Hello everybody,

I have a question about syscheckd and rootcheckd. I have a server and about 14 agents. Each agent has syscheck and rootcheck directives configured. But as I'm not interested in checking the server, I put the following directives on the server:
_____________________________________
<localfile>
<log_format>syslog</log_format>
<location>/dev/null</location>
</localfile>
...and nothing for rootcheck.
_____________________________________
Results are:

- when I start the server, I get the following error messages:

2006/09/22 06:47:52 ossec-rootcheck: No rootcheck_files file configured.
2006/09/22 06:47:52 ossec-rootcheck: No rootcheck_trojans file configured
2006/09/22 06:47:52 ossec-rootcheck: No rootcheck_trojans file configured
2006/09/15 13:20:40 ossec-syscheckd: Started (pid: 7835).
2006/09/15 13:20:40 ossec-syscheckd: No directories to check
2006/09/15 13:20:40 ossec-syscheckd: No directories to check

- and above all, I never got any alerts about syscheck and rootcheck problems. Maybe ok for rootcheckd, but not for syscheckd.
==>
So, should I configure some directives on the server in order to receive alert emails from the agents?
==>
2nd question: when I put a directory in the syscheck rules, is the agent going to check this directory and its children (so, is this recursive)? Or should I put each directory?
Thanks very much!
Fred
