ossec email notification not working


Daiyue Weng

Sep 5, 2016, 10:33:35 AM
to ossec-list
Hi, I installed OSSEC in local mode on my cloud server and configured ossec.conf as follows. I am trying to detect new files using <alert_new_files>yes</alert_new_files>.

<global>
  <email_notification>yes</email_notification>
  <email_to>my_e...@example.com</email_to>
  <smtp_server>ns0.bt.net.</smtp_server>
  <email_from>my_e...@example.com</email_from>
</global>

<syscheck>
  <!-- Frequency that syscheck is executed - default to every 22 hours -->
  <frequency>79200</frequency>
  <alert_new_files>yes</alert_new_files>

  <!-- Directories to check (perform all possible verifications) -->
  <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>
  <directories report_changes="yes" realtime="yes" check_all="yes">/home/user_name</directories>
</syscheck>

The local_rules.xml looks like this:

<group name="local,syslog,">

  <!-- Note that rule id 5711 is defined at the ssh_rules file
    -  as a ssh failed login. This is just an example
    -  since ip 1.1.1.1 shouldn't be used anywhere.
    -  Level 0 means ignore.
    -->
  <rule id="100001" level="0">
    <if_sid>5711</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>Example of rule that will ignore sshd </description>
    <description>failed logins from IP 1.1.1.1.</description>
  </rule>

  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group> <!-- SYSLOG,LOCAL -->

Now, if I add a file in /home/user_name, no email notification comes through the SMTP server. I am using smtp.bt.net, and I ran

dig -t mx smtp.bt.net

to get the SMTP server. What are the possible reasons that I am not getting the email?

Many thanks 

dan (ddp)

Sep 5, 2016, 10:38:25 AM
to ossec...@googlegroups.com
Are you getting emails for other alerts?
Are alerts being triggered for these new files?


Daiyue Weng

Sep 5, 2016, 10:47:08 AM
to ossec-list
Hi, since it is a fresh install of OSSEC, I haven't received any emails at all. The notification is turned on with

<alert_new_files>yes</alert_new_files>

in ossec.conf.

dan (ddp)

Sep 5, 2016, 10:57:08 AM
to ossec...@googlegroups.com
On Mon, Sep 5, 2016 at 10:47 AM, Daiyue Weng <daiyu...@gmail.com> wrote:
> Hi, since it is a fresh install of ossec, so I didn't get any emails. The
> notification is turn on as
>

Try using tcpdump (looking for connections to the email server from
the OSSEC system)
or check the maillogs on the email server to determine if there is an
error when sending.

Daiyue Weng

Sep 5, 2016, 11:42:27 AM
to ossec-list
Hi, could you give me an example of using tcpdump in this case?

cheers

dan (ddp)

Sep 5, 2016, 11:44:57 AM
to ossec...@googlegroups.com
On Mon, Sep 5, 2016 at 11:42 AM, Daiyue Weng <daiyu...@gmail.com> wrote:
> Hi, could you give me an example of using tcpdump in this case?
>

tcpdump -nnXxevvs 0 port 25

Daiyue Weng

Sep 5, 2016, 11:53:57 AM
to ossec-list
Using the above command and adding a file in a monitored directory, i.e. /home/user_name, nothing is shown by tcpdump:

tcpdump: listening on dummy0, link-type EN10MB (Ethernet), capture size 262144 bytes

dan (ddp)

Sep 5, 2016, 12:02:06 PM
to ossec...@googlegroups.com
On Mon, Sep 5, 2016 at 11:53 AM, Daiyue Weng <daiyu...@gmail.com> wrote:
> Using the above cmd, adding a file on a monitored directory, i.e.
> /home/user_name,
>
> nothing is shown on tcpdump,
>
> tcpdump: listening on dummy0, link-type EN10MB (Ethernet), capture size
> 262144 bytes
>
>

You can use "-i INTERFACE_NAME" to change the interface it listens on.
So make sure you're listening to the interface the emails should be sent from.
Did any alerts fire while you were using tcpdump (check
/var/ossec/logs/alerts/alerts.log)?
If not, that'll be a problem.

Daiyue Weng

Sep 5, 2016, 12:14:36 PM
to ossec-list
/var/ossec/logs/alerts/alerts.log didn't show the addition of the file; no alerts fired after adding a file to /home/user_name, which is monitored by OSSEC. What are the possible problems?

dan (ddp)

Sep 5, 2016, 12:23:44 PM
to ossec...@googlegroups.com
On Mon, Sep 5, 2016 at 12:14 PM, Daiyue Weng <daiyu...@gmail.com> wrote:
> The /var/ossec/logs/alerts/alerts.log didn't show the addition of the file,
> no alerts fired after adding a file to /home/user_name, which is monitored
> by ossec. what's the possible problems?
>

A syscheck scan probably hasn't run since the file was added (I don't
think it works with realtime).
Try running a syscheck scan to see if an alert is created.
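
The scan-then-diff behaviour dan describes above, as an added example that is not part of the thread and not OSSEC's own syscheckd code: each scheduled scan records size, mode and a content hash for every file under the watched directories and diffs that against the previous run, so a file dropped in between scans is only reported when the next scan (scheduled, or forced) runs. The rule ids are the stock OSSEC ones for changed (550), deleted (553) and added (554) files; the hashing and database format are simplified, and the directory it scans is constructed under a temporary directory.

```python
"""Minimal syscheck-style scan: snapshot a tree, diff it against the last
snapshot, and turn the differences into OSSEC-style rule ids.

Example code, not OSSEC's syscheckd. The on-disk database is a dict here
and the checksum is a single sha256; real syscheck stores md5/sha1 plus
owner, group, mtime and inode.
"""
import hashlib
import os
import stat
import tempfile

# Stock OSSEC rule ids: 550 "Integrity checksum changed", 553 "File
# deleted", 554 "File added to the system" (554 is level 0 by default).
RULE_CHANGED, RULE_DELETED, RULE_ADDED = 550, 553, 554


def snapshot(directory):
    """Walk a directory tree and record (size, mode, sha256) per regular file."""
    db = {}
    for dirpath, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue            # skip symlinks, sockets, devices
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            db[path] = (st.st_size, stat.S_IMODE(st.st_mode), digest)
    return db


def diff(previous, current, alert_new_files=True):
    """Return sorted (rule_id, path) events between two snapshots.

    New files are reported only when alert_new_files is set, mirroring
    <alert_new_files>yes</alert_new_files> in ossec.conf.
    """
    events = []
    for path, attrs in current.items():
        if path not in previous:
            if alert_new_files:
                events.append((RULE_ADDED, path))
        elif attrs != previous[path]:
            events.append((RULE_CHANGED, path))
    for path in previous:
        if path not in current:
            events.append((RULE_DELETED, path))
    return sorted(events)


def demo():
    """Two scans around an addition, a modification and a deletion (constructed data)."""
    with tempfile.TemporaryDirectory() as root:
        keep = os.path.join(root, "keep.txt")
        gone = os.path.join(root, "gone.txt")
        for p in (keep, gone):
            with open(p, "w") as fh:
                fh.write("original\n")
        first = snapshot(root)          # the scheduled scan before the change

        # Changes made between two scans: nothing is reported yet.
        with open(os.path.join(root, "new.txt"), "w") as fh:
            fh.write("dropped in later\n")
        with open(keep, "a") as fh:
            fh.write("modified\n")
        os.remove(gone)

        second = snapshot(root)         # the next scan (scheduled or forced)
        return [(rule, os.path.basename(path)) for rule, path in diff(first, second)]


if __name__ == "__main__":
    for rule, name in demo():
        print(f"rule {rule}: {name}")
```

Running it prints one line per event; the new file shows up as rule 554 only because the second snapshot was taken, which is the same reason the thread moves on to forcing a scan rather than waiting for the 79200-second frequency.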

Daiyue Weng

Sep 5, 2016, 12:29:48 PM
to ossec...@googlegroups.com
Hi, ideally we would like OSSEC to check file integrity in real time; if that is not possible, what other options does OSSEC offer in that respect?

Is there a syscheck command in OSSEC?

dan (ddp)

Sep 5, 2016, 12:45:18 PM
to ossec...@googlegroups.com
On Mon, Sep 5, 2016 at 12:29 PM, Daiyue Weng <daiyu...@gmail.com> wrote:
> Hi, ideally we like ossec to check file integrity in real time, if not, what
> are the other options ossec can offer in that aspect?
>

It will do some things in real time, not all. I think it should be a
fairly simple code change to add new files to the realtime options,
but I've never really looked into it.

> Is there a Syscheck cmd in ossec?
>

# /var/ossec/bin/agent_control -h

OSSEC HIDS agent_control: Control remote agents.
Available options:
-h This help message.
-l List available (active or not) agents.
-lc List active agents.
-i <id> Extracts information from an agent.
-R <id> Restarts agent.
-r -a Runs the integrity/rootkit checking on all agents now.
-r -u <id> Runs the integrity/rootkit checking on one agent now.

-b <ip> Blocks the specified ip address.
-f <ar> Used with -b, specifies which response to run.
-L List available active responses.
-s Changes the output to CSV (comma delimited).

Daiyue Weng

Sep 6, 2016, 6:32:54 AM
to ossec...@googlegroups.com
Since I am running OSSEC in local mode, agent_control doesn't do any good here?

dan (ddp)

Sep 6, 2016, 6:37:38 AM
to ossec...@googlegroups.com

On Sep 6, 2016 6:32 AM, "Daiyue Weng" <daiyu...@gmail.com> wrote:
>
> since I am running local-ossec, so agent_control doesn't do any good here?
>

I'll install a local instance and try it out for you. I'll report back shortly.

dan (ddp)

Sep 6, 2016, 6:59:52 AM
to ossec...@googlegroups.com
On Tue, Sep 6, 2016 at 6:36 AM, dan (ddp) <ddp...@gmail.com> wrote:
> On Sep 6, 2016 6:32 AM, "Daiyue Weng" <daiyu...@gmail.com> wrote:
>>
>> since I am running local-ossec, so agent_control doesn't do any good here?
>>
>
> I'll install a local instance and try it out for you. I'll report back
> shortly.
>

Not positive, but it doesn't look like it's working. I'm not keeping
it around for another try.
You may just have to restart the syscheckd process.

Daiyue Weng

Sep 6, 2016, 7:01:14 AM
to ossec...@googlegroups.com
I did try restarting OSSEC, which should restart syscheckd as well, I guess?

dan (ddp)

Sep 6, 2016, 7:11:41 AM
to ossec...@googlegroups.com
On Tue, Sep 6, 2016 at 7:01 AM, Daiyue Weng <daiyu...@gmail.com> wrote:
> I did try restarting ossec, which should restart syscheckd as well Iguess?
>

Yes. You can see the log messages related to syscheck in
/var/ossec/logs/ossec.log.

dan (ddp)

Sep 6, 2016, 7:12:10 AM
to ossec...@googlegroups.com
On Tue, Sep 6, 2016 at 6:59 AM, dan (ddp) <ddp...@gmail.com> wrote:
> On Tue, Sep 6, 2016 at 6:36 AM, dan (ddp) <ddp...@gmail.com> wrote:
>> On Sep 6, 2016 6:32 AM, "Daiyue Weng" <daiyu...@gmail.com> wrote:
>>>
>>> since I am running local-ossec, so agent_control doesn't do any good here?
>>>
>>
>> I'll install a local instance and try it out for you. I'll report back
>> shortly.
>>
>
> Not positive, but it doesn't look like it's working. I'm not keeping
> it around for another try.
> You may just have to restart the syscheckd process.
>

It does look like this might be working, just had to have execd
running and have a bit more patience.

Daiyue Weng

Sep 6, 2016, 7:13:45 AM
to ossec...@googlegroups.com
Could you elaborate on the steps you went through? How does it work?

dan (ddp)

Sep 6, 2016, 7:15:25 AM
to ossec...@googlegroups.com
On Tue, Sep 6, 2016 at 7:13 AM, Daiyue Weng <daiyu...@gmail.com> wrote:
> Could you elaborate the steps you went through? How does it work?
>

Make sure active response is enabled.
Run:
/var/ossec/bin/agent_control -r -u 000

Wait.

Daiyue Weng

Sep 6, 2016, 7:23:03 AM
to ossec...@googlegroups.com
Thanks, how do I enable active response in ossec.conf?

dan (ddp)

Sep 6, 2016, 7:24:00 AM
to ossec...@googlegroups.com
On Tue, Sep 6, 2016 at 7:22 AM, Daiyue Weng <daiyu...@gmail.com> wrote:
> thanks, how to enable active response in ossec.conf?
>

If it's disabled, delete that block. If it's not disabled, it should
be running (`ps auxww | grep ossec-execd`)
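
Before reaching for tcpdump, the whole chain from the first post (mail settings, <alert_new_files>, the level of rule 554 against the email threshold, and the active-response block dan refers to) can be checked from the two XML files. The script below is an added example, not OSSEC code and not from anyone in the thread. It assumes the block dan means is the stock ossec.conf stanza <active-response><disabled>yes</disabled></active-response>; the two OSSEC defaults it relies on are real (the shipped rule 554 is level 0, and <email_alert_level> defaults to 7, which is why the poster's overwrite to level 7 is needed at all). The sample ossec.conf and local_rules.xml are constructed, modelled on the ones posted above, and the sample config deliberately keeps the disabled block so the checker has something to report.

```python
"""Sanity-check the OSSEC email-alert chain for a syscheck "File added" event.

Example code, not part of OSSEC. It reads an ossec.conf and a
local_rules.xml (constructed samples below) and lists every reason a
rule 554 event would never reach the mailbox.
"""
import xml.etree.ElementTree as ET

DEFAULT_EMAIL_ALERT_LEVEL = 7   # OSSEC default for <alerts><email_alert_level>
STOCK_RULE_554_LEVEL = 0        # level of rule 554 in the shipped ossec_rules.xml

# Constructed ossec.conf, modelled on the one in the first post, with the
# stock active-response block still present in its disabled form.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>ops@example.com</email_to>
    <smtp_server>mail.example.com</smtp_server>
    <email_from>ossec@example.com</email_from>
  </global>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
  <syscheck>
    <frequency>79200</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes">/etc,/usr/bin</directories>
  </syscheck>
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</ossec_config>
"""

# Constructed local_rules.xml without any override of rule 554 ...
STOCK_LOCAL_RULES = """<group name="local,syslog,">
  <rule id="100001" level="0">
    <if_sid>5711</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>Example of rule that will ignore sshd failed logins.</description>
  </rule>
</group>
"""

# ... and one with the override the poster added.
OVERRIDDEN_LOCAL_RULES = """<group name="local,syslog,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
"""


def _text(root, path, default=None):
    """Stripped text of the first element at path, or default if absent/empty."""
    node = root.find(path)
    return node.text.strip() if node is not None and node.text else default


def rule_554_level(local_rules_xml):
    """Level rule 554 ends up with once local_rules.xml overrides are applied."""
    root = ET.fromstring(local_rules_xml)
    for rule in root.iter("rule"):
        if rule.get("id") == "554" and rule.get("overwrite") == "yes":
            return int(rule.get("level", STOCK_RULE_554_LEVEL))
    return STOCK_RULE_554_LEVEL


def check_email_chain(ossec_conf_xml, local_rules_xml):
    """Return a list of problems; an empty list means the chain is complete."""
    conf = ET.fromstring(ossec_conf_xml)
    problems = []
    if _text(conf, "global/email_notification") != "yes":
        problems.append("global/email_notification is not 'yes'")
    for tag in ("email_to", "email_from", "smtp_server"):
        if not _text(conf, f"global/{tag}"):
            problems.append(f"global/{tag} is missing")
    threshold = int(_text(conf, "alerts/email_alert_level", DEFAULT_EMAIL_ALERT_LEVEL))
    if _text(conf, "syscheck/alert_new_files") != "yes":
        problems.append("syscheck/alert_new_files is not 'yes' (new files never raise 554)")
    level = rule_554_level(local_rules_xml)
    if level < threshold:
        problems.append(f"rule 554 is level {level}, below email_alert_level {threshold}")
    if _text(conf, "active-response/disabled") == "yes":
        problems.append("active-response is disabled (the thread needed execd running "
                        "for agent_control -r -u 000 to force a scan)")
    return problems


if __name__ == "__main__":
    for name, rules in (("stock rules", STOCK_LOCAL_RULES), ("overridden", OVERRIDDEN_LOCAL_RULES)):
        print(name, check_email_chain(SAMPLE_OSSEC_CONF, rules) or "ok")
```

With the stock rules the script reports both the level-0 rule 554 and the disabled active-response block; with the poster's override and the disabled block removed it reports nothing. It only validates configuration: whether the host named in <smtp_server> will accept unauthenticated mail on port 25 (ossec-maild speaks plain SMTP with no authentication or TLS) is exactly what the tcpdump capture dan suggested earlier answers.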

Daiyue Weng

Sep 6, 2016, 9:17:47 AM
to ossec...@googlegroups.com
This is what I did:

1. restart OSSEC

2. run `ps auxww | grep ossec-execd`; execd is already running.

3. add an empty file in /home/user_name

4. run /var/ossec/bin/agent_control -r -u 000

5. check alerts.log; no file addition alert was shown.

I am using Arch Linux.

Daiyue Weng

Sep 6, 2016, 9:30:05 AM
to ossec...@googlegroups.com
could you show me your ossec.conf and local_rules.xml?

dan (ddp)

Sep 6, 2016, 9:33:12 AM
to ossec...@googlegroups.com
On Tue, Sep 6, 2016 at 9:17 AM, Daiyue Weng <daiyu...@gmail.com> wrote:
> This is what I did,
>
> 1. restart ossec
>
> 2. running `ps auxww | grep ossec-execd`, execd is already running.
>
> 3. add an empty file in /home/user_name
>
> 4. running /var/ossec/bin/agent_control -r -u 000
>
> 5. checking alerts.log, no file addition log was shown.
>
> I am using Arch Linux.
>

OSSEC 2.8.3?

Daiyue Weng

unread,
Sep 6, 2016, 9:33:45 AM9/6/16
to ossec...@googlegroups.com
yes, ossec 2.8.3


dan (ddp)

unread,
Sep 6, 2016, 9:40:15 AM9/6/16
to ossec...@googlegroups.com
On Tue, Sep 6, 2016 at 9:29 AM, Daiyue Weng <daiyu...@gmail.com> wrote:
> could you show me your ossec.conf and local_rules.xml?
>

This is for one of my servers. Probably not what I'll be testing with though.
ossec.conf:
<ossec_config>
<global>
<email_notification>yes</email_notification>
<email_to>d...@ix.example.com</email_to>
<smtp_server>192.168.17.9</smtp_server>
<!--<smtp_server>/usr/bin/msmtp -v --timeout 20 -f
"os...@earth.example.com" -t</smtp_server>-->
<email_from>ossecm@earth</email_from>
</global>

<database_output>
<hostname>127.0.0.1</hostname>
<username>ossecuser</username>
<password>TGmmxNsh5TNrKTy8</password>
<database>ossec</database>
<type>mysql</type>
</database_output>

<syscheck>
<!-- Frequency that syscheck is executed - default to every 22 hours -->
<frequency>79200</frequency>
<auto_ignore>no</auto_ignore>

<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
<directories check_all="yes" realtime="yes">/var/test</directories>

<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>

<!-- Windows files to ignore -->
<ignore>C:\WINDOWS/System32/LogFiles</ignore>
<ignore>C:\WINDOWS/Debug</ignore>
<ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
<ignore>C:\WINDOWS/iis6.log</ignore>
<ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
<ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
<ignore>C:\WINDOWS/Prefetch</ignore>
<ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
<ignore>C:\WINDOWS/SoftwareDistribution</ignore>
<ignore>C:\WINDOWS/Temp</ignore>
<ignore>C:\WINDOWS/system32/config</ignore>
<ignore>C:\WINDOWS/system32/spool</ignore>
<ignore>C:\WINDOWS/system32/CatRoot</ignore>
</syscheck>

<rootcheck>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
</rootcheck>

<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
<white_list>192.168.17.17</white_list>
<white_list>192.168.17.9</white_list>
<white_list>192.168.18.1</white_list>
</global>

<remote>
<connection>secure</connection>
</remote>

<alerts>
<log_alert_level>1</log_alert_level>
<email_alert_level>7</email_alert_level>
</alerts>

<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>

<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>

<command>
<name>disable-account</name>
<executable>disable-account.sh</executable>
<expect>user</expect>
<timeout_allowed>yes</timeout_allowed>
</command>

<command>
<name>restart-ossec</name>
<executable>restart-ossec.sh</executable>
<expect></expect>
</command>


<command>
<name>route-null</name>
<executable>route-null.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>

<!-- Files to monitor (localfiles) -->

<localfile>
<log_format>syslog</log_format>
<location>/var/log/auth.log</location>
</localfile>

<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog</location>
</localfile>

<localfile>
<log_format>syslog</log_format>
<location>/var/log/dpkg.log</location>
</localfile>

<localfile>
<log_format>apache</log_format>
<location>/var/log/nginx/access.log</location>
</localfile>

<localfile>
<log_format>apache</log_format>
<location>/var/log/nginx/error.log</location>
</localfile>

<localfile>
<log_format>apache</log_format>
<location>/var/log/apache2/error.log</location>
</localfile>

<localfile>
<log_format>command</log_format>
<command>df -h</command>
</localfile>

<localfile>
<log_format>full_command</log_format>
<command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
</localfile>

<localfile>
<log_format>full_command</log_format>
<command>last -n 5</command>
</localfile>
</ossec_config>

<ossec_config> <!-- rules global entry -->
<rules>
<!--<decoder>etc/decoder.xml</decoder>-->
<decoder_dir pattern=".xml$">etc/decoders.d</decoder_dir>
<include>rules_config.xml</include>
<!--
<include>pam_rules.xml</include>
<include>sshd_rules.xml</include>
<include>telnetd_rules.xml</include>
<include>syslog_rules.xml</include>
<include>arpwatch_rules.xml</include>
<include>symantec-av_rules.xml</include>
<include>symantec-ws_rules.xml</include>
<include>pix_rules.xml</include>
<include>named_rules.xml</include>
<include>smbd_rules.xml</include>
<include>vsftpd_rules.xml</include>
<include>pure-ftpd_rules.xml</include>
<include>proftpd_rules.xml</include>
<include>ms_ftpd_rules.xml</include>
<include>ftpd_rules.xml</include>
<include>hordeimp_rules.xml</include>
<include>roundcube_rules.xml</include>
<include>wordpress_rules.xml</include>
<include>cimserver_rules.xml</include>
<include>vpopmail_rules.xml</include>
<include>vmpop3d_rules.xml</include>
<include>courier_rules.xml</include>
<include>web_rules.xml</include>
<include>web_appsec_rules.xml</include>
<include>apache_rules.xml</include>
<include>nginx_rules.xml</include>
<include>php_rules.xml</include>
<include>mysql_rules.xml</include>
<include>postgresql_rules.xml</include>
<include>ids_rules.xml</include>
<include>squid_rules.xml</include>
<include>firewall_rules.xml</include>
<include>apparmor_rules.xml</include>
<include>cisco-ios_rules.xml</include>
<include>netscreenfw_rules.xml</include>
<include>sonicwall_rules.xml</include>
<include>postfix_rules.xml</include>
<include>sendmail_rules.xml</include>
<include>imapd_rules.xml</include>
<include>mailscanner_rules.xml</include>
<include>dovecot_rules.xml</include>
<include>ms-exchange_rules.xml</include>
<include>racoon_rules.xml</include>
<include>vpn_concentrator_rules.xml</include>
<include>spamd_rules.xml</include>
<include>msauth_rules.xml</include>
<include>mcafee_av_rules.xml</include>
<include>trend-osce_rules.xml</include>
<include>ms-se_rules.xml</include>
<include>zeus_rules.xml</include>
<include>solaris_bsm_rules.xml</include>
<include>vmware_rules.xml</include>
<include>ms_dhcp_rules.xml</include>
<include>asterisk_rules.xml</include>
<include>ossec_rules.xml</include>
<include>attack_rules.xml</include>
<include>openbsd_rules.xml</include>
<include>clam_av_rules.xml</include>
<include>dropbear_rules.xml</include>
<include>sysmon_rules.xml</include>
<include>opensmtpd_rules.xml</include>
-->
<rule_dir pattern=".xml$">rules/rules.d</rule_dir>
<!--<include>local_rules.xml</include>-->
</rules>
</ossec_config> <!-- rules global entry -->

local_rules.xml:
<!-- @(#) $Id: ./etc/rules/local_rules.xml, 2011/09/08 dcid Exp $

- Example of local rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
- All rights reserved.
-
- This program is a free software; you can redistribute it
- and/or modify it under the terms of the GNU General Public
- License (version 2) as published by the FSF - Free Software
- Foundation.
-
- License details: http://www.ossec.net/en/licensing.html
-->


<!-- Modify it at your will. -->

<group name="local,syslog,">

<!-- Note that rule id 5711 is defined at the ssh_rules file
- as a ssh failed login. This is just an example
- since ip 1.1.1.1 shouldn't be used anywhere.
- Level 0 means ignore.
-->
<rule id="100001" level="0">
<if_sid>5711</if_sid>
<srcip>1.1.1.1</srcip>
<description>Example of rule that will ignore sshd </description>
<description>failed logins from IP 1.1.1.1.</description>
</rule>


<!-- This example will ignore ssh failed logins for the user name XYZABC.
-->
<!--
<rule id="100020" level="0">
<if_sid>5711</if_sid>
<user>XYZABC</user>
<description>Example of rule that will ignore sshd </description>
<description>failed logins for user XYZABC.</description>
</rule>
-->


<!-- Specify here a list of rules to ignore. -->
<!--
<rule id="100030" level="0">
<if_sid>12345, 23456, xyz, abc</if_sid>
<description>List of rules to be ignored.</description>
</rule>
-->

<rule id="700007" level="10">
<match>^TEST TEST TEST</match>
<description>test test test</description>
<group>test,</group>
</rule>


<rule id="710001" level="0">
<program_name>^collectd</program_name>
<description>collectd collected.</description>
</rule>

<rule id="710002" level="0">
<if_sid>710001</if_sid>
<match>illegal attempt to update using time</match>
<description>Ignore collectd time issues.</description>
</rule>

<rule id="710003" level="0">
<if_sid>710001</if_sid>
<match>uc_update: Value too old: name</match>
<description>ignore collectd value error.</description>
</rule>

<rule id="711001" level="0">
<program_name>^nsd</program_name>
<description>nsd grouping.</description>
</rule>

<rule id="711002" level="0">
<if_sid>711001</if_sid>
<match>failed reading from </match>
<description>nsd connection failed.</description>
</rule>

<rule id="712001" level="0">
<program_name>^ngircd</program_name>
<description>ngircd grouping.</description>
</rule>

<rule id="712002" level="0">
<if_sid>712001</if_sid>
<match>Shutting down connection</match>
<description>ngircd shutting down connection.</description>
</rule>

<rule id="712003" level="0">
<if_sid>712001</if_sid>
<match>Client unregistered</match>
<description>ngircd client unregistered.</description>
</rule>

<rule id="1003" level="13" maxsize="4096" overwrite="yes">
<description>Non standard syslog message (size too large).</description>
</rule>
</group> <!-- SYSLOG,LOCAL -->
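A troubleshooting aid added here (example code, not OSSEC's or dan's): given an ossec.conf, the rule files and an alerts.log excerpt in the format dan posts later in the thread, it works out which alerts ossec-analysisd should have handed to ossec-maild and compares that with the "mail" flag the alerts.log header records. The rule 502 definition with alert_by_email is a constructed excerpt of the stock ossec_rules.xml; every other input is constructed from values in this thread.

```python
"""OSSEC email-alert troubleshooter: an added example for this thread, not
OSSEC's own code. An alert is mailed only when <email_notification> is "yes"
and the rule level is >= <email_alert_level> (default 7), unless the rule has
<options>alert_by_email</options> (always mailed) or no_email_alert (never).
alerts.log records that decision as the "mail" token after "** Alert ...:"."""
import re
import xml.etree.ElementTree as ET

# Constructed ossec.conf excerpt (dan's <global> and <alerts> settings).
OSSEC_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
  </global>
  <alerts>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>"""

# Constructed excerpt of the stock ossec_rules.xml: rule 502 is level 3 but has
# alert_by_email, which is why dan's "Ossec server started" alert is flagged mail.
STOCK_RULES = """<group name="syslog,ossec,">
  <rule id="502" level="3">
    <options>alert_by_email</options>
    <match>Ossec started</match>
    <description>Ossec server started.</description>
  </rule>
</group>"""

# Constructed local_rules.xml with the rule 554 override from the thread.
LOCAL_RULES = """<group name="local,syslog,">
  <rule id="554" level="10" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>"""

# Constructed alerts.log excerpt in the format dan posted.
ALERTS_LOG = """** Alert 1473171543.1836: mail - ossec,
2016 Sep 06 14:19:03 test2->ossec-monitord
Rule: 502 (level 3) -> 'Ossec server started.'
ossec: Ossec started.

** Alert 1473171599.1990: mail - local,syslog,syscheck,
2016 Sep 06 14:19:59 test2->syscheck
Rule: 554 (level 10) -> 'File added to the system.'
New file '/var/test/four' added to the file system.
"""

ALERT_HEADER = re.compile(r"^\*\* Alert (\d+\.\d+): (mail )?- (.*)$")
RULE_LINE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")

def load_email_policy(conf_xml):
    """Return (email_notification_enabled, email_alert_level) from ossec.conf."""
    root = ET.fromstring(conf_xml.strip())
    enabled, level = False, 7  # 7 is OSSEC's default email_alert_level
    for node in root.iter("email_notification"):
        enabled = (node.text or "").strip().lower() == "yes"
    for node in root.iter("email_alert_level"):
        level = int(node.text.strip())
    return enabled, level

def load_rules(*rule_files):
    """Map rule id -> (level, options) across rule files in load order. A later
    definition replaces an earlier one only with overwrite="yes", as the
    thread's 554 override does; other duplicates are rejected, not ignored."""
    rules = {}
    for xml_text in rule_files:
        for rule in ET.fromstring(xml_text.strip()).iter("rule"):
            rid = int(rule.get("id"))
            if rid in rules and rule.get("overwrite") != "yes":
                raise ValueError(f'rule {rid} redefined without overwrite="yes"')
            opts = {o.text.strip() for o in rule.findall("options") if o.text}
            rules[rid] = (int(rule.get("level")), opts)
    return rules

def should_email(level, options, enabled, email_alert_level):
    """Decide whether ossec-analysisd would hand this alert to ossec-maild."""
    if not enabled or "no_email_alert" in options:
        return False
    return "alert_by_email" in options or level >= email_alert_level

def parse_alerts(text):
    """Return (alert_id, rule_id, level, logged_mail_flag) per alerts.log entry."""
    alerts, current = [], None
    for line in text.splitlines():
        if header := ALERT_HEADER.match(line):
            current = [header.group(1), None, None, header.group(2) is not None]
            alerts.append(current)
        elif current is not None and (rule := RULE_LINE.match(line)):
            current[1], current[2] = int(rule.group(1)), int(rule.group(2))
    return [tuple(a) for a in alerts]

def audit(conf_xml, alerts_text, *rule_files):
    """Per alert: (alert_id, rule_id, expected_mail, logged_mail)."""
    enabled, email_level = load_email_policy(conf_xml)
    rules = load_rules(*rule_files)
    return [(aid, rid, should_email(lvl, rules.get(rid, (lvl, set()))[1],
                                    enabled, email_level), logged)
            for aid, rid, lvl, logged in parse_alerts(alerts_text)]
```

Run against the original poster's settings (rule 554 overwritten at level 7, default email_alert_level 7) it reports expected mail=True for the syscheck alert, which points the troubleshooting at SMTP delivery rather than at rule levels.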

Daiyue Weng

unread,
Sep 6, 2016, 9:47:55 AM9/6/16
to ossec...@googlegroups.com
what's the ossec version that you tested with, and how did you configure ossec.conf and local.xml?

I don't know which bit that I missed in the configuration.


dan (ddp)

unread,
Sep 6, 2016, 9:52:11 AM9/6/16
to ossec...@googlegroups.com
On Tue, Sep 6, 2016 at 9:47 AM, Daiyue Weng <daiyu...@gmail.com> wrote:
> whats the ossec version that you tested with, and how did you configure
> ossec.conf and local.xml?
>

All I've tested (in relation to this) is that agent_control did something.
I have in the past tested alert_new_files and realtime, but I can't
say I've tested them recently.

I'm working on this as fast as I can.

dan (ddp)

unread,
Sep 6, 2016, 10:38:15 AM9/6/16
to ossec...@googlegroups.com
On Tue, Sep 6, 2016 at 9:51 AM, dan (ddp) <ddp...@gmail.com> wrote:
> On Tue, Sep 6, 2016 at 9:47 AM, Daiyue Weng <daiyu...@gmail.com> wrote:
>> whats the ossec version that you tested with, and how did you configure
>> ossec.conf and local.xml?
>>
>

I have just tested this with OSSEC 2.8.3 on Ubuntu 14.whatever LTS. I
believe everything not shown below is at the defaults.

I added /var/test/four and kicked off a scan (restarted the OSSEC
processes because I modified rule 554):
####################################################

alerts.log:
** Alert 1473171543.1836: mail - ossec,
2016 Sep 06 14:19:03 test2->ossec-monitord
Rule: 502 (level 3) -> 'Ossec server started.'
ossec: Ossec started.

** Alert 1473171599.1990: mail - local,syslog,syscheck,
2016 Sep 06 14:19:59 test2->syscheck
Rule: 554 (level 10) -> 'File added to the system.'
New file '/var/test/four' added to the file system.

#####################################################

/var/ossec/queue/syscheck/syscheck:
+++0:33188:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709
!1473171599 /var/test/four

#####################################################

ossec.conf:
<syscheck>
<!-- Frequency that syscheck is executed - default to every 22 hours -->
<frequency>79200</frequency>
<alert_new_files>yes</alert_new_files>

<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/var/test</directories>

#####################################################

local_rules.xml:

<rule id="554" level="10" overwrite="yes">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to the system.</description>
<group>syscheck,</group>
</rule>

#####################################################

Adding realtime into the mix gives me:

#####################################################

ossec.conf:

<syscheck>
<!-- Frequency that syscheck is executed - default to every 22 hours -->
<frequency>79200</frequency>
<alert_new_files>yes</alert_new_files>

<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes" realtime="yes">/var/test</directories>

#####################################################

alerts.log:

** Alert 1473171866.2189: mail - ossec,
2016 Sep 06 14:24:26 test2->ossec-monitord
Rule: 502 (level 3) -> 'Ossec server started.'
ossec: Ossec started.

** Alert 1473171922.2343: mail - local,syslog,syscheck,
2016 Sep 06 14:25:22 test2->syscheck
Rule: 554 (level 10) -> 'File added to the system.'
New file '/var/test/five' added to the file system.

#####################################################

syscheck db:

+++0:33188:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709
!1473171922 /var/test/five

#####################################################
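A small cross-check of the two artifacts quoted above, added here as an example and not code from the thread or from OSSEC: it parses syscheck DB records and alerts.log entries and lists files that syscheck recorded as new but that never produced a rule 554 alert, which is the symptom being debugged. The sample records are constructed from the shapes shown above; the record layout, the rejoining of mail-wrapped DB lines and the use of 554 as the new-file rule are assumptions taken from this thread.

```python
import re
import stat
from collections import namedtuple
# Constructed sample input, shaped like the records quoted in the thread; /var/test/five
# is deliberately in the DB with no alert, to reproduce "recorded but never alerted".
SYSCHECK_DB = """\
+++0:33188:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709
!1473171599 /var/test/four
+++0:33188:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 !1473171922 /var/test/five
"""
ALERTS_LOG = """\
** Alert 1473171543.1836: mail - ossec,
2016 Sep 06 14:19:03 test2->ossec-monitord
Rule: 502 (level 3) -> 'Ossec server started.'
ossec: Ossec started.

** Alert 1473171599.1990: mail - local,syslog,syscheck,
2016 Sep 06 14:25:22 test2->syscheck
Rule: 554 (level 10) -> 'File added to the system.'
New file '/var/test/four' added to the file system.
"""
# DB record (as quoted above): <3 marker chars><size>:<perm>:<uid>:<gid>:<md5>:<sha1> !<time> <path>
DB_RECORD = re.compile(
    r"^[+-]{3}(?P<size>\d+):(?P<perm>\d+):(?P<uid>\d+):(?P<gid>\d+):"
    r"(?P<md5>[0-9a-f]{32}):(?P<sha1>[0-9a-f]{40}) +!(?P<time>\d+) +(?P<path>.+?)\s*$",
    re.MULTILINE)
RULE_LINE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$", re.M)
NEW_FILE = re.compile(r"^New file '(?P<path>.*)' added to the file system\.$", re.M)
NEW_FILE_RULE = 554  # the rule overwritten at level 10 in local_rules.xml above
DbRecord = namedtuple("DbRecord", "path time size mode md5 sha1")
Alert = namedtuple("Alert", "rule_id level description new_file")

def parse_syscheck_db(text):
    """Parse syscheck DB records; mode is st_mode decoded, e.g. 33188 -> '-rw-r--r--'."""
    # Mail clients wrap the record before "!<time>"; rejoin those lines first.
    joined = re.sub(r"\n(?=!\d)", " ", text)
    return [DbRecord(m["path"], int(m["time"]), int(m["size"]),
                     stat.filemode(int(m["perm"])), m["md5"], m["sha1"])
            for m in DB_RECORD.finditer(joined)]

def parse_alerts(text):
    # One Alert per blank-line-separated alerts.log block that carries a "Rule:" line.
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rule = RULE_LINE.search(block)
        if rule:
            nf = NEW_FILE.search(block)
            alerts.append(Alert(int(rule["id"]), int(rule["level"]),
                                rule["desc"], nf["path"] if nf else None))
    return alerts

def unalerted_new_files(db_text, alerts_text):
    """Paths syscheck recorded as new for which no rule-554 alert fired."""
    alerted = {a.new_file for a in parse_alerts(alerts_text)
               if a.rule_id == NEW_FILE_RULE and a.new_file}
    return [r.path for r in parse_syscheck_db(db_text) if r.path not in alerted]
```

Run it against a real /var/ossec/queue/syscheck/syscheck and alerts.log to see which new files syscheck saw but the rules never turned into an alert.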

Daiyue Weng

unread,
Sep 7, 2016, 4:38:10 AM9/7/16
to ossec...@googlegroups.com
Hi, it seems that alerts.log will only show files being deleted in /home/user_name, very strange.

I will just have to uninstall ossec-local, and install ossec-server and ossec-agent.

Any proper way to uninstall ossec?

cheers


dan (ddp)

unread,
Sep 7, 2016, 7:35:06 AM9/7/16
to ossec...@googlegroups.com

On Sep 7, 2016 4:38 AM, "Daiyue Weng" <daiyu...@gmail.com> wrote:
>
> Hi, it seems that alerts.log will only show files being deleted in /home/user_name, very strange.
>
> I will just have to uninstall ossec-local, and install ossec-server and ossec-agent.
>
> Any proper way to uninstall ossec?
>

Stop the processes and then rm -rf
