Not receiving email alerts for file changes (FIM)


Prashanthi Soundarajan

Oct 10, 2019, 6:27:41 AM10/10/19
to ossec-list
ossec.conf
___________

<ossec_config>
  <!-- ossec.conf as posted to the list (OSSEC 3.0.0, local install). Symptom under review:
       some rules are mailed, but syscheck add/modify/delete events are not. -->
  <global>
    <!-- Master switch for mail delivery. "my email" is a redaction placeholder in the post,
         not a literal value. -->
    <email_notification>yes</email_notification>
    <email_to>my email</email_to>
    <!-- Mail is handed to an MTA on the local host; if that MTA is absent or rejecting the
         message, the failure shows up in the MTA's own log rather than in OSSEC's alerts. -->
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossecm@fcappiee</email_from>
    <!-- Log every received event, alerting or not. Useful for this problem: it shows whether
         syscheck events reach the analysis daemon at all, independent of rule levels. -->
    <logall>yes</logall>
  </global>

  <!-- Granular mail for the three syscheck outcome rules: 550 (integrity checksum changed),
       553 (presumably "file deleted") and 554 (file added; overridden in local_rules.xml).
       The thread reports "Level 7 - Integrity checksum changed" mails arriving, which is
       rule 550, so the mail path does work for at least one of these. -->
  <email_alerts>
    <email_to>my email</email_to>
    <rule_id>550, 553, 554</rule_id>
    <!-- Send immediately instead of batching with the next mail flush. -->
    <do_not_delay />
  </email_alerts>

  <!-- Rule files load in this order; a later file may overwrite a rule id from an earlier
       one, which is what local_rules.xml (last) relies on for rule 554. -->
  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>arpwatch_rules.xml</include>
    <include>symantec-av_rules.xml</include>
    <include>symantec-ws_rules.xml</include>
    <include>pix_rules.xml</include>
    <include>named_rules.xml</include>
    <include>smbd_rules.xml</include>
    <include>vsftpd_rules.xml</include>
    <include>pure-ftpd_rules.xml</include>
    <include>proftpd_rules.xml</include>
    <include>ms_ftpd_rules.xml</include>
    <include>ftpd_rules.xml</include>
    <include>hordeimp_rules.xml</include>
    <include>roundcube_rules.xml</include>
    <include>wordpress_rules.xml</include>
    <include>cimserver_rules.xml</include>
    <include>vpopmail_rules.xml</include>
    <include>vmpop3d_rules.xml</include>
    <include>courier_rules.xml</include>
    <include>web_rules.xml</include>
    <include>web_appsec_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>nginx_rules.xml</include>
    <include>php_rules.xml</include>
    <include>mysql_rules.xml</include>
    <include>postgresql_rules.xml</include>
    <include>ids_rules.xml</include>
    <include>squid_rules.xml</include>
    <include>firewall_rules.xml</include>
    <include>apparmor_rules.xml</include>
    <include>cisco-ios_rules.xml</include>
    <include>netscreenfw_rules.xml</include>
    <include>sonicwall_rules.xml</include>
    <include>postfix_rules.xml</include>
    <include>sendmail_rules.xml</include>
    <include>imapd_rules.xml</include>
    <include>mailscanner_rules.xml</include>
    <include>dovecot_rules.xml</include>
    <include>ms-exchange_rules.xml</include>
    <include>racoon_rules.xml</include>
    <include>vpn_concentrator_rules.xml</include>
    <include>spamd_rules.xml</include>
    <include>msauth_rules.xml</include>
    <include>mcafee_av_rules.xml</include>
    <include>trend-osce_rules.xml</include>
    <include>ms-se_rules.xml</include>
    <!-- <include>policy_rules.xml</include> -->
    <include>zeus_rules.xml</include>
    <include>solaris_bsm_rules.xml</include>
    <include>vmware_rules.xml</include>
    <include>ms_dhcp_rules.xml</include>
    <include>asterisk_rules.xml</include>
    <!-- Stock definition of rules 550/553/554 lives here, ahead of local_rules.xml. -->
    <include>ossec_rules.xml</include>
    <include>attack_rules.xml</include>
    <include>openbsd_rules.xml</include>
    <include>clam_av_rules.xml</include>
    <include>dropbear_rules.xml</include>
    <include>sysmon_rules.xml</include>
    <include>opensmtpd_rules.xml</include>
    <include>exim_rules.xml</include>
    <include>local_rules.xml</include>
  </rules> 

