime is enabled and currently >> running). >> >> Other than that, OSSEC should send all alerts. >> >> > Last question: >> > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck scan >> > (forwarding database). >> > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck database >> > (pre-scan). >> > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Initializing real time file >> > monitoring (not started). >> > >> > Which service is not started? the doc says the package inotify should >> > be >> > installed and I have it inotify-tools-3.13-2.el6.art.x86_64 >> > >> >> That doesn't indicate that a service hasn't started, just that the >> realtime feature hasn't started working yet. >> There's a delay for realtime to start. >> >> > Thank you very much!! >> > Regards >> > >> > >> > >> > >> > El jueves, 13 de octubre de 2016, 10:32:16 (UTC-3), dan (ddpbsd) >> > escribió: >> >> >> >> On Thu, Oct 13, 2016 at 9:21 AM, Kernel Panic >> >> wrote: >> >> > >> >> > Hi >> >> > Let's see, shouldn't I have to configure on each tag to which >> >> > directory >> >> > I >> >> > want to apply it? as in check_all , directories, realtime and which >> >> > directories, or are they global parameters? that's why I included >> >> > home >> >> > and >> >> > root on both of them. >> >> > >> >> >> >> >> >> Each option applies to the directories configured in it. >> >> >> >> > > >> > >> >> > >> >> > check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin >> >> > >> >> >> >> This checks all of the hashes, owner, and permissions. >> >> >> >> > > >> > check_all="yes">/root,/home,/etc >> >> > >> >> >> >> This does realtime checks of all of the above, and should produce an >> >> error because the "/root," "/home," and "/etc" directories are >> >> duplicated. >> >> Duplication of directories can cause issues, so it's best not to do >> >> it. The way to solve this is not to duplicate these directories in the >> >> second configuration by not including them in the first. >> >> For example: >> >> >> >> > >> check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin >> >> > >> realtime="yes">/root,/home,/etc >> >> >> >> Now, if you want to add "report_changes" to /etc, you'll have to >> >> remove it from the above configuration. You'll end up with: >> >> >> >> > >> check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin >> >> /root,/home >> >> > >> report_changes="yes">/etc >> >> >> >> > >> >> > Thank you very much >> >> > Best Regerds >> >> > >> > >> > -- >> > >> > --- >> > You received this message because you are subscribed to the Google >> > Groups >> > "ossec-list" group. >> > To unsubscribe from this group and stop receiving emails from it, send >> > an >> > email to ossec-list+...@googlegroups.com. >> > For more options, visit https://groups.google.com/d/optout. > > -- > > --- > You received this
Re: [ossec-list] Agent Duplicate Folders Message
Taking a look in /var/ossec/logs/alerts I can see there are lots of things registered, no related to the files I modified, but related to ssh login failures, sudo stuff and the like but never get an e-mail with that report. Thank you very much for your time and support Regards El jueves, 13 de octubre de 2016, 14:47:25 (UTC-3), dan (ddpbsd) escribió: > > On Thu, Oct 13, 2016 at 1:09 PM, Kernel Panic> wrote: > > Hi > > Does this still apply? > > I have this option enabled: yes along > > with the realtime=yes. > > > > From another post on the list: > >>In the past new files were not alerted in real time. I'm not sure if > >>this has changed. Any of the developers know? > > > > Was there a response to this post? I don't think it's changed, but I'm > sure I miss commits here and there. > > > > > Another question , by reading this > > > http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.global.html > > > I can see that there are values that can be adjusted, for example host > > information, by default 8, how do I interpret that, there greater the > number > > more verbose? I just made some modification under /etc, created some > file > > That would be the alert level. It does not change verbosity, just the > level of the alert. > > > modified other just to test, but still have no e-mail, I'm only getting > an > > e-mail regarding a service log and nothing else, which is the parameter > to > > tell ossec to send all the issues? > > > > For the new file, you probably need a full syscheck scan for it to be > picked up. > For the modified file, if it's already in the syscheck db, you should > be alerted relatively quickly (if realtime is enabled and currently > running). > > Other than that, OSSEC should send all alerts. > > > Last question: > > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck scan > > (forwarding database). > > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck database > > (pre-scan). > > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Initializing real time