syscheck not being in real time even when realtime="yes" is configured


Yolanda Prieto

Dec 8, 2017, 6:29:46 PM12/8/17
to Wazuh mailing list
Hi Team,

I have a question about syscheck in real time:

In the manager I have the following configuration:
.........
  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Generate alert when new file detected -->
    <alert_new_files>yes</alert_new_files>

    <!-- Don't ignore files that change more than 3 times -->
    <auto_ignore>no</auto_ignore>
…………


I have the Wazuh Windows agents configured as shown here:
......
https://github.com/wazuh/wazuh/blob/master/src/win32/ossec.conf
but with <frequency>120</frequency>

Besides this, I have the following configuration:
<directories report_changes="yes" check_all="yes" realtime="yes">C:\SilliconValley</directories>
....

Each time I modified, deleted or added a file in the SilliconValley directory, I was able to see, in real time, the rule triggered and the checksum variation,
by tail -f alerts.log and in the UI.


After some time, I cannot see it in real time anymore.

I can see the modification, but with a delay.

How can I keep seeing the modifications in real time?

What is the trick?

Why could I see it before and not anymore?

My versions:
Wazuh Manager is v2.1.1

Wazuh client is v2.0.1

Any idea will be highly appreciated.
Regards,
Yolanda Prieto

Cristóbal López

Dec 11, 2017, 5:01:42 AM12/11/17
to Wazuh mailing list
Hi Yolanda,

I have replicated your conditions and the realtime mode continues to work after half an hour.

In your case, the syscheck analysis is activated every 2 minutes, which deactivates realtime until it is finished. You may have looked up your logs just as the syscheck analysis was running. Try increasing the frequency.

Best regards,
Cristobal Lopez.

yol...@saitechnology.com

Dec 11, 2017, 12:53:18 PM12/11/17
to Cristóbal López, Wazuh mailing list
 
Hi Cristobal,
Thanks for your quick answer.

But there is something I don't understand, maybe because of my lack of fluency in English.

Did you say that realtime was working after 30 minutes?

And that because syscheck is activated every 2 minutes,
it deactivates realtime until it is finished?

Could you please explain it again in other words? Or even in Spanish for me.

Thanks, any help is very highly appreciated.
Regards
  Yolanda
 
 
 
 

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/2960fc12-07c8-465c-a143-5af43ea7ff1d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Cristóbal López

Dec 22, 2017, 12:31:49 PM12/22/17
to Wazuh mailing list
Hi Yolanda,

In other words, syscheck can do 2 types of directory scans: normal and realtime. The only difference is that the scan for realtime directories is in "real time", while normal scanning runs periodically, at the time indicated by the frequency field.

In your case, every 120 seconds the normal scan is activated, which stops the realtime scanning. When normal scanning is finished, syscheck starts monitoring directories again in real time.

What I meant was that I replicated your configuration and kept it for 30 minutes. After this time, I checked that the directories marked realtime were still monitored in real time. That is why I think it is possible that you checked the real-time monitoring at the moment when syscheck was launching a "normal analysis", and after that time, the realtime directories were still working normally.

In short, I recommend you two things:

- Increase the realtime frequency.
- Update Wazuh in your agents and managers to benefit from the improvements that have been added. You can see a summary here https://documentation.wazuh.com/current/release-notes/index.html

Best regards,
Cristobal.

Yolanda Prieto

Jan 11, 2018, 4:50:30 PM1/11/18
to Wazuh mailing list
Hi Cristobal,
Before writing to you again, I followed your recommendations regarding:


- Increase the realtime frequency.
- Update Wazuh in your agents and managers

I did the following:

I installed the latest version of Wazuh and Elastic Stack:

Wazuh version 3.1.0

Elastic Stack 6.1.1 = Logstash 6.1.1, Kibana 6.1.1, Elasticsearch 6.1.1


I configured the agent in the same way,

but with <frequency>43200</frequency>


Besides this, I have the following configuration:
<directories report_changes="yes" check_all="yes" realtime="yes">C:\SilliconValley</directories>
....
And in the manager I put the same <frequency>43200</frequency>:

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Generate alert when new file detected -->
    <alert_new_files>yes</alert_new_files>

    <!-- Don't ignore files that change more than 3 times -->
    <auto_ignore>no</auto_ignore>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    ....................
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
    ........
  </syscheck>



Each time I modified, deleted or added a file in the SilliconValley
directory, I could not see the modification in real time.


I can see the modification, but with a delay.

How can I keep seeing the modifications in real time?

Please advise, this topic is critical for us.
Thanks and Regards
 Yolanda

Cristóbal López

Jan 12, 2018, 6:05:36 AM1/12/18
to Wazuh mailing list
Hi Yolanda,

I replicated the use case again and recorded a video to show you that real-time monitoring with report_changes runs smoothly.

It is rare that you can't see the changes in real time. Are you seeing the log message "Real time file monitoring engine started." or some kind of error?

Best regards,
Cristobal Lopez

Yolanda Prieto

Jan 17, 2018, 1:19:52 PM1/17/18
to Wazuh mailing list
Hi Team,

Could somebody help me with this old question?
Any advice will be very much appreciated.
Regards
 Yolanda Prieto

Santiago Bassett

Jan 30, 2018, 12:54:55 AM1/30/18
to Yolanda Prieto, Wazuh mailing list
Hi Yolanda,

Did you get this to work?

Regards


Miguelangel Freitas

Jan 30, 2018, 9:56:48 AM1/30/18
to Yolanda Prieto, Wazuh mailing list
Hi Yolanda,

Complementing what Cristobal said before, here are some facts about the syscheck capability:
  1. Realtime and periodic scans can't run at the same time, which means that the realtime engine is paused when a scheduled scan begins.
  2. The realtime engine will not start immediately; syscheck needs to perform a filesystem scan to add all sub-directories to the realtime queue. You should see a message like "ossec-agent: INFO: INFO: Starting syscheck real-time monitoring." confirming the realtime engine is fully started.
  3. report_changes works for plain-text files only; be careful with this configuration. Please review this: https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/fim-configuration.html#how-to-fim-report-changes
  4. The syscheck configuration is independent of where it is configured. The settings on the manager affect only the manager, and the same applies to the agents.
If you set a short time period for the scheduled scans, you probably won't give syscheck enough time to start the realtime engine; it will stay in a constant cycle of pauses.

I hope this gives you some clues and clarification about syscheck's behavior.

Miguelangel Freitas
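The behaviour described in this thread (a scheduled scan pauses the realtime engine, a short <frequency> keeps it in a cycle of pauses, and the "Starting syscheck real-time monitoring" message confirms the engine is fully up) lends itself to a small practitioner check. The Python script below is an added example, not Wazuh's own code: it lints an agent's <syscheck> block for a realtime directory combined with a short frequency (and for report_changes, which only diffs plain-text files), flags unrecognised child elements so a misspelled element name is caught, and walks ossec.log lines to estimate how much of the elapsed time realtime was paused. The sample config and log lines are constructed; the "Starting syscheck scan" / "Ending syscheck scan" markers, the 3600 s threshold and the list of known elements are assumptions to adjust for your version.

```python
"""Lint a Wazuh agent <syscheck> block and read ossec.log for the realtime engine.

Added example, not Wazuh's own code. Only the "Starting syscheck real-time
monitoring" message is quoted in the thread; the scan start/end markers, the
threshold, the element list and the sample data below are assumptions.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

DEFAULT_FREQUENCY = 43200   # seconds; "default every 12 hours" per the config comment
MIN_FREQUENCY = 3600        # assumed: realtime dirs with a shorter frequency are suspect

# Children of <syscheck> we recognise (assumed, partial list); anything else is
# reported as a possible typo so that e.g. <frecuency> does not silently do nothing.
KNOWN_CHILDREN = {"disabled", "frequency", "scan_on_start", "scan_time", "scan_day",
                  "alert_new_files", "auto_ignore", "directories", "ignore", "nodiff",
                  "skip_nfs", "windows_registry", "registry_ignore"}

REALTIME_STARTED = "Starting syscheck real-time monitoring"  # quoted in the thread
SCAN_STARTED = "Starting syscheck scan"                       # assumed marker
SCAN_ENDED = "Ending syscheck scan"                           # assumed marker
TS_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ")


def lint_syscheck(conf_xml, min_frequency=MIN_FREQUENCY):
    """Return human-readable findings for the <syscheck> block in conf_xml."""
    root = ET.fromstring(conf_xml)
    sc = root if root.tag == "syscheck" else root.find(".//syscheck")
    if sc is None:
        return ["no <syscheck> block found"]
    findings = []
    for child in sc:
        if child.tag not in KNOWN_CHILDREN:
            findings.append(f"unrecognised element <{child.tag}> (check spelling)")
    freq_el = sc.find("frequency")
    frequency = DEFAULT_FREQUENCY
    if freq_el is not None and freq_el.text and freq_el.text.strip().isdigit():
        frequency = int(freq_el.text.strip())
    realtime_dirs, report_change_dirs = [], []
    for d in sc.findall("directories"):
        paths = [p.strip() for p in (d.text or "").split(",") if p.strip()]
        if d.get("realtime") == "yes":
            realtime_dirs.extend(paths)
        if d.get("report_changes") == "yes":
            report_change_dirs.extend(paths)
    if realtime_dirs and frequency < min_frequency:
        findings.append(f"frequency={frequency}s with realtime directories {realtime_dirs}: "
                        "every scheduled scan pauses the realtime engine, so a short "
                        "frequency keeps it in a constant cycle of pauses")
    if report_change_dirs:
        findings.append(f"report_changes on {report_change_dirs}: diffs are produced "
                        "for plain-text files only")
    return findings


def realtime_status(log_lines):
    """Summarise the realtime engine's state from ossec.log lines.

    Model taken from the thread: a scheduled scan pauses realtime, realtime
    resumes when the scan ends if it had ever fully started, and the
    REALTIME_STARTED message confirms a full start.
    """
    confirmed = False   # engine reported fully started at least once
    active = False      # engine currently monitoring, per the model above
    scan_starts, paused, current_scan = [], 0.0, None
    for line in log_lines:
        m = TS_RE.match(line)
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S") if m else None
        if REALTIME_STARTED in line:
            confirmed = active = True
        elif SCAN_STARTED in line:
            active, current_scan = False, ts
            if ts is not None:
                scan_starts.append(ts)
        elif SCAN_ENDED in line:
            if current_scan is not None and ts is not None:
                paused += (ts - current_scan).total_seconds()
            current_scan, active = None, confirmed
    gaps = [(b - a).total_seconds() for a, b in zip(scan_starts, scan_starts[1:])]
    return {"realtime_confirmed": confirmed, "realtime_active": active,
            "scans": len(scan_starts), "min_scan_interval": min(gaps) if gaps else None,
            "paused_seconds": paused}


# Constructed sample config mirroring the thread: 120 s frequency plus a realtime dir.
SAMPLE_CONF = r"""<ossec_config>
  <syscheck>
    <disabled>no</disabled>
    <frequency>120</frequency>
    <scan_on_start>yes</scan_on_start>
    <directories report_changes="yes" check_all="yes" realtime="yes">C:\SilliconValley</directories>
  </syscheck>
</ossec_config>"""

# Constructed log lines (format approximated from the agent log; not a real capture).
SAMPLE_LOG = """\
2018/01/11 10:00:00 ossec-agent: INFO: Starting syscheck scan.
2018/01/11 10:00:40 ossec-agent: INFO: Ending syscheck scan.
2018/01/11 10:00:41 ossec-agent: INFO: Starting syscheck real-time monitoring.
2018/01/11 10:02:00 ossec-agent: INFO: Starting syscheck scan.
2018/01/11 10:03:10 ossec-agent: INFO: Ending syscheck scan.
2018/01/11 10:04:00 ossec-agent: INFO: Starting syscheck scan.
"""

if __name__ == "__main__":
    for f in lint_syscheck(SAMPLE_CONF):
        print("finding:", f)
    print(realtime_status(SAMPLE_LOG.splitlines()))
```

On the constructed sample the lint reports the 120 s frequency next to the realtime directory, and the log walk shows 110 of the 240 elapsed seconds spent in scheduled scans with realtime paused at the end, which is the symptom the thread describes. Raising the frequency to 43200 removes the frequency finding; the report_changes note stays as a reminder that binary files get no diff.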
