0

I have an OSSEC server and Agent installed and configured. I have imported the key to the Agent and they appear to be communicating. However, I am trying test the file integrity monitoring feature and I am not receiving alerts.

I followed: https://blog.wazuh.com/configure-ossec-to-report-changes-in-the-content-of-a-text-file/ but there are no folders in /var/ossec/queue/diff/ (I waited for a while per the instructions)

I can see the Agent is sending alerts in the alert.log on the Server, but it is mainly random messages 'Login session closed', 'Login session opened', etc. but that is it.

Possibly related, I also tried to restart the agent remotely using /var/ossec/bin/agent_control -R agent_id, which appears to execute successfully on the manager, but the ossec.log on the Agent does not show a restart.

I just want to see it doing its thing. Is alerts.log the only way? Everything seems a little unresponsive.

UPDATE: I can see the sudo to root execution when I edit the file in /test (from the link above), so it must be in communicado. Also, it is alerting on ssh login failures. Real-time monitoring is enabled, I set the frequency to 30 seconds, the log alert level is set to 1, and the server and agent have been restarted.

2
  • Do you have <email_notification>yes</email_notification> in ossec.conf? Also need MTA like sendmail configured. Commented Feb 9, 2018 at 7:47
  • No email notifications setup because no SMTP server. I thought the alerts would be issued to the Server and appear in alerts/alert.log? That is where I am looking. Commented Feb 10, 2018 at 1:45

0

You must log in to answer this question.

Browse other questions tagged .