  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <!-- NOTE(review): the value is in seconds, so 60 is a full scan every minute (the stock
         comment above describes the 22-hour default), on top of the realtime watches below. -->
    <frequency>60</frequency>
    <!-- Emit a syscheck_new_entry event for files not yet in the syscheck database; that is
         the event rule 554 in local_rules.xml decodes. NOTE(review): confirm for 3.0.0 whether
         new-file detection fires on the realtime path or only on the scheduled scan. -->
    <alert_new_files>yes</alert_new_files>
    <!-- Directories to check  (perform all possible verifications) -->
    <!-- NOTE(review): /proc and /dev change continuously and are normally kept out of FIM;
         "/null" as a top-level entry looks like "/dev/null" split at the comma (that path is
         ignored separately below). Confirm both before relying on this list. -->
    <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin,/data,/home,/opt</directories>
    <directories realtime="yes" check_all="yes">/bin,/sbin,/boot,/dev,/null,/lib,/media,/proc,/srv,/mnt</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
    <ignore>/data/helpkit/shared/log</ignore>
    <ignore>/data/haystack-shipper/logs</ignore>
    <ignore>/data/haystack-shipper/data</ignore>
    <ignore>/data/helpkit/shared/tmp/cache</ignore>
    <ignore>/data/helpkit/current/log</ignore>
    <ignore>/dev/pts</ignore>
    <ignore>/dev/null</ignore>
    <ignore>/dev/tty</ignore>
    <ignore>/etc/blkid/blkid.tab</ignore>
    <!-- NOTE(review): excluding /etc/sudoers means edits to the privilege policy never produce
         a syscheck alert, which is one of the main reasons to watch /etc. Confirm intended. -->
    <ignore>/etc/sudoers</ignore>
    <ignore>/opt/confd/confd.txt</ignore>
    <ignore>/var/log</ignore>
    <ignore>/opt/SumoCollector/config</ignore>
    <ignore>/opt/SumoCollector/logs</ignore>
    <ignore>/var/lib</ignore>
    <ignore>/var/run</ignore>
    <ignore>/var/spool</ignore>
    <ignore>/var/cache</ignore>
    <ignore>/tmp</ignore>
    <!-- NOTE(review): duplicate of the /var/log ignore above; harmless, one can be dropped. -->
    <ignore>/var/log</ignore>
    <ignore>/var/ossec</ignore>
    <!-- NOTE(review): in sregex '^' is a start-of-string anchor; placed mid-pattern these two
         entries most likely never match, so per-user .ssh and .bash_history would still be
         monitored rather than ignored. Verify against a test file under /home. -->
    <ignore type="sregex">/home/^/.ssh</ignore>
    <ignore type="sregex">/home/^/.bash_history</ignore>
    <ignore>/opt/aws/opsworks/releases</ignore>
    <ignore>/root/.bash_history</ignore>
    <ignore>/root/.monit.state</ignore>
    <ignore>/root/.viminfo</ignore>
    <ignore>/root/.viminfo.tmp</ignore>
    <ignore>/dev/char</ignore>


</syscheck>

 <rootcheck>
      <!-- Also in seconds: a full rootcheck pass every minute. -->
      <frequency>60</frequency>
      <disabled>no</disabled>
      <check_unixaudit>yes</check_unixaudit>
      <check_files>yes</check_files>
      <check_trojans>yes</check_trojans>
      <check_dev>yes</check_dev>
      <check_sys>yes</check_sys>
      <check_pids>yes</check_pids>
      <check_ports>yes</check_ports>
      <check_if>yes</check_if>
      <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
      <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
      <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
      <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
      <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
      <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
 </rootcheck>

 <alerts>
    <!-- NOTE(review): with log_alert_level 7, a level-2 alert from rule 1002 should not be
         written to alerts.log, yet the thread shows exactly that being logged and mailed.
         That points to the running daemon not using this file as posted (edited after start,
         a different config path, or a later <alerts> block overriding these values); worth
         confirming before debugging syscheck itself. The 554 override at level 7 clears the
         email_alert_level threshold in any case. -->
    <log_alert_level>7</log_alert_level>
    <email_alert_level>7</email_alert_level>
 </alerts>

</ossec_config>

******************************************************

local_rules.xml
_______________

<!-- Raises stock rule 554 (the syscheck_new_entry "file added" rule, silent at level 0 in the
     shipped ruleset) to level 7 so it is logged and mailed. overwrite="yes" only takes effect
     if the original 554 was loaded earlier; in the posted ossec.conf ossec_rules.xml is
     included before local_rules.xml, so the order is correct. -->
<group name="local,syslog,">
  <rule id="554" level="7" overwrite="yes">
       <category>ossec</category>
       <!-- Matches only events the syscheck decoder tags as a new entry. -->
       <decoded_as>syscheck_new_entry</decoded_as>
       <description>File added to the system.</description>
       <group>syscheck,</group>
  </rule>
</group>


I am not getting an email alert when a file is modified or added on my system.

