file integrity monitor
193 views
Skip to first unread message
Yectli Huerta
Mar 21, 2022, 4:36:39 PM3/21/22
to Wazuh mailing list
Hi,
I am having issues with FIM. When I look at the inventory tab on the web interface, I can see that the test file I modified changed its checksum. But when I add a filter under the Events tab, I don't get any results when I execute the query.
I try the following filter
syscheck.path is /etc/issue
but it did not work. Filebeat is running on the client. The ossec.conf configuration is this
<directories check_all="yes" report_changes="yes" whodata="yes">/etc,/usr/bin,/usr/sbi
n</directories>
n</directories>
I did restart the daemon to ensure that the change to the ossec.conf file was read.
Logstash is running on the server
# systemctl status logstash
● logstash.service - logstash
Loaded: loaded (/etc/systemd/system/logstash.service; enabled;
vendor preset: disabled)
Active: active (running) since Mon 2022-03-21 19:16:48 UTC; 3s ago
Main PID: 591 (java)
CGroup: /system.slice/logstash.service
└─591 /usr/share/logstash/jdk/bin/java -Xms1g -Xmx1g
-XX:+UseConcMarkSweepGC...
Mar 21 19:16:48 yah-wazuh.novalocal systemd[1]: Started logstash.
Mar 21 19:16:48 yah-wazuh.novalocal logstash[591]: Using bundled JDK:
/usr/share/logst...k
Mar 21 19:16:48 yah-wazuh.novalocal logstash[591]: OpenJDK 64-Bit
Server VM warning: O....
Hint: Some lines were ellipsized, use -l to show in full.
● logstash.service - logstash
Loaded: loaded (/etc/systemd/system/logstash.service; enabled;
vendor preset: disabled)
Active: active (running) since Mon 2022-03-21 19:16:48 UTC; 3s ago
Main PID: 591 (java)
CGroup: /system.slice/logstash.service
└─591 /usr/share/logstash/jdk/bin/java -Xms1g -Xmx1g
-XX:+UseConcMarkSweepGC...
Mar 21 19:16:48 yah-wazuh.novalocal systemd[1]: Started logstash.
Mar 21 19:16:48 yah-wazuh.novalocal logstash[591]: Using bundled JDK:
/usr/share/logst...k
Mar 21 19:16:48 yah-wazuh.novalocal logstash[591]: OpenJDK 64-Bit
Server VM warning: O....
Hint: Some lines were ellipsized, use -l to show in full.
but the log shows that it crashes periodically. The following lines come from logstash-plain.log:
[2022-03-21T20:36:04,083][INFO ][logstash.config.source.local.configpathloader] No config
files found in path {:path=>"/etc/logstash/conf.d/*.conf"}
[2022-03-21T20:36:04,107][ERROR][logstash.config.sourceloader] No configuration found in t
he configured sources.
[2022-03-21T20:36:04,227][INFO ][logstash.agent ] Successfully started Logstash
API endpoint {:port=>9601, :ssl_enabled=>false}
[2022-03-21T20:36:09,350][INFO ][logstash.runner ] Logstash shut down.
[2022-03-21T20:36:09,367][FATAL][org.logstash.Logstash ] Logstash stopped processing be
cause of an error: (SystemExit) exit
org.jruby.exceptions.SystemExit: (SystemExit) exit
at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:747) ~[jruby-complete-9.2.2
0.1.jar:?]
at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:710) ~[jruby-complete-9.2.2
0.1.jar:?]
at usr.share.logstash.lib.bootstrap.environment.<main>(/usr/share/logstash/lib/boo
tstrap/environment.rb:94) ~[?:?]
files found in path {:path=>"/etc/logstash/conf.d/*.conf"}
[2022-03-21T20:36:04,107][ERROR][logstash.config.sourceloader] No configuration found in t
he configured sources.
