Syscheck- Wazuh Alert for new file


Nymeria

Sep 6, 2017, 4:10:49 AM
to Wazuh mailing list
Hello guys,
In my agent (a Windows 7 machine) with Wazuh Agent Manager, I manage the config file (ossec.conf).
I would like to know when a new file is created. I have added:
<!-- File integrity monitoring -->
<syscheck>
  <!-- Frequency that syscheck is executed default every 12 hours -->
  <frequency>43200</frequency>

  <!-- By default it is disabled. In the Install you must choose to enable it. -->
  <disabled>no</disabled>

  <!-- Generate alert when new file detected -->
  <alert_new_files>yes</alert_new_files>

  <!-- Default files to be monitored. -->
  [...]

  <!-- Test file to be monitored. -->
  <directories check_all="yes" realtime="yes" report_changes="yes">/test</directories>
</syscheck>

On my server, instead, following another post in this group, I modified local_rules.xml in /var/ossec/etc/rules to set the correct alert level. In this file I added rule 554 (because it was not present). My entire file follows:
<!-- Example -->
<group name="local,syslog,sshd,">

  <!--
  Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
  -->
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>sshd: authentication failed from IP 1.1.1.1.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

  <rule id="554" level="10" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,pci_dss_11.5,</group>
  </rule>

</group>

The last thing I did was restart syscheckd: in the agent's log I saw syscheckd start and end.
Obviously during this time I created a new file in the directory, but no alert appears in Kibana.
Where is the problem?

Many thanks for your help

Best regards

Miguelangel Freitas

Sep 6, 2017, 1:26:17 PM
to Nymeria, Wazuh mailing list
Hi Nymeria,

You must restart the agent after modifying its ossec.conf file; when using realtime="yes" you must wait until it's completely initialized. You will see a log line like the following, which confirms the real-time engine is fully started:

2017/09/05 21:43:55 ossec-agent: INFO: INFO: Starting syscheck real-time monitoring.

Starting from that log line, you should receive real-time alerts.

I hope it helps.

Regards.

Miguelangel Freitas
Security Engineer



Nymeria

Sep 8, 2017, 4:46:11 AM
to Wazuh mailing list
Hi Miguelangel, thank you for your reply.
I restarted my agent after modifying ossec.conf.
In the log, I saw:
17:42:45 ossec-syscheckd: INFO: Starting syscheck scan
18:14:58 ossec-syscheckd: INFO: Ending syscheck scan.
18:14:58 ossec-syscheckd: INFO: Starting syscheck real-time monitoring.

During this time I created a new file in the test directory, but no log arrived in Kibana; in the agent's log I saw:
07:56:34 ossec-agent: INFO: Sending agent information to server.

Thanks for your help

Miguelangel Freitas

Sep 8, 2017, 11:04:43 PM
to Nymeria, Wazuh mailing list
Hi Nymeria,

Sorry for the late reply.

In Windows agents you need to set the path of the supervised directory including the drive letter, for example:

<directories check_all="yes" realtime="yes" report_changes="yes">C:\Test</directories>

I hope it helps.

Best regards.

Miguelangel Freitas
Security Engineer


Nymeria

Sep 11, 2017, 4:22:33 AM
to Wazuh mailing list
Hi Miguelangel,
Don't worry, rather many thanks for your help :)
In my ossec.conf I correctly added the path of the directory:
<!-- Test file to be monitored. -->
<directories check_all="yes" realtime="yes" report_changes="yes">C:\test</directories>

In the log file on my agent I see:
ossec-syscheckd: INFO: Monitoring directory: 'C:\test', with options perm | size | owner | group | md5sum | sha1sum | realtime | report_changes | mtime | inode.

During the monitoring I wrote a file and in the log I see:
ossec-syscheckd: ERROR: Unable to write data on file 'queue/diff/local/test/prova.rtf/last-entry'

One more thing. On my server, the files alerts.json and alerts.log in /var/ossec/logs/alerts are populated, but neither has any logs about my test directory.

Thanks for your support!

Victor Fernandez

Sep 19, 2017, 5:04:15 AM
to Wazuh mailing list
Hi Nymeria,

I've tested a configuration with the same directory as you:

<directories check_all="yes" realtime="yes" report_changes="yes">C:\Test</directories>

I restarted the agent and waited for the message "Starting syscheck real-time monitoring." Then I created and modified some files and I got the corresponding alerts in the manager.

I wonder where you put this configuration:

<alert_new_files>yes</alert_new_files>

This setting must be in the manager; it's ignored by the agent.

The same applies to this configuration (if you want to get all alerts about modified files instead of only the first three):

<auto_ignore>no</auto_ignore>

Please check that those settings are placed in the manager and give it a try again.

If the problem persists, please tell us which version of Wazuh (agent and manager) you are using.

Best regards.
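The thread ends with two concrete causes: a Windows `<directories>` path given without a drive letter, and `<alert_new_files>` / `<auto_ignore>` placed in the agent's ossec.conf where the agent ignores them, plus the advice to wait for the "Starting syscheck real-time monitoring." log line. The script below is an added example, not code from this thread or from the Wazuh project: a small lint that parses an ossec.conf string, flags those two mistakes, and checks an agent log for the readiness line. The agent and manager configs and the log lines it uses are constructed for the example (the agent one mirrors what was posted), and it assumes the config text carries no XML declaration.

```python
"""Added example (not from the thread or the Wazuh project): lint the
syscheck pitfalls diagnosed in the discussion above.

Assumptions: ossec.conf is passed in as a string without an XML
declaration; the caller says whether the host is Windows and whether
the file is the agent's or the manager's.
"""
import re
import xml.etree.ElementTree as ET

# Options that, per the thread, are honoured only in the manager's ossec.conf.
MANAGER_ONLY = ("alert_new_files", "auto_ignore")

# A Windows path that starts with a drive letter, e.g. C:\Test
WIN_DRIVE_PATH = re.compile(r"^[A-Za-z]:[\\/]")

# Agent log line after which real-time syscheck alerts can be expected.
REALTIME_READY = "Starting syscheck real-time monitoring."


def check_syscheck(config_xml, role, windows):
    """Lint the <syscheck> block(s) of one ossec.conf.

    role is "agent" or "manager"; windows says whether the host is Windows.
    Returns a list of human-readable findings (empty means nothing to fix).
    """
    findings = []
    # ossec.conf may hold several top-level <ossec_config> blocks, so wrap
    # the text in a single root element before parsing.
    root = ET.fromstring("<root>" + config_xml + "</root>")
    for syscheck in root.iter("syscheck"):
        if (syscheck.findtext("disabled") or "no").strip() == "yes":
            findings.append("syscheck is disabled")
        for elem in syscheck.findall("directories"):
            # One element may list several comma-separated directories.
            for path in (elem.text or "").split(","):
                path = path.strip()
                if windows and path and not WIN_DRIVE_PATH.match(path):
                    findings.append(
                        "directory '%s' has no drive letter; on Windows use e.g. C:\\Test" % path)
        if role == "agent":
            for tag in MANAGER_ONLY:
                if syscheck.find(tag) is not None:
                    findings.append(
                        "<%s> in the agent config is ignored; set it in the manager's ossec.conf" % tag)
    return findings


def realtime_ready(agent_log_lines):
    """True once the agent log shows the real-time engine has started."""
    return any(REALTIME_READY in line for line in agent_log_lines)


# Constructed sample: the agent config as posted in the thread (two problems).
AGENT_AS_POSTED = """<ossec_config>
  <syscheck>
    <frequency>43200</frequency>
    <disabled>no</disabled>
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes" realtime="yes" report_changes="yes">/test</directories>
  </syscheck>
</ossec_config>"""

# Constructed sample: agent config with the drive letter and no manager-only options.
AGENT_FIXED = r"""<ossec_config>
  <syscheck>
    <frequency>43200</frequency>
    <disabled>no</disabled>
    <directories check_all="yes" realtime="yes" report_changes="yes">C:\Test</directories>
  </syscheck>
</ossec_config>"""

# Constructed sample: the manager side, where alert_new_files / auto_ignore belong.
MANAGER_FIXED = """<ossec_config>
  <syscheck>
    <frequency>43200</frequency>
    <disabled>no</disabled>
    <alert_new_files>yes</alert_new_files>
    <auto_ignore>no</auto_ignore>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>
</ossec_config>"""

# Constructed agent log lines in the shape quoted in the thread.
AGENT_LOG = [
    "17:42:45 ossec-syscheckd: INFO: Starting syscheck scan",
    "18:14:58 ossec-syscheckd: INFO: Ending syscheck scan.",
    "18:14:58 ossec-syscheckd: INFO: Starting syscheck real-time monitoring.",
]

if __name__ == "__main__":
    for finding in check_syscheck(AGENT_AS_POSTED, "agent", windows=True):
        print("agent as posted:", finding)
    print("agent fixed:", check_syscheck(AGENT_FIXED, "agent", windows=True))
    print("manager:", check_syscheck(MANAGER_FIXED, "manager", windows=False))
    print("ready after the first scan only:", realtime_ready(AGENT_LOG[:2]))
    print("ready after the real-time line:", realtime_ready(AGENT_LOG))
```

Run against the posted agent config it reports both the missing drive letter and the misplaced `<alert_new_files>`; against the split agent/manager pair it reports nothing, and the log check only turns true once the real-time line is present, which is the moment from which a test file should produce an alert.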