file > > monitoring (not started). > > > > Which service is not started? the doc says the package inotify should > be > > installed and I have it inotify-tools-3.13-2.el6.art.x86_64 > > > > That doesn't indicate that a service hasn't started, just that the > realtime feature hasn't started working yet. > There's a delay for realtime to start. > > > Thank you very much!! > > Regards > > > > > > > > > > El jueves, 13 de octubre de 2016, 10:32:16 (UTC-3), dan (ddpbsd) > escribió: > >> > >> On Thu, Oct 13, 2016 at 9:21 AM, Kernel Panic > wrote: > >> > > >> > Hi > >> > Let's see, shouldn't I have to configure on each tag to which > directory > >> > I > >> > want to apply it? as in check_all , directories, realtime and which > >> > directories, or are they global parameters? that's why I included > home > >> > and > >> > root on both of them. > >> > > >> > >> > >> Each option applies to the directories configured in it. > >> > >> > >> > > >> > > check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin > > >> > > >> > >> This checks all of the hashes, owner, and permissions. > >> > >> > >> > check_all="yes">/root,/home,/etc > >> > > >> > >> This does realtime checks of all of the above, and should produce an > >> error because the "/root," "/home," and "/etc" directories are > >> duplicated. > >> Duplication of directories can cause issues, so it's best not to do > >> it. The way to solve this is not to duplicate these directories in the > >> second configuration by not including them in the first. > >> For example: > >> > >> check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin > >> realtime="yes">/root,/home,/etc > >> > >> Now, if you want to add "report_changes" to /etc, you'll have to > >> remove it from the above configuration. You'll end up with: > >> > >> check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin > >> /root,/home > >> >> report_changes="yes">/etc > >> > >> > > >> > Thank you very much > >> > Best Regerds > >> > > > > > -- > > > > --- > > You received this message because you are subscribed to the Google > Groups > > "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send > an > > email to ossec-list+...@googlegroups.com . > > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Agent Duplicate Folders Message
Hi there. I'm still getting one alert e-mail type 2 eventhough I modified/created some files under /etc am I missing something else in the configuration? This is the server coniguration. yes m...@company.com localhost oss...@server.com 100 yes 4096 rules_config.xml pam_rules.xml sshd_rules.xml telnetd_rules.xml syslog_rules.xml arpwatch_rules.xml symantec-av_rules.xml symantec-ws_rules.xml pix_rules.xml named_rules.xml smbd_rules.xml vsftpd_rules.xml pure-ftpd_rules.xml proftpd_rules.xml ms_ftpd_rules.xml ftpd_rules.xml hordeimp_rules.xml roundcube_rules.xml wordpress_rules.xml cimserver_rules.xml vpopmail_rules.xml vmpop3d_rules.xml courier_rules.xml web_rules.xml web_appsec_rules.xml apache_rules.xml nginx_rules.xml php_rules.xml mysql_rules.xml postgresql_rules.xml ids_rules.xml squid_rules.xml firewall_rules.xml cisco-ios_rules.xml netscreenfw_rules.xml sonicwall_rules.xml postfix_rules.xml sendmail_rules.xml imapd_rules.xml mailscanner_rules.xml dovecot_rules.xml ms-exchange_rules.xml racoon_rules.xml vpn_concentrator_rules.xml spamd_rules.xml msauth_rules.xml mcafee_av_rules.xml trend-osce_rules.xml ms-se_rules.xml zeus_rules.xml solaris_bsm_rules.xml vmware_rules.xml ms_dhcp_rules.xml asterisk_rules.xml ossec_rules.xml attack_rules.xml local_rules.xml 3600 yes /boot,/etc,/root,/home,/bin,/sbin,/usr/bin,/usr/sbin /etc/mtab /etc/hosts.deny /etc/mail/statistics /etc/random-seed /etc/adjtime /etc/httpd/logs 3600 /var/ossec/etc/shared/rootkit_files.txt /var/ossec/etc/shared/rootkit_trojans.txt 127.0.0.1 secure 1 7 host-deny host-deny.sh srcip yes firewall-drop firewall-drop.sh srcip yes disable-account disable-account.sh user yes host-deny local 6 600 firewall-drop local 6 600 syslog /var/log/messages syslog /var/log/authlog syslog /var/log/secure syslog /var/log/xferlog syslog /var/log/maillog apache /var/www/logs/access_log apache /var/www/logs/error_log ZEBRA OSSEC Security Report For The Masses Thank for your patience. El jueves, 13 de octubre de 2016, 14:47:25 (UTC-3), dan (ddpbsd) escribió: > > On Thu, Oct 13, 2016 at 1:09 PM, Kernel Panic> wrote: > > Hi > > Does this still apply? > > I have this option enabled: yes along > > with the realtime=yes. > > > > From another post on the list: > >>In the past new files were not alerted in real time. I'm not sure if > >>this has changed. Any of the developers know? > > > > Was there a response to this post? I don't think it's changed, but I'm > sure I miss commits here and there. > > > > > Another question , by reading this > > > http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.global.html > > > I can see that there are