delayed realtime messages

Oğuz Yarımtepe

Jan 26, 2018, 7:28:15 AM
to ossec-list
Below is my agent.conf

<agent_config profile="LinuxGeneral">

  <syscheck>
    <!-- Frequency that syscheck is executed (default every 6 hours) -->
    <frequency>21600</frequency>
    <!-- <scan_on_start>yes</scan_on_start> -->
    <skip_nfs>yes</skip_nfs>
    <alert_new_files>yes</alert_new_files>
    <auto_ignore>no</auto_ignore>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories realtime="yes" check_all="yes" report_changes="yes">/usr/local/etc</directories>
    <directories realtime="yes" check_all="yes" report_changes="yes">/lib,/lib64,/usr/lib,/usr/lib64</directories>
    <directories realtime="yes" check_all="yes" report_changes="yes">/usr/local/bin</directories>
    <directories realtime="yes" check_all="yes" report_changes="yes">/usr/local/sbin</directories>
    <directories realtime="yes" check_all="yes" report_changes="yes">/usr/local/lib</directories>
    <directories realtime="yes" check_all="yes" report_changes="yes">/usr/local/lib64</directories>
    <directories realtime="yes" check_all="yes" report_changes="yes">/home/cyblnxadm</directories>
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" realtime="yes" report_changes="yes">/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
    <ignore>/var/ossec</ignore>


    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>
  </syscheck>

  <rootcheck>
    <disabled>no</disabled>
    <skip_nfs>yes</skip_nfs>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt</system_audit>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

</agent_config>
When I change a file under /home/cyblnxadm, I get the email after 1 hour. Any idea about the delay? My real-time monitoring is started and I can see that in the logs. But the messages are coming delayed.
I am using CentOS 7 and installed the OSSEC agent using atomicrepo.
Oğuz Yarımtepe

Jan 30, 2018, 12:42:47 AM
to ossec-list
Can this be because my global email settings are as below?

<global>
  <email_notification>yes</email_notification>
  <email_to>us...@foo.com</email_to>
  <email_to>us...@foo.com</email_to>
  <smtp_server>ap-smtp-ggrc.pool.gittigidiyor.net</smtp_server>
  <email_from>oss...@warn.foo.com</email_from>
  <email_maxperhour>1</email_maxperhour>
</global>

I changed the email_maxperhour to 1000. Should I use do_not_delay?



On Friday, 26 January 2018 at 15:28:15 UTC+3, Oğuz Yarımtepe wrote:
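An added example, not from this thread or from the OSSEC project: a small Python lint that reads the agent-side realtime directories and the server-side mail throttle and reports why realtime syscheck alerts could be held back until the end of the hour. The sample configs are constructed from the ones posted above, and it assumes the documented OSSEC behaviour that once email_maxperhour mails have gone out in an hour further alerts are grouped until the hour ends, and that a <do_not_delay/> inside a granular <email_alerts> block exempts matching alerts from that grouping.

```python
import xml.etree.ElementTree as ET

# Constructed samples, trimmed from the two configs posted in this thread.
AGENT_CONF = """<agent_config profile="LinuxGeneral">
  <syscheck>
    <directories realtime="yes" check_all="yes">/home/cyblnxadm</directories>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>
</agent_config>"""
OSSEC_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_maxperhour>1</email_maxperhour>
  </global>
</ossec_config>"""
DEFAULT_MAXPERHOUR = 12  # OSSEC's default when <email_maxperhour> is absent

def realtime_dirs(agent_xml):
    """Paths that syscheck watches with realtime="yes" (comma lists split)."""
    paths = []
    for d in ET.fromstring(agent_xml).iter("directories"):
        if d.get("realtime", "no").lower() == "yes":
            paths.extend(p.strip() for p in (d.text or "").split(","))
    return paths

def email_throttle(ossec_xml):
    """Return (email_maxperhour, do_not_delay) from the server-side config."""
    root = ET.fromstring(ossec_xml)
    node = root.find("./global/email_maxperhour")
    maxperhour = int(node.text) if node is not None else DEFAULT_MAXPERHOUR
    # <do_not_delay/> lives inside a granular <email_alerts> block.
    do_not_delay = root.find("./email_alerts/do_not_delay") is not None
    return maxperhour, do_not_delay

def check_delay_risk(agent_xml, ossec_xml):
    """Findings explaining why realtime syscheck alerts may be mailed late."""
    findings = []
    if not realtime_dirs(agent_xml):
        return findings  # nothing watched in realtime, so no expectation
    maxperhour, do_not_delay = email_throttle(ossec_xml)
    if maxperhour < DEFAULT_MAXPERHOUR:
        findings.append(f"email_maxperhour={maxperhour}: once that many mails "
                        "went out this hour, later alerts wait for the hour to end")
    if not do_not_delay:
        findings.append("no <email_alerts> with <do_not_delay/>: alerts still "
                        "subject to hourly grouping")
    return findings
```

Point it at the real agent.conf and ossec.conf contents on the manager to see which of the two settings is holding the realtime alerts back.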