Hello all. I'm having a bit of difficulty with ossec and I haven't been able to find the issue. For some reason, when I run touch /etc/testfile.txt, an entry for a file creation event doesn't appear in alerts.json like, as far as I know, it is supposed to. I've made sure syscheckd is running, added an entry to local_rules.xml for a file added event, made sure I was adding in a watched directory, added another directory and tried there to be thorough, and still nothing. I'm at a loss as to why. Can anyone here offer any insight? As per the ossec troubleshooting page, I'll include the contents of a number of files and commands here.
/var/ossec/bin/ossec-analysisd -V: OSSEC v4.3.0 - Atomicorp Inc.
/etc/ossec-init.conf:
DIRECTORY="/var/ossec"
VERSION="4.3.0"
DATE="Wed Feb 17 12:19:51 EST 2021"
TYPE="server"
/var/ossec/etc/ossec.conf:
<ossec_config>
<global>
<email_notification>no</email_notification>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
<white_list>10.0.0.2</white_list>
<logall>no</logall>
<jsonout_output>yes</jsonout_output>
<geoipdb>/usr/share/GeoIP/GeoLiteCity.dat</geoipdb>
</global>
<syscheck>
<auto_ignore>no</auto_ignore>
<alert_new_files>yes</alert_new_files>
<frequency>86400</frequency>
<directories realtime="yes" check_all="yes" whodata="yes" report_changes="yes">/etc</directories>
<directories realtime="yes" check_all="yes" report_changes="yes">/home/mdavis</directories>
<directories realtime="yes" check_all="yes" report_changes="yes">/var/ossec/active-response</directories>
<directories realtime="yes" check_all="yes" report_changes="yes">/var/ossec/etc</directories>
<directories realtime="yes" check_all="yes" report_changes="yes">/var/ossec/agentless</directories>
<directories realtime="yes" check_all="yes" report_changes="yes">/bin</directories>
<directories realtime="yes" check_all="yes" report_changes="yes">/lib</directories>
<directories realtime="yes" check_all="yes" report_changes="yes">/lib64</directories>
<directories realtime="yes" check_all="yes" report_changes="yes">/opt</directories>
<directories realtime="yes" check_all="yes" report_changes="yes">/sbin</directories>
<directories realtime="yes" check_all="yes" report_changes="yes">/usr/bin</directories>
<directories realtime="yes" check_all="yes" report_changes="yes">/usr/lib</directories>
<directories realtime="yes" check_all="yes" report_changes="yes">/usr/lib64</directories>
<directories realtime="yes" check_all="yes" report_changes="yes">/usr/local/bin</directories>
<directories realtime="yes" check_all="yes" report_changes="yes">/usr/local/lib</directories>
<directories realtime="yes" check_all="yes" report_changes="yes">/usr/local/sbin</directories>
<ignore>/etc/asl/VERSION</ignore>
<ignore>/var/awp/etc/VERSION</ignore>
<ignore>/etc/asl/aslw_aum.log</ignore>
<ignore>/var/awp/etc/aum.log</ignore>
<ignore>/etc/asl/DTC</ignore>
<ignore>/var/awp/etc/DTC</ignore>
<ignore>/etc/asl/whitelist</ignore>
<ignore>/var/awp/etc/whitelist</ignore>
<ignore>/var/awp/etc/whitelist.json</ignore>
<ignore>/etc/asl/config</ignore>
<ignore>/var/awp/etc/config</ignore>
<ignore>/var/awp/etc/config.json</ignore>
<ignore>/etc/asl/rules</ignore>
<ignore>/var/awp/etc/rules.json</ignore>
<ignore>/etc/asl/system.properties</ignore>
<ignore>/var/awp/etc/system.properties</ignore>
<ignore>/etc/mtab</ignore>
<ignore>/var/tmp</ignore>
<ignore>/var/ossec/queue</ignore>
<ignore>/var/ossec/logs</ignore>
<ignore>/var/ossec/stats</ignore>
<ignore>/var/ossec/var</ignore>
<ignore>/var/ossec/etc/rules.d</ignore>
<ignore>/var/ossec/etc/shared</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/grsec/learning.logs</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/httpd/modsecurity.d/</ignore>
<ignore>/etc/httpd/logs/</ignore>
<ignore>/etc/httpd/domlogs/</ignore>
<ignore>/etc/vfilters</ignore>
<ignore>/var/ossec/bin/.process_list</ignore>
<ignore>/usr/local/psa/handlers.default</ignore>
<ignore>/usr/local/psa/admin/logs/</ignore>
<ignore>/etc/mail/spamassassin/bayes/</ignore>
<ignore>/etc/webmin/virtual-server/</ignore>
<ignore>/usr/local/atmail/calendarserver/server/logs/</ignore>
<ignore>/etc/mail/spamassassin/.razor</ignore>
<ignore>/etc/relayhostusers</ignore>
<ignore>/etc/relayhosts</ignore>
<ignore>/etc/eximpopbeforesmtpwarning</ignore>
<ignore>/etc/prelink.cache</ignore>
<ignore>/etc/csf/stats/</ignore>
<ignore>/etc/webmin</ignore>
<ignore>/etc/dcc/log</ignore>
<ignore>/etc/dcc/map</ignore>
<ignore>/usr/local/psa/var/cgitory</ignore>
<ignore>/usr/libexec/aqueduct</ignore>
<ignore>/etc/portsentry/portsentry.history</ignore>
<ignore>/var/ossec/active-response/ossec-hids-responses.log</ignore>
<ignore>/etc/snmp/error_log</ignore>
<ignore>/var/ossec/etc/</ignore>
<ignore>/usr/src/</ignore>
<ignore>/usr/local/src/</ignore>
<ignore>/usr/lib/observium_agent/local/error_log</ignore>
<ignore>/etc/recent_recipient_mail_server_ips</ignore>
<ignore>/etc/named.conf.zonedir.cache</ignore>
<ignore>/etc/recent_authed_mail_ips</ignore>
<ignore>/etc/recent_authed_mail_ips_users</ignore>
<ignore>/etc/magicspam/db</ignore>
<ignore>/var/ossec/tmp</ignore>
<ignore>/etc/letsencrypt/.certbot.lock</ignore>
<ignore>/opt/dell/srvadmin/var/lib/openmanage/log</ignore>
<ignore>/opt/dell/srvadmin/var/log</ignore>
<ignore>/opt/dell/srvadmin/var/log/openmanage/install.log</ignore>
<ignore>/opt/dell/srvadmin/var/log/openmanage/ssclp.log</ignore>
<ignore>/opt/nimsoft/probles/service/hdb/hdb.log</ignore>
<ignore>/opt/nimsoft/probes/system/cdm/_cdm.log</ignore>
<ignore>/opt/nimsoft/probes/system/cdm/cdm.log</ignore>
<ignore>/opt/nimsoft/robot/controller.log</ignore>
<ignore>/opt/nimsoft/robot/spooler.log</ignore>
<ignore>/opt/nimsoft/robot/nimbus.log</ignore>
<ignore>/opt/nimsoft/robot/_spooler.log</ignore>
<ignore>/opt/nimsoft/robot/_controller.log</ignore>
</syscheck>
<command>
<name>awp-tracking</name>
<executable>awp-sync.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>ar-tracking</name>
<executable>ar-tracking.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>self-healing-17502</name>
<executable>self-healing-17502</executable>
<expect></expect>
<timeout_allowed>no</timeout_allowed>
</command>
<command>
<name>self-healing-17503</name>
<executable>self-healing-17503</executable>
<expect></expect>
<timeout_allowed>no</timeout_allowed>
</command>
<command>
<name>self-healing-30300</name>
<executable>self-healing-30300</executable>
<expect></expect>
<timeout_allowed>no</timeout_allowed>
</command>
<command>
<name>self-healing-30302</name>
<executable>self-healing-30302</executable>
<expect></expect>
<timeout_allowed>no</timeout_allowed>
</command>
<command>
<name>self-healing-52575</name>
<executable>self-healing-52575</executable>
<expect></expect>
<timeout_allowed>no</timeout_allowed>
</command>
<command>
<name>self-healing-60912</name>
<executable>self-healing-60912</executable>
<expect></expect>
<timeout_allowed>no</timeout_allowed>
</command>
<command>
<name>self-healing-60914</name>
<executable>self-healing-60914</executable>
<expect></expect>
<timeout_allowed>no</timeout_allowed>
</command>
<command>
<name>self-healing-52576</name>
<executable>self-healing-52576</executable>
<expect></expect>
<timeout_allowed>no</timeout_allowed>
</command>
<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>OSSEC_SHUN_ENABLE_TIMEOUT</timeout_allowed>
</command>
<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>OSSEC_SHUN_ENABLE_TIMEOUT</timeout_allowed>
</command>
<command>
<name>cloudflare-ban</name>
<executable>cloudflare-ban.sh</executable>
<expect>srcip</expect>
<timeout_allowed>OSSEC_SHUN_ENABLE_TIMEOUT</timeout_allowed>
</command>
<command>
<name>firewall-drop</name>
<executable>asl-firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>OSSEC_SHUN_ENABLE_TIMEOUT</timeout_allowed>
</command>
<command>
<name>awp-tracking</name>
<executable>awp-sync.sh</executable>
<expect>srcip</expect>
<timeout_allowed>OSSEC_SHUN_ENABLE_TIMEOUT</timeout_allowed>
</command>
<command>
<name>ar-tracking</name>
<executable>ar-tracking.sh</executable>
<expect>srcip</expect>
<timeout_allowed>OSSEC_SHUN_ENABLE_TIMEOUT</timeout_allowed>
</command>
<command>
<name>zabbix-alert</name>
<executable>zabbix-alert.sh</executable>
<expect>srcip</expect>
<timeout_allowed>no</timeout_allowed>
</command>
<command>
<name>self-healing-17502</name>
<executable>self-healing-17502</executable>
<expect>srcip</expect>
<timeout_allowed>no</timeout_allowed>
</command>
<command>
<name>self-healing-17503</name>
<executable>self-healing-17503</executable>
<expect>srcip</expect>
<timeout_allowed>no</timeout_allowed>
</command>
<command>
<name>self-healing-30300</name>
<executable>self-healing-30300</executable>
<expect>srcip</expect>
<timeout_allowed>no</timeout_allowed>
</command>
<command>
<name>self-healing-30302</name>
<executable>self-healing-30302</executable>
<expect>srcip</expect>
<timeout_allowed>no</timeout_allowed>
</command>
<command>
<name>self-healing-52575</name>
<executable>self-healing-52575</executable>
<expect>srcip</expect>
<timeout_allowed>no</timeout_allowed>
</command>
<command>
<name>self-healing-60912</name>
<executable>self-healing-60912</executable>
<expect>srcip</expect>
<timeout_allowed>no</timeout_allowed>
</command>
<command>
<name>self-healing-60914</name>
<executable>self-healing-60914</executable>
<expect>srcip</expect>
<timeout_allowed>no</timeout_allowed>
</command>
<command>
<name>self-healing-52576</name>
<executable>self-healing-52576</executable>
<expect>srcip</expect>
<timeout_allowed>no</timeout_allowed>
</command>
<active-response>
<command>awp-tracking</command>
<location>local</location>
<timeout>600</timeout>
<level>6</level>
</active-response>
<active-response>
<command>ar-tracking</command>
<location>local</location>
<timeout>600</timeout>
<level>6</level>
</active-response>
<active-response>
<command>self-healing-17502</command>
<location>local</location>
<rules_id>17502</rules_id>
</active-response>
<active-response>
<command>self-healing-17503</command>
<location>local</location>
<rules_id>17503</rules_id>
</active-response>
<active-response>
<command>self-healing-30300</command>
<location>local</location>
<rules_id>30300</rules_id>
<rules_id>30301</rules_id>
</active-response>
<active-response>
<command>self-healing-30302</command>
<location>local</location>
<rules_id>30302</rules_id>
</active-response>
<active-response>
<command>self-healing-52575</command>
<location>local</location>
<rules_id>52575</rules_id>
</active-response>
<active-response>
<command>self-healing-60912</command>
<location>local</location>
<rules_id>60912</rules_id>
</active-response>
<active-response>
<command>self-healing-60914</command>
<location>local</location>
<rules_id>60914</rules_id>
</active-response>
<active-response>
<command>self-healing-52576</command>
<location>local</location>
<rules_id>52576</rules_id>
</active-response>
<active-response>
<command>host-deny</command>
<location>local</location>
</active-response>
<active-response>
<command>host-deny</command>
<location>local</location>
</active-response>
<active-response>
<command>cloudflare-ban</command>
<location>local</location>
</active-response>
<active-response>
<command>firewall-drop</command>
<location>local</location>
</active-response>
<active-response>
<command>awp-tracking</command>
<location>local</location>
</active-response>
<active-response>
<command>ar-tracking</command>
<location>local</location>
</active-response>
<active-response>
<command>zabbix-alert</command>
<location>local</location>
</active-response>
<active-response>
<command>self-healing-17502</command>
<location>local</location>
<rules_id>17502</rules_id>
</active-response>
<active-response>
<command>self-healing-17503</command>
<location>local</location>
<rules_id>17503</rules_id>
</active-response>
<active-response>
<command>self-healing-30300</command>
<location>local</location>
<rules_id>30300</rules_id>
<rules_id>30301</rules_id>
</active-response>
<active-response>
<command>self-healing-30302</command>
<location>local</location>
<rules_id>30302</rules_id>
</active-response>
<active-response>
<command>self-healing-52575</command>
<location>local</location>
<rules_id>52575</rules_id>
</active-response>
<active-response>
<command>self-healing-60912</command>
<location>local</location>
<rules_id>60912</rules_id>
</active-response>
<active-response>
<command>self-healing-60914</command>
<location>local</location>
<rules_id>60914</rules_id>
</active-response>
<active-response>
<command>self-healing-52576</command>
<location>local</location>
<rules_id>52576</rules_id>
</active-response>
<alerts>
<log_alert_level>1</log_alert_level>
<email_alert_level>7</email_alert_level>
</alerts>
<auth>
<disabled>yes</disabled>
<port>1515</port>
<use_source_ip>no</use_source_ip>
<force_insert>yes</force_insert>
<force_time>0</force_time>
<purge>yes</purge>
<use_password>no</use_password>
<ssl_verify_host>no</ssl_verify_host>
<ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
<ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
<ssl_auto_negotiate>no</ssl_auto_negotiate>
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
<limit_maxagents>yes</limit_maxagents>
</auth>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/secure</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/maillog</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/tortixd/audit_log</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/httpd/audit_log</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/httpd/error_log</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/tortixd/asl_error_log</location>
</localfile>
<localfile>
<log_format>audit</log_format>
<location>/var/log/audit/audit.log</location>
</localfile>
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>command</log_format>
<command>uptime</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 5</command>
<frequency>360</frequency>
</localfile>
<logging></logging>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>udp</protocol>
</remote>
<remote>
<connection>syslog</connection>
<port>514</port>
<protocol>udp</protocol>
</remote>
<rootcheck>
<frequency>43200</frequency>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt</system_audit>
<disabled>no</disabled>
<skip_nfs>yes</skip_nfs>
</rootcheck>
<rules>
<decoder_dir pattern=".xml$">etc/decoders.d</decoder_dir>
<rule_dir pattern=".xml$">etc/rules.d</rule_dir>
<list>etc/lists/audit-key</list>
<list>etc/lists/threat/threat1</list>
<list>etc/lists/threat/threat2</list>
<list>etc/lists/threat/threat3</list>
<list>etc/lists/threat/threat4</list>
<list>etc/lists/threat/threat5</list>
<list>etc/lists/threat/threat6</list>
<list>etc/lists/threat/threat7</list>
<list>etc/lists/threat/threat8</list>
<list>etc/lists/threat/threat9</list>
<list>etc/lists/threat/threat10</list>
<list>etc/lists/threat/threat11</list>
<list>etc/lists/threat/threat12</list>
</rules>
<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
<policies>
<policy>sca_unix_audit.yml</policy>
<policy>system_audit_pw.yml</policy>
<policy>system_audit_ssh.yml</policy>
<policy>cis_rhel7_linux.yml</policy>
</policies>
</sca>
<vulnerability-detector>
<enabled>yes</enabled>
<interval>5m</interval>
<ignore_time>6h</ignore_time>
<run_on_start>yes</run_on_start>
<provider name="canonical">
<os>precise</os>
<os>trusty</os>
<os>xenial</os>
<os>bionic</os>
<enabled>no</enabled>
<update_interval>1h</update_interval>
</provider>
<provider name="debian">
<os>wheezy</os>
<os>stretch</os>
<os>jessie</os>
<os>buster</os>
<enabled>no</enabled>
<update_interval>1h</update_interval>
</provider>
<provider name="redhat">
<enabled>yes</enabled>
<update_interval>1h</update_interval>
<update_from_year>2010</update_from_year>
</provider>
<provider name="nvd">
<enabled>yes</enabled>
<update_interval>1h</update_interval>
<update_from_year>2010</update_from_year>
</provider>
</vulnerability-detector>
<wodle name="open-scap">
<disabled>no</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<content type="xccdf" path="ssg-centos-7-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
<content type="xccdf" path="ssg-rhel7-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
<content type="oval" path="com.redhat.rhsa-RHEL7.xml"></content>
</wodle>
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports>yes</ports>
<processes>yes</processes>
</wodle>
</ossec_config>
/var/ossec/logs/ossec.log:
2021/03/23 10:05:58 ossec-analysisd: ERROR: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:05:58 ossec-analysisd: CRITICAL: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:05:58 ossec-modulesd: ERROR: Unable to connect to socket '/var/ossec/queue/db/wdb'.
2021/03/23 10:05:58 ossec-modulesd: ERROR: Unable to connect to socket '/queue/db/wdb'.
2021/03/23 10:05:58 ossec-modulesd: ERROR: Unable to connect to socket '/queue/db/wdb'
2021/03/23 10:05:58 ossec-modulesd: ERROR: Error querying OSSEC DB to get the agent status.
2021/03/23 10:05:58 ossec-modulesd:database: ERROR: Couldn't get database status for agent '0'.
2021/03/23 10:05:58 ossec-modulesd: INFO: Cannot find '/var/ossec/queue/db/wdb'. Waiting 1 seconds to reconnect.
2021/03/23 10:05:59 ossec-modulesd: INFO: Cannot find '/var/ossec/queue/db/wdb'. Waiting 2 seconds to reconnect.
2021/03/23 10:06:01 ossec-db: CRITICAL: (2301): Definition not found for: 'ossec_db.commit_time_min'.
2021/03/23 10:06:01 ossec-modulesd: INFO: Cannot find '/var/ossec/queue/db/wdb'. Waiting 3 seconds to reconnect.
2021/03/23 10:06:01 ossec-analysisd: ERROR: (1235): Invalid value for element 'timeout_allowed': OSSEC_SHUN_ENABLE_TIMEOUT.
2021/03/23 10:06:01 ossec-analysisd: ERROR: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:06:01 ossec-analysisd: CRITICAL: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:06:04 ossec-modulesd: ERROR: Unable to connect to socket '/var/ossec/queue/db/wdb'.
2021/03/23 10:06:04 ossec-modulesd: ERROR: Unable to connect to socket '/queue/db/wdb'.
2021/03/23 10:06:04 ossec-modulesd: ERROR: Unable to connect to socket '/queue/db/wdb'
2021/03/23 10:06:04 ossec-modulesd: ERROR: Error querying OSSEC DB to get the agent status.
2021/03/23 10:06:04 ossec-modulesd:database: ERROR: Couldn't get database status for agent '0'.
2021/03/23 10:06:04 ossec-modulesd: INFO: Cannot find '/var/ossec/queue/db/wdb'. Waiting 1 seconds to reconnect.
2021/03/23 10:06:04 ossec-db: CRITICAL: (2301): Definition not found for: 'ossec_db.commit_time_min'.
2021/03/23 10:06:04 ossec-analysisd: ERROR: (1235): Invalid value for element 'timeout_allowed': OSSEC_SHUN_ENABLE_TIMEOUT.
2021/03/23 10:06:04 ossec-analysisd: ERROR: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:06:04 ossec-analysisd: CRITICAL: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:06:05 ossec-modulesd: INFO: Cannot find '/var/ossec/queue/db/wdb'. Waiting 2 seconds to reconnect.
2021/03/23 10:06:07 ossec-modulesd: INFO: Cannot find '/var/ossec/queue/db/wdb'. Waiting 3 seconds to reconnect.
2021/03/23 10:06:07 ossec-db: CRITICAL: (2301): Definition not found for: 'ossec_db.commit_time_min'.
2021/03/23 10:06:08 ossec-analysisd: ERROR: (1235): Invalid value for element 'timeout_allowed': OSSEC_SHUN_ENABLE_TIMEOUT.
2021/03/23 10:06:08 ossec-analysisd: ERROR: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:06:08 ossec-analysisd: CRITICAL: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:06:10 ossec-modulesd: ERROR: Unable to connect to socket '/var/ossec/queue/db/wdb'.
2021/03/23 10:06:10 ossec-modulesd: ERROR: Unable to connect to socket '/queue/db/wdb'.
2021/03/23 10:06:10 ossec-modulesd: ERROR: Unable to connect to socket '/queue/db/wdb'
2021/03/23 10:06:10 ossec-modulesd: ERROR: Error querying OSSEC DB to get the agent status.
2021/03/23 10:06:10 ossec-modulesd:database: ERROR: Couldn't get database status for agent '0'.
2021/03/23 10:06:10 ossec-modulesd: INFO: Cannot find '/var/ossec/queue/db/wdb'. Waiting 1 seconds to reconnect.
2021/03/23 10:06:11 ossec-db: CRITICAL: (2301): Definition not found for: 'ossec_db.commit_time_min'.
2021/03/23 10:06:11 ossec-analysisd: ERROR: (1235): Invalid value for element 'timeout_allowed': OSSEC_SHUN_ENABLE_TIMEOUT.
2021/03/23 10:06:11 ossec-analysisd: ERROR: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:06:11 ossec-analysisd: CRITICAL: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:06:11 ossec-modulesd: INFO: Cannot find '/var/ossec/queue/db/wdb'. Waiting 2 seconds to reconnect.
2021/03/23 10:06:13 ossec-modulesd: INFO: Cannot find '/var/ossec/queue/db/wdb'. Waiting 3 seconds to reconnect.
2021/03/23 10:06:14 ossec-db: CRITICAL: (2301): Definition not found for: 'ossec_db.commit_time_min'.
2021/03/23 10:06:14 ossec-analysisd: ERROR: (1235): Invalid value for element 'timeout_allowed': OSSEC_SHUN_ENABLE_TIMEOUT.
2021/03/23 10:06:14 ossec-analysisd: ERROR: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:06:14 ossec-analysisd: CRITICAL: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:06:16 ossec-modulesd: ERROR: Unable to connect to socket '/var/ossec/queue/db/wdb'.
2021/03/23 10:06:16 ossec-modulesd: ERROR: Unable to connect to socket '/queue/db/wdb'.
2021/03/23 10:06:16 ossec-modulesd: ERROR: Unable to connect to socket '/queue/db/wdb'
2021/03/23 10:06:16 ossec-modulesd: ERROR: Error querying OSSEC DB to get the agent status.
2021/03/23 10:06:16 ossec-modulesd:database: ERROR: Couldn't get database status for agent '0'.
2021/03/23 10:06:16 ossec-modulesd: INFO: Cannot find '/var/ossec/queue/db/wdb'. Waiting 1 seconds to reconnect.
2021/03/23 10:06:17 ossec-modulesd: INFO: Cannot find '/var/ossec/queue/db/wdb'. Waiting 2 seconds to reconnect.
2021/03/23 10:06:17 ossec-db: CRITICAL: (2301): Definition not found for: 'ossec_db.commit_time_min'.
2021/03/23 10:06:17 ossec-analysisd: ERROR: (1235): Invalid value for element 'timeout_allowed': OSSEC_SHUN_ENABLE_TIMEOUT.
2021/03/23 10:06:17 ossec-analysisd: ERROR: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:06:17 ossec-analysisd: CRITICAL: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:06:19 ossec-modulesd: INFO: Cannot find '/var/ossec/queue/db/wdb'. Waiting 3 seconds to reconnect.
2021/03/23 10:06:20 ossec-db: CRITICAL: (2301): Definition not found for: 'ossec_db.commit_time_min'.
2021/03/23 10:06:21 ossec-analysisd: ERROR: (1235): Invalid value for element 'timeout_allowed': OSSEC_SHUN_ENABLE_TIMEOUT.
2021/03/23 10:06:21 ossec-analysisd: ERROR: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:06:21 ossec-analysisd: CRITICAL: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
Note: ossec.log was too big to grab all of it. This is the last chunk of lines.
uname -a: Linux localhost.localdomain 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
I think that is all the info the troubleshooting page suggests. If you need more info, say so and I'll see if I can post it. If anyone has any insight into this issue, I'd appreciate it.
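An added check, not part of the original post, for the two things the ossec.log excerpt above points at: `<command>` definitions in ossec.conf whose `timeout_allowed` is not yes/no, and the ossec-analysisd (1235)/(1202) configuration errors that stop it from loading, which means nothing is written to alerts.json no matter what syscheckd does. The file paths are the ones the poster gave; the sample config and log lines are constructed in the formats shown in the post.

```python
import re
import xml.etree.ElementTree as ET

# Values OSSEC/Wazuh accept for <timeout_allowed> inside a <command> definition.
VALID_TIMEOUT_ALLOWED = {"yes", "no"}

# ossec-analysisd log lines that mean its configuration was rejected:
# (1235) invalid value for an element, (1202) configuration error.
ANALYSISD_CONFIG_ERROR = re.compile(
    r"^(?P<ts>\S+ \S+) ossec-analysisd: (?P<level>ERROR|CRITICAL): "
    r"\((?P<code>1235|1202)\): (?P<msg>.*)$"
)

def check_command_timeouts(conf_xml):
    """Return [(command name, bad value)] for every <command> definition whose
    <timeout_allowed> is not 'yes' or 'no'. A synthetic root is added because
    ossec.conf may contain several top-level <ossec_config> blocks."""
    root = ET.fromstring("<root>" + conf_xml + "</root>")
    bad = []
    for cmd in root.iter("command"):
        name = cmd.find("name")
        allowed = cmd.find("timeout_allowed")
        if name is None or allowed is None:
            continue  # <command> inside <active-response> or <localfile>, not a definition
        value = (allowed.text or "").strip()
        if value.lower() not in VALID_TIMEOUT_ALLOWED:
            bad.append(((name.text or "").strip(), value))
    return bad

def find_analysisd_config_errors(log_text):
    """Return the distinct (error code, message) pairs from ossec-analysisd
    configuration errors in ossec.log, in first-seen order."""
    found = []
    for line in log_text.splitlines():
        m = ANALYSISD_CONFIG_ERROR.match(line.strip())
        if m and (m["code"], m["msg"]) not in found:
            found.append((m["code"], m["msg"]))
    return found

def diagnose(conf_xml, log_text):
    """Run both checks. analysisd_blocked is True when the log shows analysisd
    rejecting its configuration; while that holds nothing reaches alerts.json,
    whatever syscheckd itself is doing."""
    errors = find_analysisd_config_errors(log_text)
    return {
        "bad_commands": check_command_timeouts(conf_xml),
        "config_errors": errors,
        "analysisd_blocked": any(code == "1202" for code, _ in errors),
    }

# Constructed sample: a trimmed ossec.conf with one valid and one invalid
# <command> definition, plus the non-definition <command> forms to be skipped.
SAMPLE_CONF = """<ossec_config>
<command><name>zabbix-alert</name><executable>zabbix-alert.sh</executable>
<expect>srcip</expect><timeout_allowed>no</timeout_allowed></command>
<command><name>host-deny</name><executable>host-deny.sh</executable>
<expect>srcip</expect><timeout_allowed>OSSEC_SHUN_ENABLE_TIMEOUT</timeout_allowed></command>
<active-response><command>host-deny</command><location>local</location></active-response>
<localfile><log_format>command</log_format><command>uptime</command></localfile>
</ossec_config>"""

# Constructed sample lines in the ossec.log format shown in the post.
SAMPLE_LOG = """2021/03/23 10:06:01 ossec-modulesd: INFO: Cannot find '/var/ossec/queue/db/wdb'. Waiting 3 seconds to reconnect.
2021/03/23 10:06:01 ossec-analysisd: ERROR: (1235): Invalid value for element 'timeout_allowed': OSSEC_SHUN_ENABLE_TIMEOUT.
2021/03/23 10:06:01 ossec-analysisd: ERROR: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:06:01 ossec-analysisd: CRITICAL: (1202): Configuration error at '/var/ossec/etc/ossec.conf'.
2021/03/23 10:06:04 ossec-analysisd: ERROR: (1235): Invalid value for element 'timeout_allowed': OSSEC_SHUN_ENABLE_TIMEOUT."""

if __name__ == "__main__":
    # Real files: diagnose(open("/var/ossec/etc/ossec.conf").read(), open("/var/ossec/logs/ossec.log").read())
    for key, val in diagnose(SAMPLE_CONF, SAMPLE_LOG).items():
        print(key, val)
```

Until `bad_commands` comes back empty and analysisd starts without a (1202) line, the syscheck side cannot be tested, because no alert of any kind is being produced.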