Integrity Checking Issue on Windows Server 2012 R2 with OSSEC 2.8.3

183 views
Skip to first unread message

Keith

unread,
Nov 11, 2016, 10:41:13 AM11/11/16
to ossec-list
I have a new OSSEC install on a 2012r2 box and have set up on directory I need to monitor in realtime for any changes or modifications to this one specific folder. It does not  appear to be working so any suggestions on this would be appreciated. Here is the config from the client side 2012r2 server:

    <directories check_all="yes" realtime="yes" report_changes="yes">C:\LIS_Global_Import</directories>

Once I added this, I restarted the agent then forced the updated on the server side:

# ./agent_control -r -u 019

I added to files into the directory being monitored and nothing, no alert, no email, nada..

# ./syscheck_control -i 019

Integrity changes for agent 'xxxxxx (019) - x.x.x.x':

Changes for 2016 Nov 11:
2016 Nov 11 09:55:39,0 - ossec.conf
2016 Nov 11 10:08:58,0 - ossec.conf
2016 Nov 11 10:15:46,2 - ossec.conf

dan (ddp)

unread,
Nov 11, 2016, 10:49:49 AM11/11/16
to ossec...@googlegroups.com
Are the files in question in the syscheck db
(/var/ossec/queue/syscheck/something identifying the agent) on the
OSSEC server?
Were there baseline hashes in the database for those files before you
modified them?
Had realtime initialized before you made the changes? Look in
ossec.log on the agent

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

Victor Fernandez

unread,
Nov 11, 2016, 11:03:10 AM11/11/16
to ossec...@googlegroups.com
Hi Keith,

unfortunately, unlike the Linux version, OSSEC for Windows doesn't support new file monitoring in real-time. But you'll get alerted about modified and removed files.

When a complete Syscheck is performed, it will notify the new files to the manager and from that moment on the agent will follow those files in real-time.

You may test it using this experimental configuration in your agent (and then restarting it):

<syscheck>
  <frequency>300</frequency> 
...
  <directories> ... </directories>
</syscheck>

300 seconds (5 minutes) is the minimum reasonable frequency since real-time monitoring stages are of 300 seconds in Windows. After that, OSSEC will perform a 20 seconds sleeping and re-run the Syscheck scan. At that moment the manager will receive the new files in the monitored folders.

Hope it helps.

Best regards,
Victor.



> For more options, visit https://groups.google.com/d/optout.

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscribe@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.



--
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.
Reply all
Reply to author
Forward
0 new messages