values that can be adjusted, for example host > > information, by default 8, how do I interpret that, there greater the > number > > more verbose? I just made some modification under /etc, created some > file > > That would be the alert level. It does not change verbosity, just the > level of the alert. > > > modified other just to test, but still have no e-mail, I'm only getting > an > > e-mail regarding a service log and nothing else, which is the parameter > to > > tell ossec to send all the issues? > > > > For the new file, you probably need a full syscheck scan for it to be > picked up. > For the modified file, if it's already in the syscheck db, you should > be alerted relatively quickly (if realtime is enabled and currently > running). > > Other than that, OSSEC should send all alerts. > > > Last question: > > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck scan > > (forwarding database). > > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck database > > (pre-scan). > > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Initializing real time file > > monitoring (not started). > > > > Which service is not started? the doc says the package inotify should > be > > installed and I have it inotify-tools-3.13-2.el6.art.x86_64 > > > > That doesn't indicate that a service hasn't started, just that the > realtime feature hasn't started working yet. > There's a delay for realtime to start. > > > Thank you very much!! > > Regards > > > > > > > > > > El jueves, 13 de octubre de 2016, 10:32:16 (UTC-3), dan (ddpbsd) > escribió: > >> > >> On Thu, Oct 13, 2016 at 9:21
Re: [ossec-list] Agent Duplicate Folders Message
Thank you! El jueves, 13 de octubre de 2016, 14:47:25 (UTC-3), dan (ddpbsd) escribió: > > On Thu, Oct 13, 2016 at 1:09 PM, Kernel Panic> wrote: > > Hi > > Does this still apply? > > I have this option enabled: yes along > > with the realtime=yes. > > > > From another post on the list: > >>In the past new files were not alerted in real time. I'm not sure if > >>this has changed. Any of the developers know? > > > > Was there a response to this post? I don't think it's changed, but I'm > sure I miss commits here and there. > > > > > Another question , by reading this > > > http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.global.html > > > I can see that there are values that can be adjusted, for example host > > information, by default 8, how do I interpret that, there greater the > number > > more verbose? I just made some modification under /etc, created some > file > > That would be the alert level. It does not change verbosity, just the > level of the alert. > > > modified other just to test, but still have no e-mail, I'm only getting > an > > e-mail regarding a service log and nothing else, which is the parameter > to > > tell ossec to send all the issues? > > > > For the new file, you probably need a full syscheck scan for it to be > picked up. > For the modified file, if it's already in the syscheck db, you should > be alerted relatively quickly (if realtime is enabled and currently > running). > > Other than that, OSSEC should send all alerts. > > > Last question: > > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck scan > > (forwarding database). > > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck database > > (pre-scan). > > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Initializing real time file > > monitoring (not started). > > > > Which service is not started? the doc says the package inotify should > be > > installed and I have it inotify-tools-3.13-2.el6.art.x86_64 > > > > That doesn't indicate that a service hasn't started, just that the > realtime feature hasn't started working yet. > There's a delay for realtime to start. > > > Thank you very much!! > > Regards > > > > > > > > > > El jueves, 13 de octubre de 2016, 10:32:16 (UTC-3), dan (ddpbsd) > escribió: > >> > >> On Thu, Oct 13, 2016 at 9:21 AM, Kernel Panic > wrote: > >> > > >> > Hi > >> > Let's see, shouldn't I have to configure on each tag to which > directory > >> > I > >> > want to apply it? as in check_all , directories, realtime and which > >> > directories, or are they global parameters? that's why I included > home > >> > and > >> > root on both of them. > >> > > >> > >> > >> Each option applies to the directories configured in it. > >> > >> > >> > > >> > > check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin > > >> > > >> > >> This checks all of the hashes, owner, and permissions. > >> > >> > >> > check_all="yes">/root,/home,/etc > >> > > >> > >> This does realtime checks of all of the above, and should produce an > >> error because the "/root," "/home," and "/etc" directories are > >> duplicated. > >> Duplication of directories can cause issues, so it's best not to do > >> it. The way to solve this is not to duplicate these directories in the > >> second configuration by not including them in the first. > >> For example: > >> > >> check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin > >> realtime="yes">/root,/home,/etc > >> > >> Now, if you want to add "report_changes" to /etc, you'll have to > >> remove it from the above configuration. You'll end up with: > >> > >> check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin > >> /root,/home > >> >> report_changes="yes">/etc > >> > >> > > >> > Thank you very much > >> > Best Regerds > >> > > > > > -- > > > > --- > > You received this message because you are subscribed to the Google > Groups > > "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send > an > > email to ossec-list+...