
We currently have some OSSEC agents running on Windows with real-time monitoring for files activated, with the following configuration on the agent side:

<syscheck>
  <!-- Frequency that syscheck is executed - default to every 2 hours -->
  <frequency>7200</frequency>

  <directories check_all="yes" realtime="yes">D:\path1</directories>
  <directories check_all="yes" realtime="yes">D:\path2</directories>

  <disabled>no</disabled>
  <auto_ignore>no</auto_ignore>
</syscheck>

This basically works, except that only the first edit of a file is reported in real time. Any subsequent changes to the same file are only reported via the scheduled scans every 7200 seconds, but no real-time notification is triggered after the first edit.

If I edit another previously untouched file, it works again for the first-ever change but not afterwards.

Are there any other settings that could be checked/changed/set to reliably get notified of file changes? What could be looked at to identify the issue?

It's a little puzzling... Thanks a lot for any input.

dalini

2 Answers

1

The answer is: there are somewhat misleading defaults:

  1. You must request real-time monitoring as an extra flag on the agent side.
  2. You must disable auto_ignore on the server side, as this defaults to yes, meaning further updates from agents are ignored after the initial one.

When running the agent at debug level 2, it can be seen that all files are monitored, changes are detected and data is sent to the server. But the server ignores them by default. This is a little confusing/misleading, even if it is documented this way! It should be noted on the real-time flag that one must change the server side too; the interdependence of those two settings is not obvious!

What is confusing is: the first change works, but the second change of the same file does not! So that's it!

dalini
0

Perhaps obvious or a silly oversight but was OSSEC restarted after adding path2 on the agent side?

And if so, does the ossec.log reflect that it's correctly monitoring the path2 directory, i.e.

2017/02/08 00:58:31 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc'.
2017/02/08 00:58:31 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/bin'.

The log may provide some clue or additional insight.

JSL
  • Well, as it turns out, the agent behaves fine/correctly (this can be seen with the debug level set to 2) while sending all changes to the server. So it is really important to set `no` on the server side to enable continuous file monitoring, as this defaults to yes, meaning not active, as auto_ignore does not process further changes after the initial one. – dalini Mar 06 '17 at 10:46
  • As the agent does still scan, hash and send the changes to the main system, I'm not sure if I like this default, or would tend to the opposite, as you have to set the realtime flag on purpose on the agent side. So this is a little trap/tricky, as I must enable real-time monitoring as an extra flag on the agent side but also disable auto_ignore on the server side to have it working. I don't see the safety here... that might have led to this default on the server side! – dalini Mar 06 '17 at 10:54
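The two checks suggested in this thread, the accepted answer's agent/server interdependence (realtime="yes" on the agent is only useful when the server's auto_ignore is set to no) and the second answer's advice to confirm from ossec.log that every real-time directory was actually registered, can be scripted. The following is an added example, not code from OSSEC or from anyone in this thread. The config fragments, the log excerpt and the helper names (parse_ossec_conf, check_realtime_chain, unregistered_realtime_dirs) are constructed for the example; the log line format is taken from the second answer, and the auto_ignore default of yes from the accepted answer.

```python
"""Cross-check OSSEC syscheck real-time settings on agent and server,
then confirm from ossec.log that each real-time directory was registered.

Added example (constructed input); not OSSEC project code.
"""
import re
import xml.etree.ElementTree as ET

# Constructed agent-side fragment, mirroring the question's configuration
# plus one directory without the realtime flag for contrast.
AGENT_CONF = """
<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes" realtime="yes">D:\\path1</directories>
    <directories check_all="yes" realtime="yes">D:\\path2</directories>
    <directories check_all="yes">D:\\path3</directories>
    <disabled>no</disabled>
    <auto_ignore>no</auto_ignore>
  </syscheck>
</ossec_config>
"""

# Constructed server-side fragment that leaves the default in place:
# auto_ignore is absent, which OSSEC treats as "yes" (the trap in the thread).
SERVER_CONF_DEFAULT = """
<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
  </syscheck>
</ossec_config>
"""

# Same server fragment with the fix applied.
SERVER_CONF_FIXED = """
<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <auto_ignore>no</auto_ignore>
  </syscheck>
</ossec_config>
"""

# Constructed ossec.log excerpt in the format shown in the second answer;
# only path1 was registered, so a restart after adding path2 was missed.
AGENT_LOG = """\
2017/02/08 00:58:31 ossec-syscheckd: INFO: Directory set for real time monitoring: 'D:\\path1'.
2017/02/08 00:58:31 ossec-syscheckd: INFO: Started (pid: 1234).
"""

LOG_RE = re.compile(r"ossec-syscheckd: INFO: Directory set for real time monitoring: '(.+)'\.$")


def parse_ossec_conf(text):
    """ossec.conf may hold several top-level <ossec_config> blocks, so wrap them in
    a synthetic root to make the file parseable as one XML document."""
    return ET.fromstring("<root>" + text + "</root>")


def realtime_directories(conf_text):
    """Directories the agent was told to watch in real time (realtime="yes")."""
    root = parse_ossec_conf(conf_text)
    return [(d.text or "").strip() for d in root.iter("directories")
            if (d.get("realtime") or "no").lower() == "yes"]


def server_auto_ignore(conf_text):
    """Effective server-side auto_ignore; absent element means the default 'yes'."""
    root = parse_ossec_conf(conf_text)
    values = [(e.text or "").strip().lower() for e in root.iter("auto_ignore")]
    return values[-1] if values else "yes"


def check_realtime_chain(agent_conf, server_conf):
    """Return a list of problems; empty means both halves of the chain are set."""
    problems = []
    if not realtime_directories(agent_conf):
        problems.append('agent: no <directories realtime="yes"> entries')
    if server_auto_ignore(server_conf) != "no":
        problems.append("server: <auto_ignore> is not 'no'; repeated changes to the "
                        "same file are dropped after the first alert")
    return problems


def registered_realtime_dirs(log_text):
    """Directories syscheckd reported as set for real-time monitoring."""
    return {m.group(1) for line in log_text.splitlines()
            for m in [LOG_RE.search(line)] if m}


def unregistered_realtime_dirs(agent_conf, log_text):
    """Configured real-time directories that never appear in the log."""
    return sorted(set(realtime_directories(agent_conf)) - registered_realtime_dirs(log_text))


if __name__ == "__main__":
    print("default server config:", check_realtime_chain(AGENT_CONF, SERVER_CONF_DEFAULT))
    print("fixed server config:  ", check_realtime_chain(AGENT_CONF, SERVER_CONF_FIXED))
    print("not registered per log:", unregistered_realtime_dirs(AGENT_CONF, AGENT_LOG))
```

Run it as-is to see the constructed case; to apply it to a live deployment, read the agent's and the manager's ossec.conf and the agent's ossec.log into the three inputs. A non-empty result from either check points at exactly the two failure modes this thread describes: a server still on the auto_ignore default, or a directory added on the agent without a restart.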