Windows syscheck frequency


Hans Lakhan

May 1, 2007, 1:11:57 PM
to ossec...@googlegroups.com
First of all, thank you for such an awesome product.  It takes a lot of work to produce what your team has. Your work is greatly appreciated.  Pleasantries aside, I do have a question regarding the windows agent.  I'm using WinXP pro, sp2, ossec version v1.1.

The agent is able to successfully send information back to our server, and I'm able to receive event logs, agent connection/disconnection notifications, syscheck and syscheck-registry updates.  I do notice that when I start the windows agent, it'll generate the syscheck database along with the registry database.  The issue I have is when it comes to getting the syscheck to scan the system every 3600 seconds or 1 hour after being started.  I'll notice that the client side syscheck database will update periodically, but not every 3600s. I have read the other messages saying that 1 hour is the minimum.  Below is a posted copy of my windows agent config.  Notice how I'm scanning the entire drive.

Additionally, I have "check_new_files" set to yes.  I read that in version 1.0, you had to have this set on the server.  I also read that it was planned to move it to the client.  Has this been done? I put it on both the agent and the server just to be sure.  Additionally, I am currently running a script that will generate a new file every 100 minutes, and update that file every 5 minutes. I'll attach that for detail (however, it's working just fine).  Finally I'll attach the agent log information.  Hopefully this is enough for someone to find the problem.

Any help would be appreciated, and again, thanks for making a great application.
~Hans

P.S.

What do the percentages mean in the agent log?

2007/05/01 10:35:36 ossec-agent: Event count after '20000': 4025479->3349304 (83%)
2007/05/01 10:47:45 ossec-agent: Event count after '20000': 4463571->3811088 (85%)

===================================================================
<ossec_config>
  <client>
    <!-- IP address of the Ossec HIDS server -->
    <server-ip>10.0.0.1</server-ip>
  </client>

  <!-- One entry for each file to monitor -->
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>

<!-- Default syscheck config -->
<ossec_config>

<syscheck>   
<frequency>3600</frequency>   
<directories check_all="yes" check_sum="yes" check_size="yes" check_owner="yes" check_group="yes" check_perm="yes">C:\</directories>
<alert_new_files>yes</alert_new_files>
<auto_ignore>no</auto_ignore>
<ignore>C:\/Documents and Settings</ignore>
<ignore>C:\/WINDOWS/system32/dllcache</ignore>
<ignore>C:\/WINDOWS/system32/CCM/Cache</ignore>
<ignore>C:\/WINDOWS/System32/LogFiles</ignore>   
<ignore>C:\/WINDOWS/system32/wbem/Logs</ignore>   
<ignore>C:\/WINDOWS/Prefetch</ignore>   
<ignore>C:\/WINDOWS/Debug</ignore>   
<ignore>C:\/WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>   
<ignore>C:\/WINDOWS/SoftwareDistribution</ignore>   
<ignore>C:\/WINDOWS/Temp</ignore>   
<ignore>C:\/WINDOWS/SchedLgU.Txt</ignore>  
<ignore>C:\/WINDOWS/system32/config</ignore>  
<ignore>C:\/WINDOWS/system32/CatRoot</ignore>   
<ignore>C:\/WINDOWS/system32/wbem/Repository</ignore>   
<ignore>C:\/WINDOWS/LastGood.Tmp</ignore>   
<ignore>C:\/WINDOWS/LastGood</ignore>   
<ignore>C:\/WINDOWS/Help</ignore>  
<ignore>C:\/WINDOWS/Fonts</ignore>  
<ignore>C:\/WINDOWS/PCHEALTH</ignore>  
<ignore>C:\/WINDOWS/system32/dllcache</ignore>  
<ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$</ignore>
</syscheck>
</ossec_config>

<!-- Syscheck registry config -->
<ossec_config> 
<syscheck>   
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes</windows_registry>  
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft</windows_registry> 
<windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry> 
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control</windows_registry> 
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry> 
<windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
</syscheck>
</ossec_config>

<!-- Syscheck registry ignored entries (too big or change too often) -->

<ossec_config> 
<syscheck>   
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData</registry_ignore> 
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State</registry_ignore> 
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate</registry_ignore>   
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\RNG</registry_ignore>  
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\PchSvc</registry_ignore>  
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Dfrg</registry_ignore>  
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM</registry_ignore>   
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc</registry_ignore>  
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\DirectDraw</registry_ignore>  
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Direct3D</registry_ignore>  
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\COM3</registry_ignore>  
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Prefetcher</registry_ignore> 
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\Interface</registry_ignore>  
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\TypeLib</registry_ignore>  
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\MIME</registry_ignore>  
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\Software</registry_ignore>  
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\CLSID</registry_ignore>  
<registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore> 
<registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>  
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses</registry_ignore>  
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Watchdog</registry_ignore>  
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaCategories</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows</registry_ignore>  
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\hivelist</registry_ignore> 
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceCurrent</registry_ignore>  
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print</registry_ignore>   
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</registry_ignore> 
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog</registry_ignore>   
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Performance</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient</registry_ignore> 
<registry_ignore type="sregex">\Enum$</registry_ignore>
</syscheck>
</ossec_config>

============================================================

#!/usr/bin/perl
# Test-file generator used to exercise syscheck: every 5 minutes append a
# timestamp to C:\clock<N>.txt; after 20 appends (100 minutes) start a new file.
use strict;
use warnings;

my $cnt = 0;
while (1) {
    for my $i (0 .. 19) {
        sleep 300;    # 5 minutes between updates
        my $file = "C:\\clock$cnt.txt";
        open(my $fh, '>>', $file) or die "Failed to write to $file: $!";
        print $fh time(), "\n";
        close($fh);
    }
    $cnt++;           # next file every 100 minutes
}

==============================================================

2007/05/01 10:17:58 ossec-agent: Assigning counter for agent TestXPClient: '0:951'.
2007/05/01 10:17:58 ossec-agent: Assigning sender counter: 15:5245
2007/05/01 10:17:58 ossec-agent: Connecting to server (10.0.0.1:1514).
2007/05/01 10:17:58 ossec-agent: Starting syscheckd thread.
2007/05/01 10:17:58 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes'.
2007/05/01 10:17:58 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft'.
2007/05/01 10:17:58 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies'.
2007/05/01 10:17:58 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control'.
2007/05/01 10:17:58 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
2007/05/01 10:17:58 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security'.
2007/05/01 10:17:58 ossec-agent: Monitoring directory: 'C:\'.
2007/05/01 10:17:59 ossec-agent(4102): Connected to the server.
2007/05/01 10:17:59 ossec-agent(1951): Analyzing event log: 'Application'.
2007/05/01 10:18:00 ossec-agent(1951): Analyzing event log: 'Security'.
2007/05/01 10:18:06 ossec-agent(1951): Analyzing event log: 'System'.
2007/05/01 10:18:07 ossec-agent: Started (pid: 1556).
2007/05/01 10:35:36 ossec-agent: Event count after '20000': 4025479->3349304 (83%)
2007/05/01 10:47:45 ossec-agent: Event count after '20000': 4463571->3811088 (85%)

--
No trees were harmed in the creation or sending of this email, however millions of electrons were terribly inconvenienced.

Rob

May 1, 2007, 2:53:38 PM
to ossec...@googlegroups.com
I am having that problem as well.  I get events but not on files that I've purposely added to a checked directory.

2007/05/01 10:17:58 ossec-agent: Connecting to server ( 10.0.0.1:1514).

Daniel Cid

May 1, 2007, 8:22:32 PM
to ossec...@googlegroups.com, Hans Lakhan
Hi Hans,

The issue with syscheck frequency is that it will wait X seconds (in your case 3,600) after the previous scan was completed before doing a new one. It is not every 3,600 seconds. Since you are scanning the whole system, it can take up to 30 minutes to finish the scan (so as not to kill your CPU).

http://www.ossec.net/wiki/index.php/Know_How:Syscheck_Perf

Regarding new files being added, you will need to wait at least one day before they start to show up (default behavior to avoid alerting before the file database was fully sent to the server). However, if you want to speed things a bit you can go to /var/ossec/queue/syscheck on your server and create a ".cpt" file for your agent.

# ls -la /var/ossec/queue/syscheck/
(win64-1) 192.168.2.0->syscheck
.(win64-1) 192.168.2.0->syscheck.cpt

Basically the first file is the database itself and the second one is the flag saying that the database is completed...

If you want more flexibility with syscheck, check out the following beta packages:

http://www.ossec.net/files/snapshots/ossec-hids-070501.tar.gz
http://www.ossec.net/files/snapshots/ossec-win32-070430.exe

We moved syscheck alerting into the rules, so you can create granular configurations based on the agents, etc...


> 2007/05/01 10:35:36 ossec-agent: Event count after '20000': 4025479->3349304 (83%)
> 2007/05/01 10:47:45 ossec-agent: Event count after '20000': 4463571->3811088 (85%)

They are just informational messages indicating the amount of compression that is being done (in your case 8x%).

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 5/1/07, Hans Lakhan <jars...@gmail.com> wrote:
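The ".cpt" step from Daniel's reply as a small POSIX shell helper (an added example, not OSSEC's own code or Daniel's). It assumes the layout in his listing: the database is "<agent> <ip>->syscheck" in the queue directory and the flag is the same name with a leading dot and a ".cpt" suffix; QUEUE_DIR, cpt_flag_path and mark_syscheck_complete are names chosen here. It refuses to flag a database the server has not received yet and is safe to rerun.

```shell
#!/bin/sh
# Mark an agent's syscheck database as complete so new-file alerts start
# without the one-day wait. Assumption (example, not OSSEC's code): flag
# name = "." + database file name + ".cpt", as in the listing above.
QUEUE_DIR="${QUEUE_DIR:-/var/ossec/queue/syscheck}"

cpt_flag_path() {
    # $1 = queue dir, $2 = database file name -> path of the .cpt flag.
    printf '%s/.%s.cpt\n' "$1" "$2"
}

mark_syscheck_complete() {
    # $1 = queue dir, $2 = database file name (may contain spaces and
    # parentheses, so every expansion is quoted). Returns 0 when the flag
    # exists afterwards, 1 when the database file itself is missing: never
    # create a flag for a database the server has not received yet.
    dir=$1
    db=$2
    [ -f "$dir/$db" ] || { echo "no database '$db' in $dir" >&2; return 1; }
    flag=$(cpt_flag_path "$dir" "$db")
    [ -e "$flag" ] && { echo "already flagged: $flag"; return 0; }
    : > "$flag"
    echo "created $flag"
}

# Usage: QUEUE_DIR=/var/ossec/queue/syscheck ./mark_cpt.sh '(win64-1) 192.168.2.0->syscheck'
if [ "$#" -eq 1 ]; then
    mark_syscheck_complete "$QUEUE_DIR" "$1"
fi
```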
