Agent Duplicate Folders Message


Kernel Panic

Oct 12, 2016, 4:49:04 PM
to ossec-list
Hi there guys,

When starting the agent I get this info:

Starting ossec-hids: 2016/10/12 15:43:05 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: '/root'.
2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''.
2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''.
2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''.
2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''.
2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''.
2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: '/etc'.
2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: '/bin'.

2016/10/12 15:43:11 ossec-syscheckd: INFO: Monitoring directory: ''.

This is what I configured:

<!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin</directories>
    <directories realtime="yes" check_all="yes">/root,/home,/etc</directories>
    <directories report_changes="yes"></directories>
    <directories check_sum="yes"></directories>
    <directories check_size="yes"></directories>
    <directories check_owner="yes"></directories>
    <directories check_group="yes"></directories>
    <directories check_perm="yes"></directories>

Where is that data duplicated? I noticed that under the shared directory there is an agent.conf which contains

 <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

Is that configuration file taken into account? If I remove it, it's created once again.

Thank you for your time and support
Regards



dan (ddp)

Oct 12, 2016, 7:19:08 PM
to ossec...@googlegroups.com

On Oct 12, 2016 4:49 PM, "Kernel Panic" <netwar...@gmail.com> wrote:
>
> Hi there guys,
>
> When starting the agent I get this info:
>
> Starting ossec-hids: 2016/10/12 15:43:05 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
> 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: '/root'.
> 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''.
> 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''.
> 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''.
> 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''.
> 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: ''.
> 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: '/etc'.
> 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated directory given: '/bin'.
>
> 2016/10/12 15:43:11 ossec-syscheckd: INFO: Monitoring directory: ''.
>
> This is what I configured:
>
> <!-- Directories to check  (perform all possible verifications) -->
>     <directories check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin</directories>
>     <directories realtime="yes" check_all="yes">/root,/home,/etc</directories>

You have "/root" in both of the above entries.

>     <directories report_changes="yes"></directories>
>     <directories check_sum="yes"></directories>

Why do you have all of these empty entries? They're not checking anything, I'm actually a little surprised they didn't cause more problems.

>     <directories check_size="yes"></directories>
>     <directories check_owner="yes"></directories>
>     <directories check_group="yes"></directories>
>     <directories check_perm="yes"></directories>
>
> Where is that data duplicated? I noticed that under the shared directory there is an agent.conf which contains
>
>  <!-- Directories to check  (perform all possible verifications) -->
>     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>     <directories check_all="yes">/bin,/sbin</directories>
>
> Is that configuration file taken into account? If I remove it, it's created once again.
>

Yes, that file also provides configuration. It's provided by the OSSEC server.

> Thank you for your time and support
> Regards
>
>
>


Kernel Panic

Oct 13, 2016, 8:41:51 AM
to ossec-list
Hi
Ok, so, are those global variables? I thought I had to specify for every tag which directory I want that configuration to apply to; that's why I included root and home in both realtime and check_all.


<directories check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin</directories>
<directories realtime="yes" check_all="yes">/root,/home,/etc</directories>


So, I have to include the directories, right? Makes sense, my bad.

<directories report_changes="yes"></directories>
<directories check_sum="yes"></directories>
<directories check_size="yes"></directories>
<directories check_owner="yes"></directories>
<directories check_group="yes"></directories>
<directories check_perm="yes"></directories>


Thank you very much
Best Regards

Kernel Panic

Oct 13, 2016, 8:56:19 AM
to ossec-list
I'm confused

check_all=yes is equal to saying yes to check_sum, check_size, check_owner, check_group and check_perm, BUT what about report_changes? Do I have to configure report_changes individually?

Thanks

Regards



On Wednesday, October 12, 2016, 20:19:08 (UTC-3), dan (ddpbsd) wrote:

Kernel Panic

Oct 13, 2016, 8:59:42 AM
to ossec-list
Hi
Is this much better now? Is realtime a global option (realtime for all) or do I have to say on which directories I want realtime monitoring?


<!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin</directories>
    <directories realtime="yes" check_all="yes">/root,/home,/etc</directories>
    <directories report_changes="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin</directories>

Thank you very much for your patience.

Regards


On Wednesday, October 12, 2016, 20:19:08 (UTC-3), dan (ddpbsd) wrote:

Kernel Panic

Oct 13, 2016, 9:21:24 AM
to ossec-list

Hi
Let's see, shouldn't I have to configure on each tag which directory I want to apply it to? As in check_all, directories, realtime and which directories, or are they global parameters? That's why I included home and root in both of them.


<directories check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin</directories>

 <directories realtime="yes" check_all="yes">/root,/home,/etc</directories>


Thank you very much
Best Regards




On Wednesday, October 12, 2016, 20:19:08 (UTC-3), dan (ddpbsd) wrote:

dan (ddp)

Oct 13, 2016, 9:32:16 AM
to ossec...@googlegroups.com
On Thu, Oct 13, 2016 at 9:21 AM, Kernel Panic <netwar...@gmail.com> wrote:
>
> Hi
> Let's see, shouldn't I have to configure on each tag which directory I
> want to apply it to? As in check_all, directories, realtime and which
> directories, or are they global parameters? That's why I included home and
> root in both of them.
>


Each option applies to the directories configured in it.

> <directories
> check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin</directories>
>

This checks all of the hashes, owner, and permissions.

> <directories realtime="yes" check_all="yes">/root,/home,/etc</directories>
>

This does realtime checks of all of the above, and should produce an
error because the "/root," "/home," and "/etc" directories are
duplicated.
Duplication of directories can cause issues, so it's best not to do
it. The way to solve this is not to duplicate these directories in the
second configuration by not including them in the first.
For example:

<directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories>
<directories check_all="yes" realtime="yes">/root,/home,/etc</directories>

Now, if you want to add "report_changes" to /etc, you'll have to
remove it from the above configuration. You'll end up with:

<directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories>
<directories check_all="yes" realtime="yes">/root,/home</directories>
<directories check_all="yes" realtime="yes"
report_changes="yes">/etc</directories>
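As an added illustration of the per-entry semantics dan describes (not code from the thread or from OSSEC): a small Python linter that reads the <directories> entries from both the agent's ossec.conf and the server-pushed shared agent.conf, reports directories named in more than one entry and entries with an empty body, and then collapses them to one entry per option set. The two config fragments are constructed from the thread; the tag matching is a deliberately simple regex over the syscheck snippet, not a full XML parser.

```python
import re
from collections import defaultdict

# Constructed samples of the two files the thread discusses. Both contribute
# <directories> entries to the agent, so duplicates must be found across the pair.
OSSEC_CONF = """
<directories check_all="yes">/root,/home,/etc,/bin,/sbin,/usr/bin,/usr/sbin</directories>
<directories realtime="yes" check_all="yes">/root,/home,/etc</directories>
<directories report_changes="yes"></directories>
"""
AGENT_CONF = """
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
"""
SOURCES = {"ossec.conf": OSSEC_CONF, "agent.conf": AGENT_CONF}

DIR_RE = re.compile(r"<directories([^>]*)>(.*?)</directories>", re.S)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_directories(xml_text, source):
    """Yield (source, {option: value}, [paths]) per <directories> element.
    An empty body yields one empty path, mirroring the '' in the agent's error."""
    for attrs_str, body in DIR_RE.findall(xml_text):
        attrs = dict(ATTR_RE.findall(attrs_str))
        yield source, attrs, [p.strip() for p in body.split(",")]


def lint(sources):
    """Return (duplicates, empty_entries).
    duplicates maps path -> list of (source, attrs) entries naming it."""
    seen, empty = defaultdict(list), []
    for name, text in sources.items():
        for src, attrs, paths in parse_directories(text, name):
            for p in paths:
                (empty.append((src, attrs)) if p == "" else seen[p].append((src, attrs)))
    return {p: e for p, e in seen.items() if len(e) > 1}, empty


def merged_entries(sources):
    """Collapse to one entry per directory with the union of its options, then
    group directories sharing an option set, as in dan's suggested layout."""
    options = defaultdict(dict)
    for name, text in sources.items():
        for _, attrs, paths in parse_directories(text, name):
            for p in paths:
                if p:
                    options[p].update(attrs)
    groups = defaultdict(list)
    for p, attrs in options.items():
        groups[tuple(sorted(attrs.items()))].append(p)
    return ['<directories %s>%s</directories>' % (" ".join('%s="%s"' % kv for kv in key), ",".join(paths))
            for key, paths in sorted(groups.items())]


if __name__ == "__main__":
    dups, empties = lint(SOURCES)
    for path, entries in dups.items():
        print("duplicated:", path, "in", [src for src, _ in entries])
    print("empty entries:", len(empties))
    print("\n".join(merged_entries(SOURCES)))
```

Run it against a real pair of files by reading /var/ossec/etc/ossec.conf and /var/ossec/etc/shared/agent.conf into SOURCES; a commented-out <directories> block would still be matched by this simple regex.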

Kernel Panic

Oct 13, 2016, 10:06:25 AM
to ossec-list
Thank you very much for your clarification, now it's much clearer to me!!!

Regards

Kernel Panic

Oct 13, 2016, 1:09:03 PM
to ossec-list
Hi
Does this still apply?
I have this option enabled: <alert_new_files>yes</alert_new_files> along with the realtime=yes.

From another post on the list:
>In the past new files were not alerted in real time. I'm not sure if
>this has changed. Any of the developers know?


Another question: by reading this http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.global.html I can see that there are values that can be adjusted, for example host information, by default 8. How do I interpret that? The greater the number, the more verbose? I just made some modifications under /etc, created some files and modified others just to test, but still have no e-mail. I'm only getting an e-mail regarding a service log and nothing else. Which is the parameter to tell OSSEC to send all the issues?

Last question:
2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2016/10/13 11:10:35 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).

Which service is not started? The doc says the package inotify should be installed, and I have it: inotify-tools-3.13-2.el6.art.x86_64

Thank you very much!!

Regards




On Thursday, October 13, 2016, 10:32:16 (UTC-3), dan (ddpbsd) wrote:

dan (ddp)

Oct 13, 2016, 1:47:25 PM
to ossec...@googlegroups.com
On Thu, Oct 13, 2016 at 1:09 PM, Kernel Panic <netwar...@gmail.com> wrote:
> Hi
> Does this still apply?
> I have this option enabled: <alert_new_files>yes</alert_new_files> along
> with the realtime=yes.
>
> From another post on the list:
>>In the past new files were not alerted in real time. I'm not sure if
>>this has changed. Any of the developers know?
>

Was there a response to this post? I don't think it's changed, but I'm
sure I miss commits here and there.

>
> Another question: by reading this
> http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.global.html
> I can see that there are values that can be adjusted, for example host
> information, by default 8. How do I interpret that? The greater the number,
> the more verbose? I just made some modifications under /etc, created some files

That would be the alert level. It does not change verbosity, just the
level of the alert.

> and modified others just to test, but still have no e-mail. I'm only getting an
> e-mail regarding a service log and nothing else. Which is the parameter to
> tell OSSEC to send all the issues?
>

For the new file, you probably need a full syscheck scan for it to be picked up.
For the modified file, if it's already in the syscheck db, you should
be alerted relatively quickly (if realtime is enabled and currently
running).

Other than that, OSSEC should send all alerts.

> Last question:
> 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck scan
> (forwarding database).
> 2016/10/13 11:10:35 ossec-syscheckd: INFO: Starting syscheck database
> (pre-scan).
> 2016/10/13 11:10:35 ossec-syscheckd: INFO: Initializing real time file
> monitoring (not started).
>
> Which service is not started? The doc says the package inotify should be
> installed, and I have it: inotify-tools-3.13-2.el6.art.x86_64
>

That doesn't indicate that a service hasn't started, just that the
realtime feature hasn't started working yet.
There's a delay for realtime to start.

Kernel Panic

Oct 13, 2016, 4:49:13 PM
to ossec-list
Thank you!

Kernel Panic

Oct 14, 2016, 8:41:39 AM
to ossec-list
Hi there.
I'm still getting one alert e-mail (type 2) even though I modified/created some files under /etc. Am I missing something else in the configuration?
This is the server configuration.

<!-- OSSEC example config -->

<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>m...@company.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>oss...@server.com</email_from>
    <email_maxperhour>100</email_maxperhour>
    <logall>yes</logall>
    <memory_size>4096</memory_size>
   </global>


  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>arpwatch_rules.xml</include>
    <include>symantec-av_rules.xml</include>
    <include>symantec-ws_rules.xml</include>
    <include>pix_rules.xml</include>
    <include>named_rules.xml</include>
    <include>smbd_rules.xml</include>
    <include>vsftpd_rules.xml</include>
    <include>pure-ftpd_rules.xml</include>
    <include>proftpd_rules.xml</include>
    <include>ms_ftpd_rules.xml</include>
    <include>ftpd_rules.xml</include>
    <include>hordeimp_rules.xml</include>
    <include>roundcube_rules.xml</include>
    <include>wordpress_rules.xml</include>
    <include>cimserver_rules.xml</include>
    <include>vpopmail_rules.xml</include>
    <include>vmpop3d_rules.xml</include>
    <include>courier_rules.xml</include>
    <include>web_rules.xml</include>
    <include>web_appsec_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>nginx_rules.xml</include>
    <include>php_rules.xml</include>
    <include>mysql_rules.xml</include>
    <include>postgresql_rules.xml</include>
    <include>ids_rules.xml</include>
    <include>squid_rules.xml</include>
    <include>firewall_rules.xml</include>
    <include>cisco-ios_rules.xml</include>
    <include>netscreenfw_rules.xml</include>
    <include>sonicwall_rules.xml</include>
    <include>postfix_rules.xml</include>
    <include>sendmail_rules.xml</include>
    <include>imapd_rules.xml</include>
    <include>mailscanner_rules.xml</include>
    <include>dovecot_rules.xml</include>
    <include>ms-exchange_rules.xml</include>
    <include>racoon_rules.xml</include>
    <include>vpn_concentrator_rules.xml</include>
    <include>spamd_rules.xml</include>
    <include>msauth_rules.xml</include>
    <include>mcafee_av_rules.xml</include>
    <include>trend-osce_rules.xml</include>
    <include>ms-se_rules.xml</include>
    <!-- <include>policy_rules.xml</include> -->
    <include>zeus_rules.xml</include>
    <include>solaris_bsm_rules.xml</include>
    <include>vmware_rules.xml</include>
    <include>ms_dhcp_rules.xml</include>
    <include>asterisk_rules.xml</include>
    <include>ossec_rules.xml</include>
    <include>attack_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>


  <syscheck>
    <!-- Frequency that syscheck is executed default every 20 hours -->
    <frequency>3600</frequency>
    <alert_new_files>yes</alert_new_files>


     <!-- Directories to check  (perform all possible verifications) -->
     <directories check_all="yes" realtime="yes" report_changes="yes">/boot,/etc,/root,/home,/bin,/sbin,/usr/bin,/usr/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
  </syscheck>

  <rootcheck>
    <frequency>3600</frequency>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <global>
    <white_list>127.0.0.1</white_list>
  </global>

  <remote>
    <connection>secure</connection>
  </remote>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>


  <!-- Active Response Config -->
  <active-response>
    <!-- This response is going to execute the host-deny
       - command for every event that fires a rule with
       - level (severity) >= 6.
       - The IP is going to be blocked for  600 seconds.
      -->
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <!-- Files to monitor (localfiles) -->

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/authlog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/xferlog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/www/logs/access_log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/www/logs/error_log</location>
  </localfile>

     <reports>
        <!--
        Reports options here
        -->
     <title>ZEBRA OSSEC Security Report For The Masses</title>
    </reports>


</ossec_config>



Thanks for your patience.

Kernel Panic

Oct 14, 2016, 8:55:00 AM
to ossec-list
Taking a look in /var/ossec/logs/alerts I can see there are lots of things registered, not related to the files I modified but to ssh login failures, sudo stuff and the like, but I never get an e-mail with that report.

Thank you very much for your time and support
Regards

dan (ddp)

Oct 14, 2016, 9:26:53 AM
to ossec...@googlegroups.com
On Fri, Oct 14, 2016 at 8:55 AM, Kernel Panic <netwar...@gmail.com> wrote:
> Taking a look in /var/ossec/logs/alerts I can see there are lots of things
> registered, not related to the files I modified but to ssh login
> failures, sudo stuff and the like, but I never get an e-mail with that report.
>

Are the files in the syscheck db (/var/ossec/queue/syscheck/something)?
Do you have alert_new_files turned on in the OSSEC server's ossec.conf?
Did you modify the rule that alerts on new files to raise the level to
something greater than 0?
Did you restart the OSSEC processes on the OSSEC server after making
these changes?

Kernel Panic

Oct 14, 2016, 3:43:02 PM
to ossec-list
The server I'm using for testing went down; as soon as I get it back I'm going to review it.

Thank you very much for your help, really appreciated
Regards