@googlegroups.com . > > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Agent Duplicate Folders Message
On Thu, Oct 13, 2016 at 1:09 PM, Kernel Panicwrote: > Hi > Does this still apply? > I have this option enabled: yes along > with the realtime=yes. > > From another post on the list: >>In the past new files were not alerted in real time. I'm not sure if >>this has changed. Any of the developers know? > Was there a response to this post? I don't think it's changed, but I'm sure I miss commits here and there. > > Another question , by reading this > http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.global.html > I can see that there are values that can be adjusted, for example host > information, by default 8, how do I interpret that, there greater the number > more verbose? I just made some modification under /etc, created some file That would be the alert level. It does not change verbosity, just the level of the alert. > modified other just to test, but still have no e-mail, I'm only getting an > e-mail regarding a service log and nothing else, which is the parameter to > tell ossec to send all the issues? > For the new file, you probably need a full syscheck scan for it to be picked up. For the modified file, if it's already in the syscheck db, you should be alerted relatively quickly (if realtime is enabled and currently running). Other than that, OSSEC should send all alerts. > Last question: > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck scan > (forwarding database). > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck database > (pre-scan). > 2016/10/13 11:10:35 ossec-syscheckd: INFO: Initializing real time file > monitoring (not started). > > Which service is not started? the doc says the package inotify should be > installed and I have it inotify-tools-3.13-2.el6.art.x86_64 > That doesn't indicate that a service hasn't started, just that the realtime feature hasn't started working yet. There's a delay for realtime to start. > Thank you very much!! > Regards > > > > > El jueves, 13 de octubre de 2016, 10:32:16 (UTC-3), dan (ddpbsd) escribió: >> >> On Thu, Oct 13, 2016 at 9:21 AM, Kernel Panic wrote: >> > >> > Hi >> > Let's see, shouldn't I have to configure on each tag to which directory >> > I >> > want to apply it? as in check_all , directories, realtime and which >> > directories, or are they global parameters? that's why I included home >> > and >> > root on both of them. >> > >> >> >> Each option applies to the directories configured in it. >> >> > > > >> > check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin >> > >> >> This checks all of the hashes, owner, and permissions. >> >> > > > check_all="yes">/root,/home,/etc >> > >> >> This does realtime checks of all of the above, and should produce an >> error because the "/root," "/home," and "/etc" directories are >> duplicated. >> Duplication of directories can cause issues, so it's best not to do >> it. The way to solve this is not to duplicate these directories in the >> second configuration by not including them in the first. >> For example: >> >> /bin,/sbin,/usr/bin,/usr/sbin >> /root,/home,/etc >> >> Now, if you want to add "report_changes" to /etc, you'll have to >> remove it from the above configuration. You'll end up with: >> >> /bin,/sbin,/usr/bin,/usr/sbin >> /root,/home >> > report_changes="yes">/etc >> >> > >> > Thank you very much >> > Best Regerds >> > > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Agent Duplicate Folders Message
