Question about Realtime monitoring on agents


Michiel van Es

Sep 27, 2013, 9:50:18 AM
to ossec...@googlegroups.com
Hello, I have the following setup:

1 manager - OSSEC 2.7 64 bit tar.gz manager install via script
2 agents - OSSEC 2.7 64 bit Atomic repo install

I have changed the <syscheck> section in /var/ossec/etc/ossec.conf on the manager to the following:

  <syscheck>
    <!-- Frequency that syscheck is executed, in seconds (OSSEC default: 79200 = every 22 hours); set here to every 2 hours -->
    <frequency>7200</frequency>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- Windows files to ignore -->
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
    <ignore>C:\WINDOWS/Debug</ignore>
    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
    <ignore>C:\WINDOWS/iis6.log</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
    <ignore>C:\WINDOWS/Prefetch</ignore>
    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
    <ignore>C:\WINDOWS/Temp</ignore>
    <ignore>C:\WINDOWS/system32/config</ignore>
    <ignore>C:\WINDOWS/system32/spool</ignore>
    <ignore>C:\WINDOWS/system32/CatRoot</ignore>
  </syscheck>

I want realtime monitoring of the /etc/ directory on the agents.
I tested the restarts and the connection to the agents via agent_control -lc.

The agents have the following ossec.conf:

<ossec_config>
  <client>
    <server-ip>10.10.138.69</server-ip>
  </client>
</ossec_config>

Nothing happens when I alter /etc/hosts on 1 of the agents.

When I change the /etc/hosts on the manager it is instant (exactly what I want).

I changed the ossec.conf on the agents with the following;

<ossec_config>
  <client>
    <server-ip>10.10.138.69</server-ip>
  </client>

  <syscheck>
    <!-- Frequency that syscheck is executed, in seconds (OSSEC default: 79200 = every 22 hours); set here to every 2 hours -->
    <frequency>7200</frequency>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories realtime="yes" check_all="yes">/var/ossec/etc,/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- Windows files to ignore -->
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
    <ignore>C:\WINDOWS/Debug</ignore>
    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
    <ignore>C:\WINDOWS/iis6.log</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
    <ignore>C:\WINDOWS/Prefetch</ignore>
    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
    <ignore>C:\WINDOWS/Temp</ignore>
    <ignore>C:\WINDOWS/system32/config</ignore>
    <ignore>C:\WINDOWS/system32/spool</ignore>
    <ignore>C:\WINDOWS/system32/CatRoot</ignore>
  </syscheck>

</ossec_config>

and restarted the ossec service on the agents, and let syscheck rebuild its database on both agents:
2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/ossec/etc'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/bin'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/sbin'.
2013/09/27 14:18:27 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2013/09/27 14:18:27 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2013/09/27 14:18:27 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
2013/09/27 14:43:12 ossec-syscheckd: INFO: Real time file monitoring started.
2013/09/27 14:43:12 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2013/09/27 14:43:26 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database)

I changed the /etc/hosts file again and added multiple new lines to make sure it won't match the MD5 sum.
Still nothing happens on the agents; no alert is triggered (on the manager it was instant).

Am I correct that the realtime configuration should be in the ossec.conf on the agents?
I have seen one alert on one of the servers:

Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
File '/etc/hosts' was deleted. Unable to retrieve checksum.


How can I recreate the database?

Regards, and sorry if I am asking obvious questions here.

Michiel
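The agent log quoted in the post above carries a detail that is easy to miss: realtime monitoring is "Initializing ... (not started)" at 14:18:27 and only reports "started" at 14:43:12, after the pre-scan of every monitored directory has finished. In that window, roughly 25 minutes here, an edit to /etc/hosts is not watched in realtime at all and will only be picked up by the next scheduled scan. The following script is an added example, not part of the thread or of OSSEC; it parses ossec-syscheckd lines of the form shown above (the sample is the page's own log lines, trimmed) and classifies a test change by path and time. The function and status names are my own.

```python
import re
from datetime import datetime

# Constructed sample: the ossec-syscheckd lines from the agent's
# /var/ossec/logs/ossec.log quoted above, reduced to the ones that matter here.
SAMPLE_LOG = """\
2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/ossec/etc'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/bin'.
2013/09/27 14:18:27 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2013/09/27 14:18:27 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
2013/09/27 14:43:12 ossec-syscheckd: INFO: Real time file monitoring started.
2013/09/27 14:43:12 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2013/09/27 14:43:26 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database)
"""

LINE_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-syscheckd: (\w+): (.*)$")
TS_FMT = "%Y/%m/%d %H:%M:%S"


def parse_syscheck_log(text):
    """Extract the realtime-relevant state from ossec-syscheckd log lines."""
    state = {"realtime_dirs": [], "init_ts": None,
             "started_ts": None, "prescan_done_ts": None}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines from other daemons, blanks, garbage
        ts = datetime.strptime(m.group(1), TS_FMT)
        msg = m.group(3)
        if msg.startswith("Directory set for real time monitoring: '"):
            state["realtime_dirs"].append(msg.split("'")[1])
        elif msg.startswith("Initializing real time file monitoring"):
            state["init_ts"] = ts
        elif msg.startswith("Real time file monitoring started"):
            state["started_ts"] = ts
        elif msg.startswith("Finished creating syscheck database"):
            state["prescan_done_ts"] = ts
    return state


def realtime_blind_seconds(state):
    """Seconds between realtime being initialised and actually started.
    Changes inside this window are only caught by the next scheduled scan."""
    if state["init_ts"] is None or state["started_ts"] is None:
        return None
    return int((state["started_ts"] - state["init_ts"]).total_seconds())


def _under(path, directory):
    prefix = directory if directory.endswith("/") else directory + "/"
    return path == directory.rstrip("/") or path.startswith(prefix)


def classify_change(state, path, when):
    """Why a change to `path` at `when` (datetime or 'YYYY/MM/DD HH:MM:SS')
    did or did not qualify for a realtime alert on this host."""
    if isinstance(when, str):
        when = datetime.strptime(when, TS_FMT)
    if not any(_under(path, d) for d in state["realtime_dirs"]):
        return "NOT_A_REALTIME_DIR"
    if state["started_ts"] is None:
        return "REALTIME_NEVER_STARTED"
    if when < state["started_ts"]:
        return "BEFORE_REALTIME_START"
    return "REALTIME_ACTIVE"


if __name__ == "__main__":
    st = parse_syscheck_log(SAMPLE_LOG)
    print("realtime dirs:", st["realtime_dirs"])
    print("blind window:", realtime_blind_seconds(st), "seconds")
    for p, t in [("/etc/hosts", "2013/09/27 14:30:00"),
                 ("/etc/hosts", "2013/09/27 14:50:00"),
                 ("/bin/ls", "2013/09/27 14:50:00")]:
        print(p, t, classify_change(st, p, t))
```

Run it against the agent's live ossec.log after a restart before judging a realtime test: if the "started" line has not appeared yet, a missing alert says nothing about the configuration.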

Michiel van Es

Sep 27, 2013, 9:59:55 AM
to ossec...@googlegroups.com
Sorry forgot to mention:

Servers are running RHEL6 64-bit.


Michiel van Es

Sep 27, 2013, 11:15:37 AM
to ossec...@googlegroups.com
I got it semi-working, but I am noticing that after I change /etc/hosts (for example), the alert is available on the manager, but when I change /etc/resolv.conf directly after that it is not reported directly (some delay).
Is this normal behaviour?



Michiel van Es

Oct 3, 2013, 4:26:59 AM
to ossec...@googlegroups.com
Is my ossec.conf on the agents correct?
I tested again today after some days:

I added an entry to /etc/hosts; nothing is detected or alerted directly.



dan (ddp)

Oct 3, 2013, 8:57:28 AM
to ossec...@googlegroups.com
On Thu, Oct 3, 2013 at 4:26 AM, Michiel van Es <vanesm...@gmail.com> wrote:
> Is my ossec.conf on the agents correct?
> tested again today after some days:
>

As far as I can tell it seems ok.

> added an entry to /etc/hosts, nothing is detected and alerted directly..
>

What do you mean by "alerted directly?"

Michiel van Es

Oct 3, 2013, 9:13:18 AM
to ossec...@googlegroups.com


On Thursday, October 3, 2013 at 14:57:28 UTC+2, dan (ddpbsd) wrote:
> What do you mean by "alerted directly?"

The realtime="yes" should trigger an alert in OSSEC directly when I alter the file, right? (I open the file with vim, add a new line with bogus content, write+quit.)
It does nothing after that; it only alerts after the next scheduled syscheck run, which runs every X hours/minutes.
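One thing worth ruling out when a vim edit is the test: depending on its backupcopy setting, vim may save by writing a new file and renaming it over the original, so the inode that the realtime watcher knew about is unlinked and a fresh one appears. That pattern would fit the rule 553 "File deleted" alert reported for /etc/hosts earlier in this thread rather than a plain "modified" alert; this is an assumption on my part, not something the thread establishes. The script below is an added example, not from the thread or from OSSEC; it shows the two save strategies on a constructed hosts file and reports whether the inode changed. Function names and the temporary-file suffix are mine.

```python
import os
import tempfile


def append_in_place(path, text):
    """Modify the existing file: same inode, a plain modification event."""
    with open(path, "a") as f:
        f.write(text)


def save_via_rename(path, text):
    """Editor-style save: write the new content to a sibling file and rename it
    over the original. The original inode is unlinked, so a watcher keyed on
    that inode sees a delete followed by a create, not a modification."""
    tmp = path + ".swp-demo"  # assumed temporary name, not what any editor uses
    with open(path) as f:
        old = f.read()
    with open(tmp, "w") as f:
        f.write(old + text)
    os.replace(tmp, path)  # rename(2): atomic, but the result is a different inode


def inode_changed_by(mutator):
    """Run `mutator` on a constructed hosts file; report whether the inode changed."""
    with tempfile.TemporaryDirectory() as d:
        hosts = os.path.join(d, "hosts")
        with open(hosts, "w") as f:
            f.write("127.0.0.1 localhost\n")  # constructed sample content
        before = os.stat(hosts).st_ino
        mutator(hosts, "10.0.0.99 bogus-entry\n")  # constructed test line
        after = os.stat(hosts).st_ino
        return before != after


def demo():
    return {"append": inode_changed_by(append_in_place),
            "rename": inode_changed_by(save_via_rename)}


if __name__ == "__main__":
    for how, changed in demo().items():
        print(f"{how:7s}: inode changed = {changed}")
```

For a clean realtime test on an agent, append in place (for example `echo '10.0.0.99 test' >> /etc/hosts`) and compare with an edit saved from vim; if only the in-place append alerts promptly, the editor's save strategy, not the syscheck configuration, is what needs attention.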
 

dan (ddp)

Oct 3, 2013, 9:44:49 AM
to ossec...@googlegroups.com
On Thu, Oct 3, 2013 at 9:13 AM, Michiel van Es <vanesm...@gmail.com> wrote:
> The realtime=yes should trigger an alert for OSSEC directly when I alter the
> file right? (I open the file with vim, add a new line with bogus ,
> write+quit)
> It does nothing after that, only after the first syscheck run that is
> scheduled to run every X hour/minutes.
>

It should trigger an alert very quickly, yes.
I don't really have a way to troubleshoot this. Every time I test
realtime it works just fine.

Michiel van Es

Oct 3, 2013, 9:50:10 AM
to ossec...@googlegroups.com
But it is correct that I add the syscheck and realtime options to the agent's own ossec.conf and NOT on the server, right?



dan (ddp)

Oct 3, 2013, 9:55:03 AM
to ossec...@googlegroups.com
On Thu, Oct 3, 2013 at 9:50 AM, Michiel van Es <vanesm...@gmail.com> wrote:
> But it is correct that I add the syscheck and realtime options to the agent
> own ossec.conf and NOT on the server right?
>

That depends on where you want that setting to be applied. If you want
the agent to attempt these detections in real time, then you have to
define it on the agent. If you want the server to do realtime
detection, you must define it on the server. I will try to make the
documentation more clear on this.
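The point in the reply above, that a `realtime="yes"` entry only affects the host whose ossec.conf contains it, is worth checking mechanically before restarting an agent. The script below is an added example, not OSSEC code and not from the thread: it parses an ossec.conf and reports which directories are watched in realtime, which only get the scheduled scan, and whether a given path would qualify for a realtime alert on that host. The agent configuration embedded in it is constructed from the thread (same manager address, same directories); the client-only configuration is the one the agents started with. Two caveats the parser accounts for: ossec.conf may contain several top-level `<ossec_config>` elements and has no XML declaration, so it is not a single well-formed document, and OSSEC's shared `/var/ossec/etc/shared/agent.conf` (root element `<agent_config>`, the usual way to template one syscheck block across many agents) is accepted by the same code path. Regex-style `<ignore type="sregex">` entries are treated as literal prefixes here and are therefore not handled.

```python
import xml.etree.ElementTree as ET

# Constructed agent-side ossec.conf: the client block the agents already had
# plus the syscheck block that, per the reply above, must live on the agent.
AGENT_CONF = """\
<ossec_config>
  <client>
    <server-ip>10.10.138.69</server-ip>
  </client>
</ossec_config>

<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/adjtime</ignore>
  </syscheck>
</ossec_config>
"""

# Constructed: the agents' original ossec.conf, client block only.
CLIENT_ONLY_CONF = """\
<ossec_config>
  <client>
    <server-ip>10.10.138.69</server-ip>
  </client>
</ossec_config>
"""


def _load(conf_text):
    # ossec.conf / agent.conf may hold several top-level elements and carry no
    # XML declaration, so wrap the text in a synthetic root before parsing.
    return ET.fromstring("<wrapped>" + conf_text + "</wrapped>")


def syscheck_summary(conf_text):
    """Collect realtime vs scheduled directories, ignores and scan frequency."""
    root = _load(conf_text)
    summary = {"realtime": [], "scheduled": [], "ignore": [], "frequency": None}
    for sc in root.iter("syscheck"):  # works under ossec_config or agent_config
        freq = sc.find("frequency")
        if freq is not None and freq.text:
            summary["frequency"] = int(freq.text.strip())
        for d in sc.findall("directories"):
            bucket = "realtime" if d.get("realtime", "no").lower() == "yes" else "scheduled"
            summary[bucket].extend(p.strip() for p in (d.text or "").split(",") if p.strip())
        for ig in sc.findall("ignore"):
            if ig.text:  # literal prefixes only; type="sregex" ignores are not handled
                summary["ignore"].append(ig.text.strip())
    return summary


def _under(path, directory):
    prefix = directory if directory.endswith("/") else directory + "/"
    return path == directory.rstrip("/") or path.startswith(prefix)


def will_alert_in_realtime(summary, path):
    """True if a change to `path` should be watched in realtime on the host
    whose configuration produced `summary` (ignores win over directories)."""
    if any(_under(path, ig) for ig in summary["ignore"]):
        return False
    return any(_under(path, d) for d in summary["realtime"])


if __name__ == "__main__":
    for name, conf in (("agent", AGENT_CONF), ("client-only agent", CLIENT_ONLY_CONF)):
        s = syscheck_summary(conf)
        print(name, "realtime:", s["realtime"], "scheduled every", s["frequency"], "s:", s["scheduled"])
        for p in ("/etc/hosts", "/etc/mtab", "/bin/ls"):
            print("  ", p, "->", will_alert_in_realtime(s, p))
```

Feed it the file actually on the host you are testing: a realtime entry present only in the manager's /var/ossec/etc/ossec.conf yields an empty realtime list for the agent, which is exactly the situation at the start of this thread.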

Michiel van Es

Oct 3, 2013, 9:58:10 AM
to ossec...@googlegroups.com
OK, clear to me.
I want this on the agents, so I have to create a template for all agents with these settings.

Thanks!

Michiel van Es

Oct 9, 2013, 3:56:37 AM
to ossec...@googlegroups.com


On Thursday, October 3, 2013 at 15:44:49 UTC+2, dan (ddpbsd) wrote:
> It should trigger an alert very quickly, yes.
> I don't really have a way to troubleshoot this. Every time I test
> realtime it works just fine.

Did you test it on multiple files in /etc/, for example?
I tried /etc/resolv.conf, which is instant; /etc/passwd, where we changed a user's last name, did not have any impact.
The strange thing is that it is not consistent.
I am also not sure if it is related to:

- Red Hat
- Atomic OSSEC-HIDS package
- VMware image
- kernel
 

dan (ddp)

Oct 10, 2013, 10:21:15 AM
to ossec...@googlegroups.com
On Wed, Oct 9, 2013 at 3:56 AM, Michiel van Es <vanesm...@gmail.com> wrote:
> Did you test it on multiple files in /etc/, for example?

No I have not. My ability to test realtime is a bit limited at the moment.