Asset Management
Atomic Enterprise OSSEC (AEO) supports centralized Asset Management for Agent and Agentless devices.
Overview
File Integrity Monitoring
Anti-Virus
Log Monitoring
Scheduled Tasks (Scanning, and Reporting)
1.0 File Integrity Monitoring (FIM)
FIM settings are configurable per host platform (Linux or Windows) and include a default policy suitable for generic configurations.

1.1 Global Settings

1.1.1 Scan Schedule
Declare the time and/or day of the week to run static scans. Generally this is used for environments that do not support real-time FIM.
1.1.2 Auto-Ignore Frequently Modified
Automatically stop reporting changes to a file once it has changed 3 times in succession.
1.1.3 Alert on new file creation
Alert when new files are added to the system
1.1.4 Scan on startup
Run a FIM scan when the agent starts
1.2 Watch
Note
Default Windows and Linux profiles are included

1.2.1 Path
Path of the file, or registry key to monitor.
Note
When declaring paths, always use unix style /. Example: C:/exampledirectory
1.2.2 Realtime
Enable realtime detection of changes.
Note
This is safe to enable even if the (legacy) environment does not support real-time detection.
1.2.3 Report
Track changes to files made in the environment. ASCII file deltas are included in the alert. Copies of the files are maintained on the agent in a revisioned directory under /var/ossec/queue/diff or C:/Program Files (x86)/ossec-agent/queue/diff/
Note
This can increase disk space usage on the agent.
1.2.4 Whodata
Include information on the user that made the change. This option is supported on all modern operating systems.
1.2.5 Arch
(Windows Only) Used to limit registry monitoring to a specific architecture, i386 or x86_64. This option defaults to checking both.
1.2.6 Regex restrict
Limit FIM to files matching a simple regular expression. Example: .js$|.css$|.html$
^ -> To specify the beginning of the text. $ -> To specify the end of the text. | -> To create an "OR" between multiple patterns.
1.3 Ignore

1.3.1 Path
Path or simple regular expression to ignore.
^ -> To specify the beginning of the text. $ -> To specify the end of the text. | -> To create an "OR" between multiple patterns.
Note
Globbing is not supported at this time.
1.3.2 Is Regex
Toggle whether the value entered in Path is a simple regular expression rather than a literal path.
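The FIM options above correspond to the syscheck settings of a standard OSSEC agent configuration. As an added illustration that is not taken from the AEO documentation, the fragment below shows the ossec.conf equivalent of sections 1.1 through 1.3; it assumes AEO distributes configuration in upstream OSSEC syntax, the watched paths are constructed samples, and the whodata and arch attribute names are assumptions to verify against the agent version in use.

```xml
<ossec_config>
  <syscheck>
    <!-- 1.1.1 Scan Schedule: static scan for hosts without real-time support -->
    <scan_time>2am</scan_time>
    <scan_day>sunday</scan_day>

    <!-- 1.1.2 Auto-Ignore Frequently Modified (silenced after 3 changes in a row) -->
    <auto_ignore>yes</auto_ignore>

    <!-- 1.1.3 Alert on new file creation -->
    <alert_new_files>yes</alert_new_files>

    <!-- 1.1.4 Scan on startup -->
    <scan_on_start>yes</scan_on_start>

    <!-- 1.2 Watch: Path + Realtime + Report + Regex restrict.
         report_changes stores ASCII deltas under queue/diff on the agent.
         The path is a constructed sample. -->
    <directories check_all="yes" realtime="yes" report_changes="yes"
                 restrict=".js$|.css$|.html$">/var/www/html</directories>

    <!-- 1.2.4 Whodata: attribute name assumed, record the changing user -->
    <directories check_all="yes" realtime="yes" whodata="yes">/etc</directories>

    <!-- Windows path written with unix style slashes, as the Path note requires -->
    <directories check_all="yes" realtime="yes">C:/inetpub/wwwroot</directories>

    <!-- 1.2.5 Arch: registry key limited to one architecture (attribute assumed;
         omitting it checks both, matching the documented default) -->
    <windows_registry arch="x86_64">HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>

    <!-- 1.3 Ignore: literal path (Is Regex off) and simple regex (Is Regex on).
         Globbing is not accepted here; use a simple regex instead. -->
    <ignore>/etc/mtab</ignore>
    <ignore type="sregex">.log$|.swp$|^/var/www/html/cache/</ignore>
  </syscheck>
</ossec_config>
```

Note that in OSSEC simple regex the dot matches any character, so .log$ also matches a file named catalog; anchor or escape more strictly if that matters.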
2.0 Log File Monitoring
AEO can perform IDS monitoring of log files, Windows event channels, or the output of processes.

2.1 Path
Path to a log file, or a command to run. This value supports globbing on Linux, and can be combined with the Ignore Bin option (2.6) to automatically exclude binary files when globbing.
Note
When declaring paths, always use unix style /. Example: C:/exampledirectory
2.2 Format
Format of the log file type to use.
apache: Apache format logs
audit: Linux Audit logs
djb-multilog : Daniel J. Bernstein’s multilog output.
command: Used to run commands to generate log streams. Each line is treated as a separate event
Note
For security reasons, agents are configured to not accept commands from the server by default. This can be allowed in internal_options.conf
eventchannel: (Windows Only) used to declare a Windows event channel, combined with the Query option
eventlog: (Windows Only) legacy Windows logging format on Windows XP, Server 2003, etc.
full_command: Used to run commands to generate log streams. The full output is counted as a single event.
Note
For security reasons, agents are configured to not accept commands from the server by default. This can be allowed in internal_options.conf
iis: (Windows Only) Microsoft IIS web server
multiline: This format type is for log messages consisting of multiple lines. Every message must use the same number of lines, and that number must be specified.
mysql_log: Mysql log format
nmapg: Nmap’s grepable log format.
postgresql_log: Postgresql’s log format
snort-fast: Snort’s fast text output format.
snort-full: Snort’s full text output format.
squid: Squid’s log format
syslog: syslog is used for plain text files with one log message per line. The log messages do not have to be in a syslog format.
2.3 Label
Used to add a custom json key->value in alerts.json for log events from this path or command.
2.4 Query
Eventchannel only. A query in the Microsoft Windows Event API format that filters which events are collected from the channel. This allows OSSEC to monitor both the classic Windows event logs and the more recent Applications and Services logs.
2.5 Frequency
Used with command and full_command; specifies the time in seconds between each run of the command.
2.6 Ignore Bin
Used with Path globbing only; restricts log parsing to ASCII files, skipping binaries matched by the glob.
2.7 Reconnect
Eventchannel only; specifies the time to wait before attempting to reconnect to the Windows event channel.
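The log monitoring options above correspond to OSSEC localfile entries. As an added illustration that is not part of the AEO documentation, the fragment below shows how sections 2.1 through 2.6 map onto ossec.conf; it assumes AEO distributes upstream OSSEC agent syntax, the paths, commands and event query are constructed samples, and the internal_options.conf key named in the comment is the upstream OSSEC setting for remote commands.

```xml
<ossec_config>
  <!-- 2.2 syslog: plain text, one event per line -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <!-- 2.1 Path with globbing (Linux) plus 2.6 Ignore Bin -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/app/*.log</location>
    <ignore_binaries>yes</ignore_binaries>
  </localfile>

  <!-- 2.2 apache on Windows: unix style slashes in the path -->
  <localfile>
    <log_format>apache</log_format>
    <location>C:/Apache24/logs/access.log</location>
  </localfile>

  <!-- 2.2 command plus 2.5 Frequency: each output line is a separate event.
       The agent ignores server-pushed commands unless its own
       internal_options.conf sets logcollector.remote_commands=1 -->
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>

  <!-- 2.2 full_command: the whole output is a single event -->
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan | grep LISTEN</command>
    <frequency>600</frequency>
  </localfile>

  <!-- 2.2 eventchannel plus 2.4 Query (Windows): Event API XPath filter,
       here selecting failed logon events from the Security channel -->
  <localfile>
    <log_format>eventchannel</log_format>
    <location>Security</location>
    <query>Event/System[EventID=4625]</query>
  </localfile>
</ossec_config>
```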
3.0 Scheduled Tasks: Malware Scan
The Atomic OSSEC task scheduler can be configured to automatically run scans or generate reports, either globally or at the group level.
Requires
Atomic OSSEC agent 4.4.3 and above
ClamAV installation (available from the hub repo on RHEL/CentOS/Rocky/AIX)
Step 1: Configure Scan

4.0 Scheduled Tasks: Malware Report
For scans configured in section 3.0, PDF reports can be generated on a defined schedule.
Requires
Scans configured in section 3.0
Step 1: Configure report

Step 2: Download Report
Can be found under Reporting->Report History