Hi Does this still apply? I have this option enabled: yes along with the realtime=yes. >From another post on the list: >In the past new files were not alerted in real time. I'm not sure if >this has changed. Any of the developers know? Another question , by reading this http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.global.html I can see that there are values that can be adjusted, for example host information, by default 8, how do I interpret that, there greater the number more verbose? I just made some modification under /etc, created some file modified other just to test, but still have no e-mail, I'm only getting an e-mail regarding a service log and nothing else, which is the parameter to tell ossec to send all the issues? Last question: 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database). 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck database (pre-scan). 2016/10/13 11:10:35 ossec-syscheckd: INFO: Initializing real time file monitoring (not started). Which service is not started? the doc says the package inotify should be installed and I have it inotify-tools-3.13-2.el6.art.x86_64 Thank you very much!! Regards El jueves, 13 de octubre de 2016, 10:32:16 (UTC-3), dan (ddpbsd) escribió: > > On Thu, Oct 13, 2016 at 9:21 AM, Kernel Panic> wrote: > > > > Hi > > Let's see, shouldn't I have to configure on each tag to which directory > I > > want to apply it? as in check_all , directories, realtime and which > > directories, or are they global parameters? that's why I included home > and > > root on both of them. > > > > > Each option applies to the directories configured in it. > > > > > check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin > > > > > This checks all of the hashes, owner, and permissions. > > > check_all="yes">/root,/home,/etc > > > > This does realtime checks of all of the above, and should produce an > error because the "/root," "/home," and "/etc" directories are > duplicated. > Duplication of directories can cause issues, so it's best not to do > it. The way to solve this is not to duplicate these directories in the > second configuration by not including them in the first. > For example: > > /bin,/sbin,/usr/bin,/usr/sbin > /root,/home,/etc > > Now, if you want to add "report_changes" to /etc, you'll have to > remove it from the above configuration. You'll end up with: > > /bin,/sbin,/usr/bin,/usr/sbin > /root,/home > report_changes="yes">/etc > > > > > Thank you very much > > Best Regerds > > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Agent Duplicate Folders Message
Thank you very much for your clarification, now it's much more clear to me!!! Regards El jueves, 13 de octubre de 2016, 10:32:16 (UTC-3), dan (ddpbsd) escribió: > > On Thu, Oct 13, 2016 at 9:21 AM, Kernel Panic> wrote: > > > > Hi > > Let's see, shouldn't I have to configure on each tag to which directory > I > > want to apply it? as in check_all , directories, realtime and which > > directories, or are they global parameters? that's why I included home > and > > root on both of them. > > > > > Each option applies to the directories configured in it. > > > > > check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin > > > > > This checks all of the hashes, owner, and permissions. > > > check_all="yes">/root,/home,/etc > > > > This does realtime checks of all of the above, and should produce an > error because the "/root," "/home," and "/etc" directories are > duplicated. > Duplication of directories can cause issues, so it's best not to do > it. The way to solve this is not to duplicate these directories in the > second configuration by not including them in the first. > For example: > > /bin,/sbin,/usr/bin,/usr/sbin > /root,/home,/etc > > Now, if you want to add "report_changes" to /etc, you'll have to > remove it from the above configuration. You'll end up with: > > /bin,/sbin,/usr/bin,/usr/sbin > /root,/home > report_changes="yes">/etc > > > > > Thank you very much > > Best Regerds > > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Agent Duplicate Folders Message
On Thu, Oct 13, 2016 at 9:21 AM, Kernel Panicwrote: > > Hi > Let's see, shouldn't I have to configure on each tag to which directory I > want to apply it? as in check_all , directories, realtime and which > directories, or are they global parameters? that's why I included home and > root on both of them. > Each option applies to the directories configured in it. > check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin > This checks all of the hashes, owner, and permissions. > /root,/home,/etc > This does realtime checks of all of the above, and should produce an error because the "/root," "/home," and "/etc" directories are duplicated. Duplication of directories can cause issues, so it's best not to do it. The way to solve this is not to duplicate these directories in the second configuration by not including them in the first. For example: /bin,/sbin,/usr/bin,/usr/sbin /root,/home,/etc Now, if you want to add "report_changes" to /etc, you'll have to remove it from the above configuration. You'll end up with: /bin,/sbin,/usr/bin,/usr/sbin /root,/home /etc > > Thank you very much > Best Regerds > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Agent Duplicate Folders Message