Prashanthi Soundarajan

Oct 10, 2019, 7:02:17 AM10/10/19
to ossec-list
I am not getting an email alert when a file is modified, added or deleted on my system.
    Installation type : Local
    OS : Amazon Linux

dan (ddp)

Oct 10, 2019, 8:47:54 AM10/10/19
to ossec...@googlegroups.com
Are you getting any email alerts?


Prashanthi Soundarajan

Oct 10, 2019, 8:54:00 AM10/10/19
to ossec-list
Yes, I am getting email alerts such as "Level 2 - Unknown problem somewhere in the system",
"Level 8 - Log file size reduced", "Level 7 - Integrity checksum changed." and "Level 13 - Non standard syslog message".

I am not getting alerts for new file creation, deletion or modification.

dan (ddp)

Oct 10, 2019, 9:18:21 AM10/10/19
to ossec...@googlegroups.com
On Thu, Oct 10, 2019 at 8:54 AM Prashanthi Soundarajan
<Prashan...@gmail.com> wrote:
>
> Yes, I am getting email alerts like " Level 2 - Unknown problem somewhere in the system","
> Level 8 - Log file size reduced","Level 7 - Integrity checksum changed."," Level 13 - Non standard syslog message"
>
> I am not getting alerts for new file creation/Deletion/Modification
>

Are these alerts getting triggered (check /var/ossec/logs/alerts/alerts.log)?

Prashanthi Soundarajan

Oct 10, 2019, 9:24:04 AM10/10/19
to ossec-list

Yes, I am able to see the alerts I mentioned ("Level 2 - Unknown problem somewhere in the system", "Level 8 - Log file size reduced", "Level 7 - Integrity checksum changed.", "Level 13 - Non standard syslog message") in /var/ossec/logs/alerts/alerts.log

____Sample:_____

** Alert 1570713203.436414: mail  - syslog,errors,
2019 Oct 10 13:13:23 fc-app-7->/var/log/nginx/error.log
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
App 1663 stderr: /data/helpkit/shared/bundler_gems/ruby/2.2.0/gems/rest-client-1.8.0/lib/restclient/request.rb:387:in `transmit' : This dangerous monkey patch leaves you open to MITM attacks! (StandardWarning)

** Alert 1570713205.436799: mail  - syslog,errors,
2019 Oct 10 13:13:25 fc-app-7->/var/log/nginx/error.log
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
App 1663 stderr: /data/helpkit/shared/bundler_gems/ruby/2.2.0/gems/rest-client-1.8.0/lib/restclient/request.rb:387:in `transmit' : This dangerous monkey patch leaves you open to MITM attacks! (StandardWarning)

** Alert 1570713207.437184: mail  - syslog,errors,
2019 Oct 10 13:13:27 fc-app-7->/var/log/nginx/error.log
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
App 1663 stderr: /data/helpkit/shared/bundler_gems/ruby/2.2.0/gems/rest-client-1.8.0/lib/restclient/request.rb:387:in `transmit' : This dangerous monkey patch leaves you open to MITM attacks! (StandardWarning)

dan (ddp)

Oct 11, 2019, 7:45:00 AM10/11/19
to ossec...@googlegroups.com
On Thu, Oct 10, 2019 at 9:24 AM Prashanthi Soundarajan
<Prashan...@gmail.com> wrote:
>
>
> Yes, I able see the alerts which I mentioned (" Level 2 - Unknown problem somewhere in the system","Level 8 - Log file size reduced","Level 7 - Integrity checksum changed."," Level 13 - Non standard syslog message") in /var/ossec/logs/alerts/alerts.log
>
> ____Sample:_____
>
> ** Alert 1570713203.436414: mail - syslog,errors,
> 2019 Oct 10 13:13:23 fc-app-7->/var/log/nginx/error.log
> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> App 1663 stderr: /data/helpkit/shared/bundler_gems/ruby/2.2.0/gems/rest-client-1.8.0/lib/restclient/request.rb:387:in `transmit' : This dangerous monkey patch leaves you open to MITM attacks! (StandardWarning)
>
> ** Alert 1570713205.436799: mail - syslog,errors,
> 2019 Oct 10 13:13:25 fc-app-7->/var/log/nginx/error.log
> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> App 1663 stderr: /data/helpkit/shared/bundler_gems/ruby/2.2.0/gems/rest-client-1.8.0/lib/restclient/request.rb:387:in `transmit' : This dangerous monkey patch leaves you open to MITM attacks! (StandardWarning)
>
> ** Alert 1570713207.437184: mail - syslog,errors,
> 2019 Oct 10 13:13:27 fc-app-7->/var/log/nginx/error.log
> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> App 1663 stderr: /data/helpkit/shared/bundler_gems/ruby/2.2.0/gems/rest-client-1.8.0/lib/restclient/request.rb:387:in `transmit' : This dangerous monkey patch leaves you open to MITM attacks! (StandardWarning)