[2022-03-21T20:36:04,227][INFO ][logstash.agent ] Successfully started Logstash
API endpoint {:port=>9601, :ssl_enabled=>false}
[2022-03-21T20:36:09,350][INFO ][logstash.runner ] Logstash shut down.
[2022-03-21T20:36:09,367][FATAL][org.logstash.Logstash ] Logstash stopped processing be
cause of an error: (SystemExit) exit
org.jruby.exceptions.SystemExit: (SystemExit) exit
at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:747) ~[jruby-complete-9.2.2
0.1.jar:?]
at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:710) ~[jruby-complete-9.2.2
0.1.jar:?]
at usr.share.logstash.lib.bootstrap.environment.<main>(/usr/share/logstash/lib/boo
tstrap/environment.rb:94) ~[?:?]
Do you have any suggestions?
thanks,
Aditya Sharma
Mar 23, 2022, 12:10:22 AM3/23/22
to Wazuh mailing list
Hi
yhuerta, Thanks for using Wazuh!
Can you please share with us more details about this:
1. Wazuh-Manager Version
2. Elasticsearch Version
3. Filebeat Version
4. Logstash Version
Is Filebeat running on Wazuh-Manager? Can you share the ossec.conf file also?
To get more insights over this please check out: https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/how-it-works.html
To check the capabilities of FIM: https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
I hope this helps you. Don't hesitate to ask questions, We are very happy to help you.
Regards
Can you please share with us more details about this:
1. Wazuh-Manager Version
2. Elasticsearch Version
3. Filebeat Version
4. Logstash Version
Is Filebeat running on Wazuh-Manager? Can you share the ossec.conf file also?
To get more insights over this please check out: https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/how-it-works.html
To check the capabilities of FIM: https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
I hope this helps you. Don't hesitate to ask questions, We are very happy to help you.
Regards
Aditya Sharma
Yectli Huerta
Mar 23, 2022, 2:21:33 PM3/23/22
to Wazuh mailing list
Thanks for your reply. we are using centos 7 on both the client and server
On Tuesday, March 22, 2022 at 11:10:22 PM UTC-5 aditya...@wazuh.com wrote:
Hi yhuerta, Thanks for using Wazuh!
Can you please share with us more details about this:
1. Wazuh-Manager Version
2. Elasticsearch Version
3. Filebeat Version
4. Logstash Version
on server
[root@wazuh-server2 etc]# rpm -qa |grep elastic
elasticsearch-oss-7.10.2-1.x86_64
opendistroforelasticsearch-1.13.2-1.x86_64
opendistroforelasticsearch-kibana-1.13.2-1.x86_64
[root@wazuh-server2 etc]# rpm -qa |grep wazuh
wazuh-manager-4.2.5-1.x86_64
[root@wazuh-server2 etc]# rpm -qa |grep filebeat
filebeat-7.17.1-1.x86_64
[root@wazuh-server2 etc]# rpm -qa |grep logstash
logstash-7.17.1-1.x86_64
[root@wazuh-server2 etc]#
elasticsearch-oss-7.10.2-1.x86_64
opendistroforelasticsearch-1.13.2-1.x86_64
opendistroforelasticsearch-kibana-1.13.2-1.x86_64
[root@wazuh-server2 etc]# rpm -qa |grep wazuh
wazuh-manager-4.2.5-1.x86_64
[root@wazuh-server2 etc]# rpm -qa |grep filebeat
filebeat-7.17.1-1.x86_64
[root@wazuh-server2 etc]# rpm -qa |grep logstash
logstash-7.17.1-1.x86_64
[root@wazuh-server2 etc]#
on client
[root@wazuh-client etc]# rpm -qa |grep wazuh
wazuh-agent-4.2.5-1.x86_64
[root@wazuh-client etc]# rpm -qa |grep fileb
filebeat-7.10.2-1.x86_64
[root@wazuh-client etc]#
wazuh-agent-4.2.5-1.x86_64
[root@wazuh-client etc]# rpm -qa |grep fileb
filebeat-7.10.2-1.x86_64
[root@wazuh-client etc]#
Is Filebeat running on Wazuh-Manager? Can you share the ossec.conf file also?
yes, filebeat and logstrunning on the server.