Hi Let's see, shouldn't I have to configure on each tag to which directory I want to apply it? as in check_all , directories, realtime and which directories, or are they global parameters? that's why I included home and root on both of them. /root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin /root,/home,/etc Thank you very much Best Regerds El miércoles, 12 de octubre de 2016, 20:19:08 (UTC-3), dan (ddpbsd) escribió: > > On Oct 12, 2016 4:49 PM, "Kernel Panic"> wrote: > > > > Hi there guys, > > > > When starting the agent I've get this info: > > > > Starting ossec-hids: 2016/10/12 15:43:05 ossec-agentd: INFO: Using > notify time: 600 and max time to reconnect: 1800 > > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory > given: '/root'. > > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory > given: ''. > > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory > given: ''. > > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory > given: ''. > > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory > given: ''. > > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory > given: ''. > > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory > given: '/etc'. > > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory > given: '/bin'. > > > > 2016/10/12 15:43:11 ossec-syscheckd: INFO: Monitoring directory: ''. > > > > This is what I configured: > > > > > > check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin > > check_all="yes">/root,/home,/etc > > You have "/root" in both of the above entries. > > > > > > > Why do you have all of these empty entries? They're not checking anything, > I'm actually a little surprised they didn't cause more problems. > > > > > > > > > > > > > Where is that data duplicated? I noticed that under the shared directory > there is an agent.conf which contains > > > > > > /etc,/usr/bin,/usr/sbin > > /bin,/sbin > > > > Is that configuration file taken into account? If I remove it it's > created once again. > > > > Yes, that file also provides configuration. It's provided by the OSSEC > server. > > > Thank you for your time and support > > Regards > > > > > > > > -- > > > > --- > > You received this message because you are subscribed to the Google > Groups "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send > an email to ossec-list+...@googlegroups.com . > > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Agent Duplicate Folders Message
Hi Is this much better now? is realtime a global option ( realtime to all ) or do I have to tell on which directories I want the realtime monitoring? /root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin /root,/home,/etc /root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin Thank you very much for your patience. Regards El miércoles, 12 de octubre de 2016, 20:19:08 (UTC-3), dan (ddpbsd) escribió: > > On Oct 12, 2016 4:49 PM, "Kernel Panic"> wrote: > > > > Hi there guys, > > > > When starting the agent I've get this info: > > > > Starting ossec-hids: 2016/10/12 15:43:05 ossec-agentd: INFO: Using > notify time: 600 and max time to reconnect: 1800 > > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory > given: '/root'. > > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory > given: ''. > > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory > given: ''. > > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory > given: ''. > > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory > given: ''. > > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory > given: ''. > > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory > given: '/etc'. > > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory > given: '/bin'. > > > > 2016/10/12 15:43:11 ossec-syscheckd: INFO: Monitoring directory: ''. > > > > This is what I configured: > > > > > > check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin > > check_all="yes">/root,/home,/etc > > You have "/root" in both of the above entries. > > > > > > > Why do you have all of these empty entries? They're not checking anything, > I'm actually a little surprised they didn't cause more problems. > > > > > > > > > > > > > Where is that data duplicated? I noticed that under the shared directory > there is an agent.conf which contains > > > > > > /etc,/usr/bin,/usr/sbin > > /bin,/sbin > > > > Is that configuration file taken into account? If I remove it it's > created once again. > > > > Yes, that file also provides configuration. It's provided by the OSSEC > server. > > > Thank you for your time and support > > Regards > > > > > > > > -- > > > > --- > > You received this message because you are subscribed to the Google > Groups "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send > an email to ossec-list+...@googlegroups.com . > > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Agent Duplicate Folders Message
