Re: [ossec-list] ossec email alerting on <ignore> folders


dan (ddp)

Dec 20, 2012, 8:27:33 AM
to ossec...@googlegroups.com
On Wed, Dec 19, 2012 at 5:15 PM, Lsilverman
<lsilv...@chargeanywhere.com> wrote:
> I am monitoring my inetpub folder on a webserver and ignoring log
> files/folders within inetpub. For some reason ossec sends me email alerts
> for files/folders that I am ignoring. Can someone look at my config and help
> me understand what's wrong? (Dan, looking at you buddy :) :) :))
>
> From OSSEC.conf on the agent:
> <syscheck>
> <alert_new_files>yes</alert_new_files>
> <directories realtime="yes" check_all="yes">C:\inetpub</directories>
> <ignore>C:\Inetpub\mailroot</ignore>
> <ignore>C:\Inetpub\wwwroot\app1\logs</ignore>
> <ignore>C:\Inetpub\wwwroot\app2\logs</ignore>
> <ignore>C:\Inetpub\wwwroot\app1\Imports</ignore>
> <ignore>C:\Inetpub\wwwroot\app2\Imports</ignore>
> </syscheck>
> </ossec_config>
>
> I keep getting email alerts like:
>
> Rule: 550 fired (level 14) -> "Integrity checksum changed of monitored
> file."
> Portion of the log(s):
>
> Integrity checksum changed for:
> 'C:\Inetpub/wwwroot/app1/Log/user.xxxxxxx-12-19-2012.txt'
>

You don't have this path defined above. You have
"<ignore>C:\Inetpub\wwwroot\app1\logs</ignore>" instead.

>
> OSSEC is correct that the file it is showing me has changed but I have
> marked that folder to be ignored. I know that ossec scans all files/folders
> but should choose to alert on files NOT being ignored. Is my config bad?
> Should I add my ignores to the manager and not the agent conf?
>
>
> Any help is greatly appreciated. Thanks in advance.
>
>
>

Make sure you restart the agent processes after adding the correct ignores.

dan (ddp)

Dec 20, 2012, 9:21:20 AM
to ossec...@googlegroups.com
On Thu, Dec 20, 2012 at 9:13 AM, Lsilverman
<lsilv...@chargeanywhere.com> wrote:
> Forgive me, I was removing identifying information and mistyped.
>
> This is from my agent:
> <ignore>C:\Inetpub\wwwroot\app1\logs</ignore>
>
>
> and this is the alert I get:
> Integrity checksum changed for:
> 'C:\Inetpub/wwwroot/app1/Logs/user.xxxxxxx-12-19-2012.txt'
>

Did you restart the OSSEC processes? I don't know if the case matters
or not. I guess you could also try an sregex:

<ignore type="sregex">^C:\Inetpub/wwwroot/app1/Logs</ignore>

>
> Do I add any ignores to the manager or is it strictly agent based?
>

IIRC, if you add them to the manager they will be ignored from all
agents. If you add them to the agents they will only be ignored on
those agents.

> Thank you so so so much. To show my appreciation, I am trying to help you
> out answering questions in the group :)
>
> Thanks

Lou Silverman

Dec 20, 2012, 1:09:25 PM
to ossec...@googlegroups.com, dan (ddp)
I did restart the ossec process at the time. I have added the regex and will begin experimenting with the results. I will report back.

Help me confirm if this is true:

Let's say I am monitoring directory C:\monitored but ignoring directory C:\monitored\logs. If changes are made to a file in a subdir of C:\monitored\logs (ex, c:\monitored\logs\logdir1), will OSSEC alert on that? It then makes sense to use the regex, as we want to ignore anything that begins with c:\monitored\logs.

Thanks

Lou

dan (ddp)

Dec 20, 2012, 3:16:03 PM
to ossec...@googlegroups.com
On Thu, Dec 20, 2012 at 1:21 PM, Lsilverman
<lsilv...@chargeanywhere.com> wrote:
> Still the same issue. I upgraded my manager to 2.7, not my agents.
>
> I am monitoring c:\inetpub but ignoring regex ^C:\inetpub\mailroot
>
> I continue to get alerts like:
>
> Integrity checksum changed for:
> 'C:\Inetpub/mailroot/Badmail/348972394723894723894.BDR'
>
>
> Here is a snippet of my config:
>
>
> <syscheck>
> <alert_new_files>yes</alert_new_files>
> <directories realtime="yes" check_all="yes">C:\Inetpub</directories>
> <ignore type="sregex">^C:\Inetpub\mailroot</ignore>
>
> </syscheck>
>
>
>
> Any ideas what I am doing wrong?
>
> Thanks!!!
>

Not really. The only strange thing I see is the direction of your
slashes. From an example in the ossec.conf:
<ignore>C:\WINDOWS/System32/LogFiles</ignore>

Other than that, no clue.

Lou Silverman

Dec 20, 2012, 3:39:44 PM
to ossec...@googlegroups.com
I thought it was very odd that the email alerts I receive display the
slashes as if it were a Linux box. I always wrote it off as a funky
Linux manager / Windows agent phenomenon :)

I am now experimenting with writing my <ignore> rules using the forward
slashes. Rather than ignoring c:\monitored\logs I am trying
c:\monitored/logs

I will report back my results!

Thanks

Lou
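The recurring problem in this thread is that the paths in the alert e-mails (`C:\Inetpub/wwwroot/app1/Logs/...`, mixed slashes, different case) never look quite like the `<ignore>` entries as typed. The script below is an added example, not OSSEC's own code and not posted by anyone in the thread: it takes the alerted paths and ignore entries from the posts above (constructed sample values) and reports, for each path, whether an ignore entry matches it as typed and whether it matches once slashes and case are folded. It assumes that a plain `<ignore>` is a prefix match and models `<ignore type="sregex">` with Python's `re` on an optionally `^`-anchored literal string; both are simplifications of OSSEC's behaviour, so treat a mismatch in the "as typed" column as the thing to investigate on your own agent version rather than as a verdict on OSSEC.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample data modelled on the thread: paths as they appeared in
# the alert e-mails (note the mixed separators) and the <ignore> entries the
# poster tried. Illustrative values, not captured from a real agent.
ALERTED_PATHS: List[str] = [
    r"C:\Inetpub/wwwroot/app1/Logs/user.xxxxxxx-12-19-2012.txt",
    r"C:\Inetpub/wwwroot/app1/Logs/archive/old.txt",   # file in a sub-directory
    r"C:\Inetpub/mailroot/Badmail/348972394723894723894.BDR",
    r"C:\Inetpub/wwwroot/app1/web.config",             # should NOT be ignored
]

# (value, kind) pairs as they would sit in ossec.conf:
#   kind "plain"  -> <ignore>value</ignore>
#   kind "sregex" -> <ignore type="sregex">value</ignore>
IGNORE_ENTRIES: List[Tuple[str, str]] = [
    (r"C:\Inetpub\wwwroot\app1\logs", "plain"),
    (r"^C:\Inetpub\mailroot", "sregex"),
]


def _canon(text: str, normalize_paths: bool) -> str:
    """Fold backslashes to '/' and lower-case when normalizing.

    This normalization is the example's own addition; whether the agent
    compares paths this way is exactly what the audit helps you find out.
    """
    return text.replace("\\", "/").lower() if normalize_paths else text


def plain_match(ignore: str, path: str, normalize_paths: bool) -> bool:
    """Plain <ignore>: assumed to be a prefix match on the path."""
    return _canon(path, normalize_paths).startswith(_canon(ignore, normalize_paths))


def sregex_match(pattern: str, path: str, normalize_paths: bool) -> bool:
    """<ignore type="sregex">: modelled as an optionally '^'-anchored literal.

    OSSEC has its own regex dialect; only the leading anchor and literal text
    are relied on here, which covers the patterns used in this thread.
    """
    anchored = pattern.startswith("^")
    body = _canon(pattern[1:] if anchored else pattern, normalize_paths)
    regex = ("^" if anchored else "") + re.escape(body)
    return re.search(regex, _canon(path, normalize_paths)) is not None


def find_ignore(path: str, entries: List[Tuple[str, str]],
                normalize_paths: bool) -> Optional[str]:
    """Return the first ignore entry that matches the path, or None."""
    for value, kind in entries:
        if kind == "sregex":
            hit = sregex_match(value, path, normalize_paths)
        else:
            hit = plain_match(value, path, normalize_paths)
        if hit:
            return value
    return None


def audit(paths: List[str],
          entries: List[Tuple[str, str]]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Map each alerted path to (match as typed, match after normalization).

    A path with None in the first slot but a value in the second is one where
    separator or case differences, not the ignore list itself, explain the
    alert; a path with None in both is genuinely not covered.
    """
    return {p: (find_ignore(p, entries, False), find_ignore(p, entries, True))
            for p in paths}


if __name__ == "__main__":
    for path, (as_typed, normalized) in audit(ALERTED_PATHS, IGNORE_ENTRIES).items():
        print(f"{path}\n  as typed:   {as_typed}\n  normalized: {normalized}")
```

Run against the thread's own values, every path that kept producing alerts matches only after normalization, which is why the poster's experiment with forward-slash entries (and dan's suggestion to mirror the `C:\WINDOWS/System32/LogFiles` form from the sample ossec.conf) is the right thing to try first. The sub-directory path is covered by the prefix model; confirm that against your agent version before relying on it.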