I configured an OSSEC server on Ubuntu 20.04 to monitor changes on client machines (also Ubuntu 20.04).
My configuration aims to monitor in real time changes that occur in the default system folders and in the Apache server folder (new files, modified files and file deletion), notifying me in real time by email.
Even with the /var/www folder defined in ossec.conf (on the client machines), when I create a file in it I don't receive notifications, even after restarting the server to test whether it will send the notification. I am only notified when I restart the machine (or after the standard 22-hour scan) that there have been changes in ossec.conf, but nothing related to
What can I have done wrong in my configuration?
Configuration of Client Machines (

```xml
<ossec_config>
  ...
  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>79200</frequency>

    <!-- Directories to check (perform all possible verifications) -->
    <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin,/boot</directories>
    <directories report_changes="yes" realtime="yes" check_all="yes">/var/www</directories>
  ...
</ossec_config>
```
Server Configuration (

```xml
<rule id="554" level="7" overwrite="yes">
  <category>ossec</category>
  <decoded_as>syscheck_new_entry</decoded_as>
  <description>File added to the system.</description>
  <group>syscheck,</group>
</rule>
```
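Added check, not part of the question or of OSSEC itself: a small Python audit of a syscheck block that lists which paths are realtime-monitored and whether OSSEC's `alert_new_files` option is set. That option defaults to `no` and must be `yes` before a new-file event reaches rule 554 at all; the snippet posted above does not set it. The two sample configurations are constructed from the question's block.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the question's client <syscheck> block with the "..." removed.
AGENT_CONF = """<ossec_config>
  <syscheck>
    <frequency>79200</frequency>
    <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin,/boot</directories>
    <directories report_changes="yes" realtime="yes" check_all="yes">/var/www</directories>
  </syscheck>
</ossec_config>"""

# Same block with new-file alerting switched on, for comparison.
FIXED_CONF = AGENT_CONF.replace("<frequency>", "<alert_new_files>yes</alert_new_files>\n    <frequency>")


def audit_syscheck(xml_text):
    """Summarise a syscheck block: realtime vs scan-only paths, whether
    new-file alerting is enabled, and a list of human-readable findings."""
    root = ET.fromstring(xml_text)
    sc = root.find("syscheck") if root.tag == "ossec_config" else root
    report = {"realtime": [], "scan_only": [], "alert_new_files": False, "findings": []}
    if sc is None or sc.tag != "syscheck":
        report["findings"].append("no <syscheck> block found")
        return report
    for d in sc.findall("directories"):
        paths = [p.strip() for p in (d.text or "").split(",") if p.strip()]
        bucket = "realtime" if d.get("realtime", "no").lower() == "yes" else "scan_only"
        report[bucket].extend(paths)
    report["alert_new_files"] = sc.findtext("alert_new_files", "no").strip().lower() == "yes"
    if not report["alert_new_files"]:
        report["findings"].append(
            "alert_new_files is not 'yes' (default no): syscheck records new files "
            "but no rule-554 alert is generated for them")
    if not report["realtime"]:
        report["findings"].append("no directory has realtime=\"yes\"; changes surface only at the next scan")
    return report


def is_realtime(report, path):
    """True if `path` lies inside a realtime-monitored directory of the report."""
    return any(path == d or path.startswith(d.rstrip("/") + "/") for d in report["realtime"])


if __name__ == "__main__":
    for name, conf in (("as posted", AGENT_CONF), ("with alert_new_files", FIXED_CONF)):
        r = audit_syscheck(conf)
        print(name, "-> realtime:", r["realtime"], "| findings:", r["findings"] or ["none"])
```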