Re: [ossec-list] syscheck error

2018-04-23 Thread dan (ddp)
On Mon, Apr 23, 2018 at 6:34 PM, Cooper Graf  wrote:
> Haha hmm. So any idea why it's throwing an error for me? Is a new release
> slated to come out soon?
>

It's supposed to be soon, I'll have to prod the release manager.
It happens in glob() somewhere, but I haven't looked at it further
than that yet.


-- 

--- 
You received this message because you are subscribed to 

Re: [ossec-list] syscheck error

2018-04-23 Thread Cooper Graf
Haha hmm. So any idea why it's throwing an error for me? Is a new release
slated to come out soon?

On Mon, Apr 23, 2018 at 4:29 PM dan (ddp)  wrote:

>
> Hit send too early, the files were successfully checked and catalogued
> on this system.
>


Re: [ossec-list] syscheck error

2018-04-23 Thread dan (ddp)
On Mon, Apr 23, 2018 at 6:26 PM, dan (ddp)  wrote:
> On Mon, Apr 23, 2018 at 6:05 PM, Cooper Graf  wrote:
>> Is there documentation that explains what a glob is? This worked fine with
>> 2.7.
>>
>
> I don't think so. I just tried it on a 3.x system and didn't get the
> error. Still waiting on results to see if it checks properly.
>
>   
> 
> 1800
> no
>
> 
> /etc,/usr/bin,/usr/sbin
> /bin,/sbin,/boot
> /var/test
> /var/test2
> /home/*/.ssh
>
> ix# grep home /var/ossec/logs/ossec.log
> 2018/04/23 18:20:17 ossec-syscheckd: INFO: Monitoring directory:
> '/home/ansible/.ssh', with options perm | size | owner | group |
> md5sum | sha256sum.
> 2018/04/23 18:20:17 ossec-syscheckd: INFO: Monitoring directory:
> '/home/ddp/.ssh', with options perm | size | owner | group | md5sum |
> sha256sum.
> 2018/04/23 18:20:17 ossec-syscheckd: INFO: Monitoring directory:
> '/home/ddpbsd/.ssh', with options perm | size | owner | group | md5sum
> | sha256sum.
>

Hit send too early, the files were successfully checked and catalogued
on this system.

>
> And on a slightly older agent:
>   
> 
> 79200
>
> 
> /etc,/usr/bin,/usr/sbin
> /bin,/sbin,/boot
> /home/*/.ssh
>
> root@kaitain:~# grep 'home' /var/ossec/logs/ossec.log
> 2018/04/23 18:25:15 ossec-syscheckd: INFO: Monitoring directory:
> '/home/ansible/.ssh', with options perm | size | owner | group |
> md5sum | sha1sum.
> 2018/04/23 18:25:15 ossec-syscheckd: INFO: Monitoring directory:
> '/home/checker/.ssh', with options perm | size | owner | group |
> md5sum | sha1sum.
>
>


Re: [ossec-list] syscheck error

2018-04-23 Thread dan (ddp)
On Mon, Apr 23, 2018 at 6:05 PM, Cooper Graf  wrote:
> Is there documentation that explains what a glob is? This worked fine with
> 2.7.
>

I don't think so. I just tried it on a 3.x system and didn't get the
error. Still waiting on results to see if it checks properly.

  

1800
no


/etc,/usr/bin,/usr/sbin
/bin,/sbin,/boot
/var/test
/var/test2
/home/*/.ssh

ix# grep home /var/ossec/logs/ossec.log
2018/04/23 18:20:17 ossec-syscheckd: INFO: Monitoring directory:
'/home/ansible/.ssh', with options perm | size | owner | group |
md5sum | sha256sum.
2018/04/23 18:20:17 ossec-syscheckd: INFO: Monitoring directory:
'/home/ddp/.ssh', with options perm | size | owner | group | md5sum |
sha256sum.
2018/04/23 18:20:17 ossec-syscheckd: INFO: Monitoring directory:
'/home/ddpbsd/.ssh', with options perm | size | owner | group | md5sum
| sha256sum.


And on a slightly older agent:
  

79200


/etc,/usr/bin,/usr/sbin
/bin,/sbin,/boot
/home/*/.ssh

root@kaitain:~# grep 'home' /var/ossec/logs/ossec.log
2018/04/23 18:25:15 ossec-syscheckd: INFO: Monitoring directory:
'/home/ansible/.ssh', with options perm | size | owner | group |
md5sum | sha1sum.
2018/04/23 18:25:15 ossec-syscheckd: INFO: Monitoring directory:
'/home/checker/.ssh', with options perm | size | owner | group |
md5sum | sha1sum.




Re: [ossec-list] syscheck error

2018-04-23 Thread Cooper Graf
Is there documentation that explains what a glob is? This worked fine with
2.7.

On Mon, Apr 23, 2018 at 12:53 PM dan (ddp)  wrote:

>
> I don't think globs are valid in the syscheck configuration.
>


Re: [ossec-list] syscheck error

2018-04-23 Thread dan (ddp)
On Mon, Apr 16, 2018 at 2:08 PM, Cooper  wrote:

> I am getting the following error from syscheckd when starting up OSSEC
> 2.9.3:
>
> 2018/04/16 13:01:14 ossec-analysisd: INFO: Reading rules file:
> 'sshd_rules.xml'
> 2018/04/16 13:01:14 ossec-syscheckd(1121): ERROR: Glob error. Invalid
> pattern: '/home/*/.ssh'.
> 2018/04/16 13:04:35 ossec-analysisd: INFO: Reading rules file:
> 'sshd_rules.xml'
> 2018/04/16 13:04:35 ossec-syscheckd(1121): ERROR: Glob error. Invalid
> pattern: '/home/*/.ssh/'.
>
> Inside of my ossec.conf file, I have this line, which seems to be
> generating the error:
>
> /home/*/.ssh/
>
> Any idea what is invalid about that pattern?
>
> --
>

I don't think globs are valid in the syscheck configuration.





Re: [ossec-list] syscheck error with large files

2012-04-12 Thread Christopher Moraes
I figured out what the problem is -

OSSEC gets the file size and stores it in an 'int'.  For large files > 2GB,
the value in the int overflows into a negative range.  When ossec sees
a negative value for size, it assumes that the file has been deleted.

So I guess the fix would be to change the variable holding the size to a
long instead of an int.


On Wed, Apr 11, 2012 at 10:40 AM, Christopher Moraes
cmoraes@gmail.com wrote:

> OSSEC running on Debian (2.6.31.6 kernel) on a 64 bit env.
>
> I have noticed a similar problem on RHEL 5 also.  Though the error is
> different.  (Size goes into negative values)





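The wrap Christopher describes, worked through in C as an added example (not OSSEC's code; the function names are mine). The size from the listing above, 3021794472, keeps only its low 32 bits when assigned to an int and reads back as -1273172824, the exact value in the second syscheck DB entry; a check that treats a negative size as "file gone" then raises the rule 553 alert. The fixed path keeps the size in off_t/long long the whole way, with _FILE_OFFSET_BITS=64 so that off_t is 64-bit even on 32-bit Linux builds.

```c
#define _FILE_OFFSET_BITS 64   /* 64-bit off_t even on 32-bit Linux builds */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Buggy path: a 64-bit st_size assigned to a 32-bit int keeps only the low
 * 32 bits; when bit 31 is set the value reads back negative.  The wrap is
 * spelled out in arithmetic so it is well-defined here (the implicit
 * conversion in the original is implementation-defined in C). */
static int32_t size_as_int32(long long real_size) {
    uint32_t low = (uint32_t)real_size;      /* low 32 bits, modulo 2^32 */
    long long wrapped = (long long)low;
    if (low >= 0x80000000u)
        wrapped -= 4294967296LL;             /* two's-complement reinterpretation */
    return (int32_t)wrapped;
}

/* The rule the thread describes: a negative size is taken to mean "deleted". */
static int flagged_deleted_buggy(long long real_size) {
    return size_as_int32(real_size) < 0;
}

/* Fixed path: the size never passes through int, so 3 GB stays positive. */
static int flagged_deleted_fixed(long long real_size) {
    return real_size < 0;
}

/* stat() a path and hand back st_size widened to long long, or -1 on error. */
static long long file_size_ll(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (long long)st.st_size;
}

/* Render the size field of a syscheck DB line ("<flags><size>:<perm>:...")
 * the buggy way ("%d" of the truncated int) or the fixed way ("%lld"). */
static int size_field(char *buf, size_t n, long long real_size, int fixed) {
    if (fixed)
        return snprintf(buf, n, "%lld", real_size);
    return snprintf(buf, n, "%d", (int)size_as_int32(real_size));
}

/* Convenience for checks: does the rendered field equal `expected`? */
static int size_field_matches(long long real_size, int fixed, const char *expected) {
    char buf[32];
    size_field(buf, sizeof buf, real_size, fixed);
    return strcmp(buf, expected) == 0;
}

int main(void) {
    const long long sizes[] = {755439186LL, 3021794472LL};   /* the two sizes in the thread */
    for (int i = 0; i < 2; i++) {
        char as_int[32], as_off[32];
        size_field(as_int, sizeof as_int, sizes[i], 0);
        size_field(as_off, sizeof as_off, sizes[i], 1);
        printf("real=%lld  int field=%s (%s)  off_t field=%s (%s)\n", sizes[i],
               as_int, flagged_deleted_buggy(sizes[i]) ? "reported deleted" : "ok",
               as_off, flagged_deleted_fixed(sizes[i]) ? "reported deleted" : "ok");
    }
    return 0;
}
```

The 750 MB file survives both paths; only the 3 GB file crosses 2^31 and flips sign in the int path, which is why the first scan catalogued it correctly and the second reported it deleted.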

Re: [ossec-list] syscheck error with large files

2012-04-11 Thread dan (ddp)
What OS?

On Tue, Apr 10, 2012 at 5:02 PM, Christopher Moraes
cmoraes@gmail.com wrote:
> Hi,
>
> Has anyone noticed a bug when running syscheck with large files (> 2 GB)?
>
> I created a test file of 750 MB and ran syscheck.  The file was added
> correctly to the syscheck DB in /var/ossec/queue/syscheck/syscheck
>
> +++755439186:33184:0:0:547ce19e677e67506bbf9ef7b4c6f42f:6036d5f6813b59fd1b461a59184b0e8ffb26a11b
> !1334071299 /var/log/remote/large-file.log
>
> I then appended logs to the file to create a 3GB file
> -rw-r----- 1 root root 3021794472 Apr 10 11:35 large-file.log
>
> I ran syscheck again and then noticed a weird alert
>
> ** Alert 1334072743.333516: mail  - ossec,syscheck,
> 2012 Apr 10 11:45:43 cbvmalv01-syscheck
> Rule: 553 (level 7) - 'File deleted. Unable to retrieve checksum.'
> Src IP: (none)
> User: (none)
> File '/var/log/remote/large-file.log' was deleted. Unable to retrieve
> checksum.
>
> The file has not been deleted and is still present in the directory.
>
> Additionally, I see that the syscheck DB shows the file as deleted, but with
> a new entry showing the same file with 1 change.
>
> #++755439186:33184:0:0:547ce19e677e67506bbf9ef7b4c6f42f:6036d5f6813b59fd1b461a59184b0e8ffb26a11b
> !1334071299 /var/log/remote/large-file.log
> !++-1273172824:33184:0:0:4fb16a0f6a905610fac619de9a868a8a:78d47e0ff6212c55c6aa87c77cdff88b4de6b830
> !1334072743 /var/log/remote/large-file.log
>
> Also, the file size is wrong (1273172824 instead of 3021794472)
>
> Has anyone else noticed this?  Is there a workaround or a fix?
>
> Regards,
> Chris