Posts

Showing posts from March, 2017

Experience in folder monitoring with OSSEC

Today I had some work related to folder monitoring. For my solution I selected OSSEC with ELK. I spent 5 hours troubleshooting OSSEC. :)) This is the first time I have configured it.

You can use syscheck for folder monitoring. References:
http://ossec-docs.readthedocs.io/en/latest/faq/syscheck.html and http://ossec-docs.readthedocs.io/en/latest/manual/syscheck/

To monitor file edits and deletions you can use syscheck with realtime monitoring. But to monitor files being added, you need to:

Add to local_rules.xml:

Edit ossec.conf:

Main problem: you must edit ossec.conf on the server (in my case Wazuh), not on the Windows client.

Second problem: after a file's integrity changes more than 3 times, OSSEC disables the alert. You must set auto_ignore to no in syscheck (on the server).

This is my result:
----------------------------------------------------------
Thanks for reading
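An added example of the two server-side changes the post describes, not the author's own configuration: the syscheck options in ossec.conf and a local_rules.xml override for the built-in "file added" rule (id 554, which ships at level 0 and therefore never alerts). The monitored path and the alert level 7 are assumed values.

```xml
<!-- File 1: ossec.conf on the OSSEC/Wazuh server (assumed example, not the post's own file) -->
<ossec_config>
  <syscheck>
    <!-- server-side: report newly created files (default no, so added files produce no event) -->
    <alert_new_files>yes</alert_new_files>
    <!-- server-side: keep alerting after a file has changed more than 3 times
         (the default auto_ignore=yes is what silenced the author's alerts) -->
    <auto_ignore>no</auto_ignore>
    <!-- realtime covers edits and deletions; on a Windows agent this line belongs in the
         agent's ossec.conf (or centralized agent.conf). Path is an assumed example. -->
    <directories check_all="yes" realtime="yes">C:\Shared\Monitored</directories>
  </syscheck>
</ossec_config>

<!-- File 2: local_rules.xml on the server. Rule 554 ("File added to the system") is
     level 0 in the stock rules, so overwrite it with a level that actually alerts. -->
<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
```

Restart the OSSEC/Wazuh manager after both edits; an added file should then appear as a rule 554 alert, which is what the ELK side will index.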