Re: [ossec-list] Re: Unexpected FIM behavior
On Tue, Oct 25, 2016 at 1:05 PM, Matt wrote:
> I posted the agent ossec.conf on the windows server in my first posting,
> here is how it's presently configured.
>
> 16200

If the agent isn't respecting the frequency in its ossec.conf, this is a problem. Unfortunately I don't have any windows agents to test with. Can anyone confirm this behavior?

> yes
> no

These obviously don't go in the agent's ossec.conf. This is even in the documentation. That's probably why I skipped over them.

> no

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Re: Unexpected FIM behavior
I posted the agent ossec.conf on the windows server in my first posting, here is how it's presently configured.

16200
yes
no
no
Re: [ossec-list] Re: Unexpected FIM behavior
On Tue, Oct 25, 2016 at 12:29 PM, Matt wrote:
> It's my understanding it needed to be configured on the agent? Following is

What needed to be configured on the agent? Which specific settings were you referencing in your previous email? Some settings get set on the agent, some on the server. Which settings did you expect to be set on the agent, but only worked when set on the server?

> anything I can see as remotely pertinent in the Ossec.conf file on the OSSEC
> server. I'm not including sections referencing the rules and directories to
> monitor and ignore (which I didn't modify).
>
> yes
> 5000
> red...@redact.com
> redact.redact.com
> red...@redact.com
> yes

Obvious server settings.

> 72000

Frequency should be set by that host's ossec.conf.

> yes
> no

Obvious server settings.

> syslog
> secure

Obvious server settings.

> 1
> 7

Obvious server settings.

> syslog
> /var/log/messages
>
> syslog
> /var/log/secure
>
> syslog
> /var/log/maillog

Each system should have localfile entries for the logs on that system.
Re: [ossec-list] Re: Unexpected FIM behavior
It's my understanding it needed to be configured on the agent? Following is anything I can see as remotely pertinent in the Ossec.conf file on the OSSEC server. I'm not including sections referencing the rules and directories to monitor and ignore (which I didn't modify).

yes
5000
red...@redact.com
redact.redact.com
red...@redact.com
yes

72000
yes
no

syslog
secure

1
7

syslog
/var/log/messages

syslog
/var/log/secure

syslog
/var/log/maillog
Re: [ossec-list] Re: Unexpected FIM behavior
On Tue, Oct 25, 2016 at 11:03 AM, Matt wrote:
> I can definitely confirm that the FIM scan ISN'T paying attention to the
> ossec.conf file on the Windows agent. Instead it is running based off the
> config of the OSSEC Master server. Pasting in config from windows agent.
> And I did add the new file and ignore flag to the master, just didn't remove
> from agent.
>

Which options specifically are being set (for the agent) from the OSSEC server's ossec.conf?

> 16200
> yes
> no
Re: [ossec-list] Re: Unexpected FIM behavior
I can definitely confirm that the FIM scan ISN'T paying attention to the ossec.conf file on the Windows agent. Instead it is running based off the config of the OSSEC Master server. Pasting in config from windows agent. And I did add the new file and ignore flag to the master, just didn't remove from agent.

16200
yes
no
Re: [ossec-list] Re: Unexpected FIM behavior
I can not definitely confirm that the FIM scan ISN'T paying attention to the ossec.conf file on the Windows agent. Instead it is running based off the config of the OSSEC Master server. Pasting in config from windows agent. And I did add the new file and ignore flag to the master, just didn't remove from agent.

16200
yes
no
Re: [ossec-list] Re: Unexpected FIM behavior
On Oct 19, 2016 12:08 PM, "Matt" wrote:
>
> Thank you both, I appreciate it.
>
> I added the config to the global file instead of the local file.
>
> So, I think realtime is behaving now, but not the rest. It's my understanding the scan frequency for the agent is set on the agent, not the global level. I've set the agent to about an hour, but it's not noting changes for the non realtime. I'm ok with setting it to less frequent and will try 4 hours next, and then a longer period after that. Unless it's all set on the global level (master server is 20hr), which didn't seem to be the case?
>

Frequency is handled in the agent's ossec.conf.

> Thanks,
> Matthew
[ossec-list] Re: Unexpected FIM behavior
Thank you both, I appreciate it.

I added the config to the global file instead of the local file.

So, I think realtime is behaving now, but not the rest. It's my understanding the scan frequency for the agent is set on the agent, not the global level. I've set the agent to about an hour, but it's not noting changes for the non realtime. I'm ok with setting it to less frequent and will try 4 hours next, and then a longer period after that. Unless it's all set on the global level (master server is 20hr), which didn't seem to be the case?

Thanks,
Matthew
Re: [ossec-list] Re: Unexpected FIM behavior
On Fri, Oct 14, 2016 at 5:52 PM, Matt wrote:
> Realtime monitoring seems to be working now that I've adjusted the scan
> frequency. Earlier the scan frequency was 4 hours, then 10 minutes. It's now
> 20 minutes and realtime now seems to work. I don't claim it makes sense,
> it's just what I'm observing.
>
> Ok I've discovered that the config doesn't like this line. I modified it to
> reflect one of the others and it works.
>
> realtime="yes">C:\TestOSS3
>
> And, I've realized it's also including multiple alerts in one email. I'd
> rather have one email per alert, at least a way to configure it. But I get
> this reduces the count of emails.
>

/var/ossec/etc/internal_options.conf

# Maild grouping (0=disabled, 1=enabled)
# Groups alerts within the same e-mail.
maild.groupping=1
[ossec-list] Re: Unexpected FIM behavior
Hi Matt,

As we can see, Syscheck isn't very accurate with time for three main reasons:

1. In order not to impact the system performance, Syscheck sleeps two seconds for every 15 checked files. You can change this by changing the settings "syscheck.sleep" and "syscheck.sleep_after" in the file *internal_options.conf*. For example, you can set "syscheck.sleep=0" in a testing environment. I don't recommend setting this value in a production environment, although you can reduce the sleep time to 1 second or increase the sleep_after to 50 files.

2. After the Syscheck scan, the Rootcheck scan gets launched, and the real-time monitor doesn't work until Rootcheck has ended.

3. Sometimes Syscheck sleeps 5 minutes after a complete cycle (syscheck+rootcheck+realtime monitoring).

I saw a little misconfiguration in your ossec.conf file: settings and are OK but they must be at the manager, not at the agent.

Lastly, note that the first Syscheck scan will never produce alerts about new files or file change reports; this is because Syscheck generates and sends a database to the server at each scan. The manager works by analyzing the differences between different versions of the database, but the first time the manager has no database and can't produce alerts.

Hope it helps.

Best regards,
Victor.
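Two recurring points in this thread are which settings belong in the agent's ossec.conf versus the manager's (dan's reply above about "obvious server settings" and frequency being per host) and Victor's explanation of why a syscheck pass takes longer than expected (a sleep after every batch of checked files). The script below is an added example, not code from the OSSEC project or from anyone in this thread. It parses an agent ossec.conf, reports manager-only sections that have no effect on an agent, summarizes the syscheck block, and gives a lower bound on scan time from the sleep throttling. The sample config, the list of manager-only section names, and the element names `<frequency>`, `<scan_on_start>`, `<auto_ignore>`, `<directories>` and `<ignore>` are my assumptions about the tags that the stripped values on this page once carried.

```python
"""Check an OSSEC *agent* ossec.conf for manager-only sections and summarize
its syscheck (FIM) block.  Added example; not OSSEC project code."""
import xml.etree.ElementTree as ET

# Sections OSSEC processes on the manager; in an agent ossec.conf they do
# nothing useful.  (Assumption: chosen from this thread, not an exhaustive list.)
MANAGER_ONLY_SECTIONS = ("global", "alerts", "remote", "email_alerts", "database_output")

# Constructed sample agent config carrying one manager-only section by mistake.
SAMPLE_AGENT_CONF = r"""
<ossec_config>
  <client>
    <server-ip>198.51.100.10</server-ip>
  </client>
  <global>
    <email_notification>yes</email_notification>
  </global>
  <syscheck>
    <frequency>16200</frequency>
    <scan_on_start>yes</scan_on_start>
    <auto_ignore>no</auto_ignore>
    <directories check_all="yes">C:\TestOSS1</directories>
    <directories check_all="yes" realtime="yes">C:\TestOSS3</directories>
    <ignore>%WINDIR%/win.ini</ignore>
  </syscheck>
</ossec_config>
<ossec_config>
  <localfile>
    <log_format>eventlog</log_format>
    <location>Security</location>
  </localfile>
</ossec_config>
"""


def parse_ossec_conf(text):
    """ossec.conf may hold several top-level <ossec_config> elements, which is
    not one well-formed XML document; wrap them in a synthetic root first."""
    return ET.fromstring("<root>" + text + "</root>")


def manager_only_sections(root):
    """Names of manager-only sections found in any <ossec_config> block."""
    found = []
    for cfg in root.iter("ossec_config"):
        for child in cfg:
            if child.tag in MANAGER_ONLY_SECTIONS:
                found.append(child.tag)
    return found


def syscheck_summary(root):
    """Frequency, monitored paths with their attributes, and ignore entries."""
    summary = {"frequency": None, "directories": [], "ignore": []}
    for sc in root.iter("syscheck"):
        freq = sc.find("frequency")
        if freq is not None and freq.text and freq.text.strip().isdigit():
            summary["frequency"] = int(freq.text.strip())
        for d in sc.findall("directories"):
            # One <directories> element may list several comma-separated paths.
            for path in (d.text or "").split(","):
                path = path.strip()
                if path:
                    summary["directories"].append((path, dict(d.attrib)))
        summary["ignore"].extend((i.text or "").strip() for i in sc.findall("ignore"))
    return summary


def realtime_directories(summary):
    """Paths the real-time monitor will watch (realtime="yes")."""
    return [p for p, attrs in summary["directories"] if attrs.get("realtime") == "yes"]


def estimate_scan_seconds(file_count, sleep=2, sleep_after=15):
    """Lower bound on a full scan's duration from throttling alone, using the
    model Victor describes: sleep `sleep` seconds after every `sleep_after`
    files (syscheck.sleep / syscheck.sleep_after).  Hashing time is not included."""
    if sleep_after <= 0:
        return 0
    return (file_count // sleep_after) * sleep


def lint_agent_conf(text):
    """Human-readable findings for an agent ossec.conf."""
    root = parse_ossec_conf(text)
    findings = []
    for section in manager_only_sections(root):
        findings.append(f"<{section}> is a manager-side section; it has no effect in the agent's ossec.conf")
    summary = syscheck_summary(root)
    if summary["frequency"] is None:
        findings.append("<syscheck> has no <frequency>; the agent will use its built-in default interval")
    if not realtime_directories(summary):
        findings.append('no <directories> element carries realtime="yes"; changes are only seen at scheduled scans')
    return findings


if __name__ == "__main__":
    for finding in lint_agent_conf(SAMPLE_AGENT_CONF):
        print("finding:", finding)
    s = syscheck_summary(parse_ossec_conf(SAMPLE_AGENT_CONF))
    print("frequency:", s["frequency"], "s; realtime:", realtime_directories(s))
    print("throttle floor for 3000 files:", estimate_scan_seconds(3000), "s")
```

Run it against the agent's real ossec.conf by reading the file into `lint_agent_conf`; the synthetic root in `parse_ossec_conf` is what lets the multi-block file parse at all. The scan estimate is only the sleep floor: with the defaults from Victor's post, 3000 files already cost 400 seconds of sleeping before any hashing, which is why a short `<frequency>` can overlap the previous scan and the rootcheck pass that follows it.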
[ossec-list] Re: Unexpected FIM behavior
I've changed the scan frequency to 40 minutes, and realtime isn't working. I've edited files 2 times, nothing. Hopefully it at least fires off when the next scan happens.
[ossec-list] Re: Unexpected FIM behavior
Realtime monitoring seems to be working now that I've adjusted the scan frequency. Earlier the scan frequency was 4 hours, then 10 minutes. It's now 20 minutes and realtime now seems to work. I don't claim it makes sense, it's just what I'm observing.

Ok I've discovered that the config doesn't like this line. I modified it to reflect one of the others and it works.

C:\TestOSS3

And, I've realized it's also including multiple alerts in one email. I'd rather have one email per alert, at least a way to configure it. But I get this reduces the count of emails.

On Friday, October 14, 2016 at 11:06:53 AM UTC-7, Matt wrote:
> Hello,
>
> I just installed OSSEC in the Azure space, HIDS seems ok but FIM isn't
> behaving consistently.
>
> First realtime monitoring simply isn't working. FIM only seems to work when
> the scan runs, which I have set to 10 minutes for testing. Second I only
> seem to get a fraction of the changes I've made. For testing I have 4
> folders, and I make 2 changes in each folder, usually an edit and a delete
> and/or add. I just did that 2 times in the last hour, so 16 changes, and I
> received only alerts for 3 of those changes.
>
> The OSSEC Manager server is CentOS, the agent is Windows Server 2012 R2.
> The agent does say "INFO: Real time file monitoring started.".
>
> Following are the configs for the manager server and the agent server. Is
> there something I am missing?
>
> Manager
>
> yes
> 500
> redac...@redacted.com
> redacted.redacted.com
> redac...@redacted.com
> yes
>
> Agent, yes the lines are intentionally each a little different for the
> directories to monitor while fiddling with this. If one is wrong please let
> me know.
>
> 600
> yes
> no
>
> no
>
> C:\TestOSS1
> C:\TestOSS2
> realtime="yes">C:\TestOSS3
> check_all="yes">C:\TestOSS4
>
> %WINDIR%/win.ini
> %WINDIR%/system.ini
>
> Thanks,
> Matt