OSSEC: Real time file monitoring not starting


Jenia Jenia

Nov 11, 2015, 7:48:09 AM
to ossec-list
Hi Guys!
I've installed and configured OSSEC to get real time notifications, but when I modify for instance /etc/passwd or /etc/hosts I don't get a real time notification.
Scheduled notifications are working I receive events to my email.

In addition, the documentation says that ossec.log should contain the line "Real time file monitoring started.", which I never get.

Please advise

  <global>
    <email_notification>yes</email_notification>
    <email_to>jen...@gmail.com</email_to>
    <smtp_server>mx.yandex.net.</smtp_server>
    <email_from>ossecm@myserver</email_from>
  </global>

  <!-- 550 changed, 553 deleted, 554 added -->
  <email_alerts>
    <email_to>jen...@gmail.com</email_to>
    <rule_id>550, 553, 554</rule_id>
    <do_not_delay />
  </email_alerts>

  <!-- Directories to check (perform all possible verifications) -->
  <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>

  <alert_new_files>yes</alert_new_files>
  <scan_on_start>no</scan_on_start>
  <auto_ignore>no</auto_ignore>

Jb Cheng

Nov 11, 2015, 2:09:45 PM
to ossec-list
Realtime syscheck uses the INOTIFY feature on Linux systems. The Makeall file checks for the existence of a header file. Please see if your Ubuntu system has one of the following:

    # Checking for inotify
    if [ "X$OS" = "XLinux" ]; then
        if [ -e /usr/include/sys/inotify.h ]; then
            echo "EEXTRA=-DUSEINOTIFY" >> Config.OS
        elif [ -e /usr/include/linux/inotify.h ]; then
            echo "EEXTRA=-DUSEINOTIFY" >> Config.OS
        fi
        LUA_PLAT="posix"
    fi


If it works, the Config.OS file will contain the '-DUSEINOTIFY' compilation directive. Please check it.


Good luck!

Jenia Jenia

Nov 11, 2015, 3:59:11 PM
to ossec-list
I've checked: I have /usr/include/linux/inotify.h and I have -DUSEINOTIFY.

I do have the "Real time file monitoring started." line, which I simply didn't notice.

However, the problem is that real time notifications seem to be working inconsistently, i.e. if I, let's say, "apt-get install ...some package", I get the notification right away; also, when I restart OSSEC I get an email immediately, BUT when I modify /etc/hosts or some other file under a directory with the "realtime" parameter in "directories", then I only get a notification when ossec-syscheckd runs as scheduled.

Any ideas?

Santiago Bassett

Nov 12, 2015, 8:44:56 PM
to ossec...@googlegroups.com
Are you using the scan_on_start option? Remember that realtime won't work until the first syscheck is done.

I also recommend using alert_new_files and setting auto_ignore to "no" (this goes on the manager).

A useful troubleshooting tip is to enable debug for syscheck on the agent (internal_options.conf file).

Best

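A small diagnostic script that walks through the checks suggested in the replies above (Jb Cheng's inotify header and Config.OS check, the "Real time file monitoring started." log line, and Santiago's point that realtime only begins after the first syscheck scan, so scan_on_start should not be "no"). It is an added example, not code from the thread or from OSSEC; the default paths are assumptions (Config.OS lives in the OSSEC source tree's src/ directory, where Makeall writes it), and every path can be overridden as an argument.

```shell
#!/bin/sh
# Added troubleshooting helper for OSSEC realtime syscheck (not part of OSSEC,
# not code from anyone in the thread). Each check returns 0 on success so the
# functions can be scripted or run one at a time.

# 0 if an inotify header exists below $1 (the same test Makeall performs).
have_inotify_header() {
    [ -e "$1/sys/inotify.h" ] || [ -e "$1/linux/inotify.h" ]
}

# 0 if Config.OS ($1) carries the -DUSEINOTIFY compilation directive.
built_with_inotify() {
    grep -q -- '-DUSEINOTIFY' "$1" 2>/dev/null
}

# 0 if ossec.log ($1) records that realtime monitoring actually started.
realtime_started() {
    grep -q 'Real time file monitoring started' "$1" 2>/dev/null
}

# 0 unless ossec.conf ($1) explicitly sets <scan_on_start>no</scan_on_start>;
# realtime alerts only begin once a first full scan has completed.
scan_on_start_enabled() {
    ! grep -q '<scan_on_start>[[:space:]]*no[[:space:]]*</scan_on_start>' "$1" 2>/dev/null
}

# Runs every check, prints one line per check, returns the number of failures.
# Usage: check_realtime_syscheck [include-dir] [Config.OS] [ossec.log] [ossec.conf]
check_realtime_syscheck() {
    incdir="${1:-/usr/include}"
    configos="${2:-./Config.OS}"            # assumed: run from the src/ build dir
    log="${3:-/var/ossec/logs/ossec.log}"
    conf="${4:-/var/ossec/etc/ossec.conf}"
    failures=0
    have_inotify_header "$incdir" && echo "ok: inotify.h present under $incdir" \
        || { echo "FAIL: no inotify.h under $incdir"; failures=$((failures+1)); }
    built_with_inotify "$configos" && echo "ok: -DUSEINOTIFY set in $configos" \
        || { echo "FAIL: -DUSEINOTIFY missing from $configos"; failures=$((failures+1)); }
    realtime_started "$log" && echo "ok: realtime start logged in $log" \
        || { echo "FAIL: no 'Real time file monitoring started.' in $log"; failures=$((failures+1)); }
    scan_on_start_enabled "$conf" && echo "ok: scan_on_start not disabled in $conf" \
        || { echo "FAIL: scan_on_start is 'no' in $conf; realtime waits for a first scan"; failures=$((failures+1)); }
    return "$failures"
}
```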

temp.em...@gmail.com

Feb 23, 2018, 12:59:25 PM
to ossec-list
Hi Santiago, I just came across your post. Are you saying that the auto_ignore and alert_new_files goes in /var/ossec/etc/ossec.conf on the manager OR in /var/ossec/etc/shared/agent.conf on the manager? Obviously, the latter will eventually be placed on the Agent. I thought that /var/ossec/etc/ossec.conf (on the manager) only applied to syscheck settings locally (in this case, the manager) and that agent.conf would control what happens on the Agents. This is a little confusing.

Santiago Bassett

Feb 23, 2018, 1:46:24 PM
to ossec...@googlegroups.com
That goes in the manager's ossec.conf.

The manager takes care of analyzing the syscheck data received from the agents and generates the alerts.

I hope it helps

Santiago Bassett
@santiagobassett

temp.em...@gmail.com

Feb 23, 2018, 4:30:49 PM
to ossec-list
So what is the difference between, say, the <syscheck><frequency> parameter in the ossec.conf file on the server and the one in the agent.conf file that eventually gets pushed to the agent? I was under the impression that the frequency setting in ossec.conf would be used locally if the server were performing syschecks on itself. What if the frequency in ossec.conf and agent.conf differ? How often will the agent perform a syscheck on itself: per the parameter in ossec.conf or in agent.conf?