All the samples are from the alerts you say you are getting emails
for. The important alerts to look for are the ones you're not getting
emails for.
Assuming those exist in the alerts.log file, check your smtp server's
mail logs. Perhaps it's discarding the messages or they aren't getting
transferred properly?


Prashanthi Soundarajan

Oct 11, 2019, 7:53:14 AM10/11/19
to ossec-list



All the samples are from the alerts you say you are getting emails
for. The important alerts to look for are the ones you're not getting
emails for.
Assuming those exist in the alerts.log file, check your smtp server's
mail logs. Perhaps it's discarding the messages or they aren't getting
transferred properly?



No, those alerts are not in alerts.log. For example, if I test by creating a new file in one of the specified directories, nothing appears in alerts.log,
so I think it is unlikely that they are failing to transfer when they never reach alerts.log in the first place.

dan (ddp)

Oct 11, 2019, 8:18:13 AM10/11/19
to ossec...@googlegroups.com
On Fri, Oct 11, 2019 at 7:53 AM Prashanthi Soundarajan
<prashan...@gmail.com> wrote:
>
>
>
>>
>> All the samples are from the alerts you say you are getting emails
>> for. The important alerts to look for are the ones you're not getting
>> emails for.
>> Assuming those exist in the alerts.log file, check your smtp server's
>> mail logs. Perhaps it's discarding the messages or they aren't getting
>> transferred properly?
>>
>
>
> No those alerts are not in alerts.log . For example if I test creating a new file in the specified directory .. am not able to see logs in alert.log
> so I guess there is less possibility for they aren't getting transferred properly when it logs are not actually in alert.log

If they are not in the alerts.log file, then they won't get emailed.

Do the new files you create show up in your syscheck database file?
(/var/ossec/queue/syscheck/syscheck.db for the OSSEC server)

Prashanthi Soundarajan

Oct 11, 2019, 8:53:37 AM10/11/19
to ossec-list



Do the new files you create show up in your syscheck database file?
(/var/ossec/queue/syscheck/syscheck.db for the OSSEC server)


I am not able to see a database file. I can see a file named /var/ossec/queue/syscheck/syscheck

Is that what you are referring to? If yes, then I am not able to see the newly created file's name in this file.

Prashanthi Soundarajan

Oct 11, 2019, 8:56:27 AM10/11/19
to ossec-list
Kindly ignore the above response. I am able to see the newly created file in /var/ossec/queue/syscheck/syscheck:

+++25:33184:0:0:8f40752e7074f39fca815d476987bac5:2f06aa578c59786289dfa2b27c57e1aafbf9d489 !1570798265 /etc/prash

dan (ddp)

Oct 14, 2019, 9:58:09 AM10/14/19
to ossec...@googlegroups.com
On Fri, Oct 11, 2019 at 8:56 AM Prashanthi Soundarajan
<prashan...@gmail.com> wrote:
>
>
>
> On Friday, October 11, 2019 at 6:23:37 PM UTC+5:30, Prashanthi Soundarajan wrote:
>>
>>
>>
>>>
>>> Do the new files you create show up in your syscheck database file?
>>> (/var/ossec/queue/syscheck/syscheck.db for the OSSEC server)
>>
>>
>>
>> I am not able to see database file. I can see a file name /var/ossec/queue/syscheck/syscheck
>>
>> Is that what you are referring ? if yes than I am not able to see the newly created file name in this file.
>
>

My memory failed me, that's the file.


>
>
> Kindly ignore the above response . I am able to view the newly created file in (/var/ossec/queue/syscheck/syscheck)
>
> +++25:33184:0:0:8f40752e7074f39fca815d476987bac5:2f06aa578c59786289dfa2b27c57e1aafbf9d489 !1570798265 /etc/prash
>

I'll have to test the alert new files functionality out. It worked
last time I tried it, but I haven't tried it recently.
Which version of OSSEC are you using?


Prashanthi Soundarajan

Oct 15, 2019, 12:43:54 AM10/15/19
to ossec-list

>

I'll have to test the alert new files functionality out. It worked
last time I tried it, but I haven't tried it recently.
Which version of OSSEC are you using?

I am using OSSEC version 3.0.0