[root etc]# systemctl status logstash | head -n 3
● logstash.service - logstash
Loaded: loaded (/etc/systemd/system/logstash.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2022-03-23 02:43:14 UTC; 15h ago
[root etc]# systemctl status filebeat | head -n 3
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2022-03-22 18:47:53 UTC; 23h ago
[root etc]#
[root etc]# systemctl status filebeat | head -n 3
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2022-03-22 18:47:53 UTC; 23h ago
[root etc]#
filebeat is also running on the client. here is the ossec.conf on the client, i'm using a frequency of 120 just to speed up the testing
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>120</frequency>
<scan_on_start>yes</scan_on_start>
<alert_new_files>yes</alert_new_files>
<!-- Directories to check (perform all possible verifications) -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>120</frequency>
<scan_on_start>yes</scan_on_start>
<alert_new_files>yes</alert_new_files>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes" report_changes="yes" whodata="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes" report_changes="yes" whodata="yes">/bin,/sbin,/boot</directories>
<skip_nfs>yes</skip_nfs>
<skip_dev>yes</skip_dev>
<skip_proc>yes</skip_proc>
<skip_sys>yes</skip_sys>
<!-- Nice value for Syscheck process -->
<process_priority>10</process_priority>
<!-- Maximum output throughput -->
<max_eps>100</max_eps>
<!-- Database synchronization settings -->
<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_interval>10m</max_interval>
<max_eps>10</max_eps>
</synchronization>
</syscheck>
<skip_dev>yes</skip_dev>
<skip_proc>yes</skip_proc>
<skip_sys>yes</skip_sys>
<!-- Nice value for Syscheck process -->
<process_priority>10</process_priority>
<!-- Maximum output throughput -->
<max_eps>100</max_eps>
<!-- Database synchronization settings -->
<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_interval>10m</max_interval>
<max_eps>10</max_eps>
</synchronization>
</syscheck>
Yectli Huerta
Mar 23, 2022, 2:34:38 PM3/23/22
to Wazuh mailing list
One more thing that I left out, the client is talking to the server
[root@wazuh-server2 etc]# /var/ossec/bin/agent_control -i 001
Wazuh agent_control. Agent information:
Agent ID: 001
Agent Name: wazuh-client.novalocal
IP address: any/any
Status: Active
Operating system: Linux |wazuh-client.novalocal |3.10.0-1160.59.1.el7.x86_64 |#1 SMP Wed Feb 23 16:47:03 UTC 2022 |x86_64
Client version: Wazuh v4.2.5
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 2c45c95db2954d2c7d0ea533f09e81a5
Last keep alive: 1648060326
Syscheck last started at: Wed Mar 23 18:31:46 2022 (Scan in progress)
Syscheck last ended at: Wed Mar 23 18:29:45 2022
Rootcheck last started at: Unknown
[root@wazuh-server2 etc]#
Wazuh agent_control. Agent information:
Agent ID: 001
Agent Name: wazuh-client.novalocal
IP address: any/any
Status: Active
Operating system: Linux |wazuh-client.novalocal |3.10.0-1160.59.1.el7.x86_64 |#1 SMP Wed Feb 23 16:47:03 UTC 2022 |x86_64
Client version: Wazuh v4.2.5
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 2c45c95db2954d2c7d0ea533f09e81a5
Last keep alive: 1648060326
Syscheck last started at: Wed Mar 23 18:31:46 2022 (Scan in progress)
Syscheck last ended at: Wed Mar 23 18:29:45 2022
Rootcheck last started at: Unknown
[root@wazuh-server2 etc]#
Reply all
Reply to author
Forward
0 new messages