OSSEC is an amazing tool that helps you stay more secure by notifying you of any potential problems. However, when it comes to monitoring web servers, some additional configuration is necessary to get it working properly.
In this quick write-up we will look at the changes to the default configuration that are needed when OSSEC is running on a web server.
We assume you have an OSSEC client/server deployment, with the OSSEC client installed on websrv.local.
After a successful OSSEC client installation we will be adjusting the Syscheck configuration. Syscheck is the name of the integrity-checking process inside OSSEC. It runs periodically to check whether or not changes were made to any monitored files on the system.
Add web root to syscheck scanner
We will now add our web root directory so it can be scanned for changes. This has to be done on the OSSEC agent system.
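As an added example (not the original write-up's own configuration), this is the kind of syscheck stanza that goes into the agent's /var/ossec/etc/ossec.conf. The web root /var/www/html and the cache and uploads sub-directories are assumed placeholders; adjust them to your server.

```xml
<ossec_config>
  <syscheck>
    <!-- Full scan interval in seconds (79200 = 22 hours, the OSSEC default) -->
    <frequency>79200</frequency>

    <!-- Web root (assumed path): hash everything, watch it with inotify so
         changes are reported immediately, and include a diff of modified
         text files in the alert -->
    <directories check_all="yes" realtime="yes" report_changes="yes">/var/www/html</directories>

    <!-- Paths the application writes to constantly (assumed); scanning them
         only generates noise and hides real tampering -->
    <ignore>/var/www/html/cache</ignore>
    <ignore type="sregex">^/var/www/html/uploads/</ignore>

    <!-- Report files that appear in the web root (web shells are new files) -->
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</ossec_config>
```

Restart the agent with /var/ossec/bin/ossec-control restart for the change to take effect; realtime monitoring requires the agent to have been built with inotify support, which is the case on Linux builds, and new-file alerts only show up if rule 554 is raised above level 0 in the server's local_rules.xml.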
This is optional, but we can force a complete syscheck on our web server. On the OSSEC server we first need to find the agent ID.
Now we can force a scan of our web server:
/var/ossec/bin/agent_control -r -u "agentID"
Now let's check to make sure our scan was executed:
/var/ossec/bin/agent_control -i "agentID"
And finally, let's see the list of changed and modified files:
/var/ossec/bin/syscheck_control -i "agentID"