Hi Ok, so , are those global variables ? I thought I had to specify for every tag to which directory I wan it to apply that configuration, that's why I included root and home on both, realtime and check_all. /root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin /root,/home,/etc So, do I have to include the directories right? make sense, my bad. Thank you very much Best Regards El miércoles, 12 de octubre de 2016, 20:19:08 (UTC-3), dan (ddpbsd) escribió: > > On Oct 12, 2016 4:49 PM, "Kernel Panic"> wrote: > > > > Hi there guys, > > > > When starting the agent I've get this info: > > > > Starting ossec-hids: 2016/10/12 15:43:05 ossec-agentd: INFO: Using > notify time: 600 and max time to reconnect: 1800 > > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory > given: '/root'. > > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory > given: ''. > > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory > given: ''. > > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory > given: ''. > > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory > given: ''. > > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory > given: ''. > > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory > given: '/etc'. > > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory > given: '/bin'. > > > > 2016/10/12 15:43:11 ossec-syscheckd: INFO: Monitoring directory: ''. > > > > This is what I configured: > > > > > > check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin > > check_all="yes">/root,/home,/etc > > You have "/root" in both of the above entries. > > > > > > > Why do you have all of these empty entries? They're not checking anything, > I'm actually a little surprised they didn't cause more problems. > > > > > > > > > > > > > Where is that data duplicated? I noticed that under the shared directory > there is an agent.conf which contains > > > > > > /etc,/usr/bin,/usr/sbin > > /bin,/sbin > > > > Is that configuration file taken into account? If I remove it it's > created once again. > > > > Yes, that file also provides configuration. It's provided by the OSSEC > server. > > > Thank you for your time and support > > Regards > > > > > > > > -- > > > > --- > > You received this message because you are subscribed to the Google > Groups "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send > an email to ossec-list+...@googlegroups.com . > > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Agent Duplicate Folders Message
On Oct 12, 2016 4:49 PM, "Kernel Panic"wrote: > > Hi there guys, > > When starting the agent I've get this info: > > Starting ossec-hids: 2016/10/12 15:43:05 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800 > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: '/root'. > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''. > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''. > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''. > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''. > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''. > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: '/etc'. > 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: '/bin'. > > 2016/10/12 15:43:11 ossec-syscheckd: INFO: Monitoring directory: ''. > > This is what I configured: > > > /root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin > /root,/home,/etc You have "/root" in both of the above entries. > > Why do you have all of these empty entries? They're not checking anything, I'm actually a little surprised they didn't cause more problems. > > > > > > Where is that data duplicated? I noticed that under the shared directory there is an agent.conf which contains > > > /etc,/usr/bin,/usr/sbin > /bin,/sbin > > Is that configuration file taken into account? If I remove it it's created once again. > Yes, that file also provides configuration. It's provided by the OSSEC server. > Thank you for your time and support > Regards > > > > -- > > --- > You received this message because you are subscribed to the Google Groups "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[ossec-list] Agent Duplicate Folders Message
Hi there guys, When starting the agent I've get this info: *Starting ossec-hids: 2016/10/12 15:43:05 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800* 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: '/root'. 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''. 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''. 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''. 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''. 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''. 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: '/etc'. 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: '/bin'. 2016/10/12 15:43:11 ossec-syscheckd: INFO: Monitoring directory: ''. This is what I configured: /root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin /root,/home,/etc Where is that data duplicated? I noticed that under the shared directory there is an agent.conf which contains /etc,/usr/bin,/usr/sbin /bin,/sbin Is that configuration file taken into account? If I remove it it's created once again. Thank you for your time and support Regards -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.