ossec not sending alert about changes

[Oleg Makarov]

Hello everyone!

I'm a newbie in ossec and I need some help.

I have an ossec manager and 20+ ossec agents.

On manager i have next conf: http://pastebin.com/4LTYNmYH

On agent i have next conf: http://pastebin.com/RzN5p6Zf

I want to see how i change /etc/ssh/sshd_config on one of my agents, I made some changes, but there are no alerts on my email.

What am I do wrong?

Thanks!

[Oleg Makarov]

If i change something on manager node - I'm getting an alert!

But nothing if I change agent's node.

пятница, 17 июля 2015 г., 13:26:49 UTC+3 пользователь Oleg Makarov написал:

[dan (ddp)]

Is the agent connected to the manager?
Is the entry in the ayscheck db updated (/var/ossec/queue/syscheck)?

The frequency seems very low on the agent. I haven't seen much success with very low frequencies.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

[Oleg Makarov]

Yep, its active.

I dont see anything in /var/ossec/queue/syscheck :(

I also try to change frequency to 600 seconds, but still the same :(

пятница, 17 июля 2015 г., 15:28:16 UTC+3 пользователь dan (ddpbsd) написал:

[dan (ddp)]

On Jul 17, 2015 8:51 AM, "Oleg Makarov" <theoleg...@gmail.com> wrote:
>
> Yep, its active.
> I dont see anything in /var/ossec/queue/syscheck :(
>

Did you check on the manager? I apologize for not being more specific initially, but that info is stored on the manager.

> I also try to change frequency to 600 seconds, but still the same :(
>

That's still very low for checking 2 hashes for every file in the configured directories.

[Oleg Makarov]

/var/ossec/bin/agent_control -i 030

OSSEC HIDS agent_control. Agent information:

   Agent ID:   030

   Agent Name: ewqeqw

   IP address: 192.168.x.x

   Status:     Active

   Operating system:    Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.65-1+deb7u..

   Client version:      OSSEC HIDS v2.8 / 9144d8b51e627a498cde8eeb8dac2c88

   Last keep alive:     Fri Jul 17 15:57:56 2015

   Syscheck last started  at: Fri Jul 17 15:34:48 2015

   Rootcheck last started at: Fri Jul 17 15:59:33 2015

Now I'm testing with central agent conf:

<agent_config>

<syscheck>

    <frequency>600</frequency>

    <directories report_changes="yes" check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>

    <directories report_changes="yes" check_all="yes" realtime="yes">/bin,/sbin</directories>

    <directories report_changes="yes" check_all="yes" realtime="yes">/usr/local/sbin</directories>

    <directories report_changes="yes" check_all="yes" realtime="yes">/usr/local/bin</directories>

</syscheck>

</agent_config>

And still nothing, i check md5sum /var/ossec/etc/shared/agent.conf

179aa16e2a4830f4d60afe9b2325e956  /var/ossec/etc/shared/agent.conf

But as you can see, the agent dont receive it (I restart agent)

Dont know what to do...

пятница, 17 июля 2015 г., 15:54:13 UTC+3 пользователь dan (ddpbsd) написал:

[dan (ddp)]

It can take some time for the agent.conf to get pushed to the agents. But if you're having problems with the normal setup, I imagine you'll continue to have the problems with the agent.conf.
Double check your alerts.log file for syscheck alerts related to the sshd_config file.

[Oleg Makarov]

now i see that md5sum matched on server and agent.

I change file in /etc folder, wait for 5 minutes, but there is no email

in alerts.log i dont see anything only that i logged into system :(

пятница, 17 июля 2015 г., 16:21:33 UTC+3 пользователь dan (ddpbsd) написал:

[Oleg Makarov]

Now on agent i see next

ossec-agentd(1214): WARN: Problem receiving message from OSSEC SERVER IP ADDRESS

But it's active in list of agents

пятница, 17 июля 2015 г., 16:21:33 UTC+3 пользователь dan (ddpbsd) написал: