Flood of "File added to the system" alerts after new agent install
Every time I add a new agent to my OSSEC installation (version 3.3.0 on CentOS 7 servers), I get a flood of "File added to the system" alerts, even though the files are all of various ages and have definitely not been updated recently. According to all of the research I did on this issue online, I am supposed to be able to reset the baseline scan for a particular agent by issuing the following command on the Manager server:
/var/ossec/bin/syscheck_control -u AGENT_ID
But even after doing that, and for a while after the agent has been installed, I continue to get new file alerts for already existing files on the agent server.
What is the recommended way to install and configure a new agent to avoid getting thousands of new file alerts in the process?
Do you have the alert on new files setting enabled?
Yes, I have set the config option "<alert_new_files>yes</alert_new_files>", since the primary purpose of this OSSEC installation is to detect new files that have been added by malware on the servers. But I only want alerts for new files that have been added after the OSSEC agent has been installed, not thousands of alerts for all of the files that have been on the server for months or years.
There are a few different ways to handle that. The condition here is that you're adding a new agent and the database for that system is empty at that point. So obviously every file is a "new" file in that condition, since the database for that agent is empty. You could do a few things here:
- Disable alert_new_files and wait for the database on the new agent to finish generation, then re-enable it
- Create a rule that ignores new files from just that agent, and then turn that rule off when the syscheck db is complete
Thank you for the quick response. I wonder if the syscheck_control command that is discussed as the way of resetting the baseline didn't do anything because the database on the new agent didn't finish generation. I'll try the option of disabling the alert_new_files option temporarily. What is the best way to determine that the database on the new agent has finished generation? It seems like it can take a while, at least from the timing of the alerts that I've been getting. The main problem I've had with the flood of alerts for new files is that it seems to overwhelm the ossec-maild process, which crashes, and unless I notice that it's no longer running I won't get any alerts for a while.
The agents log something when they're done with a syscheck run. Some of my syscheck logs look like this:
2019/11/29 15:14:15 ossec-analysisd: SyscheckInit completed.
2019/11/29 15:14:24 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2019/11/29 15:14:24 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2019/11/29 15:18:55 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2019/11/29 15:19:07 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2019/11/29 15:29:27 ossec-syscheckd: INFO: Starting syscheck scan.
2019/11/29 15:34:36 ossec-syscheckd: INFO: Ending syscheck scan.
I'd be interested in any debugging info you have on maild crashes.
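As an added example (not code from this thread or from the OSSEC project), the Python below ties the two suggestions together: it reads an agent's ossec.log for the pre-scan start/finish lines in the format shown in the reply above, and for every agent whose database is still being built it emits a local_rules.xml fragment that drops the stock rule 554 ("File added to the system.") to level 0 for that hostname only. The log lines are constructed from the excerpt above; the agent names web01/web02, the local rule ID 100554 and the log path /var/ossec/logs/ossec.log (the default) are assumptions for illustration.

```python
import re
from datetime import datetime
from typing import Dict, List

# Line shape taken from the syscheck log excerpt in the thread:
# "2019/11/29 15:14:24 ossec-syscheckd: INFO: Starting syscheck database (pre-scan)."
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<daemon>[\w-]+): (?P<msg>.*)$"
)
PRESCAN_START = "Starting syscheck database (pre-scan)."
PRESCAN_DONE = "Finished creating syscheck database (pre-scan completed)."

# Stock OSSEC rule (ossec_rules.xml) that fires "File added to the system."
NEW_FILE_RULE_ID = 554


def prescan_state(lines: List[str]) -> dict:
    """Scan an agent's ossec.log (default /var/ossec/logs/ossec.log) and report the
    most recent pre-scan. A later 'Starting ... (pre-scan)' line, e.g. after an
    agent restart, resets 'complete' to False until a new 'Finished' line appears."""
    state = {"started": None, "finished": None, "complete": False}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("daemon") != "ossec-syscheckd":
            continue
        msg = m.group("msg")
        if msg.startswith("INFO: "):
            msg = msg[len("INFO: "):]
        ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
        if msg == PRESCAN_START:
            state.update(started=ts, finished=None, complete=False)
        elif msg == PRESCAN_DONE:
            state.update(finished=ts, complete=True)
    return state


def suppression_rule(hostname: str, rule_id: int = 100554) -> str:
    """local_rules.xml fragment that lowers rule 554 to level 0 for one agent, matched
    on the hostname OSSEC attaches to the event. rule_id 100554 is an arbitrary pick
    from the 100000-119999 range OSSEC reserves for local rules."""
    # The hostname is interpolated into XML and used as a match pattern, so refuse
    # anything outside plain hostname characters instead of emitting a rule that
    # silences more than intended.
    if not re.fullmatch(r"[A-Za-z0-9._-]+", hostname):
        raise ValueError("unexpected characters in hostname: %r" % hostname)
    # ^ and $ anchor the match so "web02" does not also cover "web02b".
    return (
        '<group name="local,syscheck,">\n'
        '  <rule id="%d" level="0">\n'
        '    <if_sid>%d</if_sid>\n'
        '    <hostname>^%s$</hostname>\n'
        '    <description>Ignore new-file alerts from %s until its syscheck database is built.</description>\n'
        '  </rule>\n'
        '</group>\n'
    ) % (rule_id, NEW_FILE_RULE_ID, hostname, hostname)


def rules_for_agents(agent_logs: Dict[str, List[str]]) -> str:
    """Suppression rules for every agent whose pre-scan has not finished. Re-run as
    agents complete: finished ones drop out of the generated local_rules.xml."""
    pending = sorted(h for h, lines in agent_logs.items()
                     if not prescan_state(lines)["complete"])
    return "".join(suppression_rule(h, 100554 + i) for i, h in enumerate(pending))


# Constructed sample logs modeled on the excerpt posted above (hypothetical agents).
SAMPLE_LOG_COMPLETE = [
    "2019/11/29 15:14:15 ossec-analysisd: SyscheckInit completed.",
    "2019/11/29 15:14:24 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).",
    "2019/11/29 15:14:24 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).",
    "2019/11/29 15:18:55 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).",
    "2019/11/29 15:19:07 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).",
    "2019/11/29 15:29:27 ossec-syscheckd: INFO: Starting syscheck scan.",
    "2019/11/29 15:34:36 ossec-syscheckd: INFO: Ending syscheck scan.",
]
SAMPLE_LOG_PENDING = [
    "2019/11/29 16:02:10 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).",
    "2019/11/29 16:02:10 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).",
]
AGENT_LOGS = {"web01": SAMPLE_LOG_COMPLETE, "web02": SAMPLE_LOG_PENDING}

if __name__ == "__main__":
    for host, lines in AGENT_LOGS.items():
        print(host, prescan_state(lines))
    print(rules_for_agents(AGENT_LOGS))
```

The generated fragment goes into /var/ossec/rules/local_rules.xml on the manager, and analysisd only picks up rule changes on a restart (/var/ossec/bin/ossec-control restart), so the same restart is needed again once the agent's "pre-scan completed" line appears and the rule is removed. This only keeps the initial flood out of the alert stream; it does nothing about ossec-maild dying under load, which is worth debugging separately.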
In really old versions of ossec (v2.9.3) we didn't get alerts for new files during the database pre-scan. This was ideal as we didn't get a flood of alerts when new instances were installed but we did get alerts for new files created after the pre-scan completed.
We don't want to disable <alert_new_files> then enable after the scan is complete due to other constraints we have around automated deployments.
Did anyone find a way to enable <alert_new_files> without getting the flood of alerts during the database pre-scan?