Hi Fred,
Response inline.
On 9/22/06, Fred <[EMAIL PROTECTED]> wrote:
> Hello everybody,
> I have a question about syscheckd and rootcheckd.
> I have a server and about 14 agents. Each agent has syscheck and rootcheck
> directives configured. But as I'm not interested in checking the server, I put
> the following directives on the server:
If you don't want to check the server, just don't add any localfile entry or
any rootcheck entry. I don't know if adding /dev/null may cause any problem
since it is a char device.
> - when I start the server, I get the following error messages:
> 2006/09/22 06:47:52 ossec-rootcheck: No rootcheck_files file configured.
> 2006/09/22 06:47:52 ossec-rootcheck: No rootcheck_trojans file configured
> 2006/09/15 13:20:40 ossec-syscheckd: Started (pid: 7835).
> 2006/09/15 13:20:40 ossec-syscheckd: No directories to check
That's fine on the server. It means it is not doing anything locally. Can you
show us your full log messages (for the server and at least one agent)?
> - and above all, I never got any alerts about syscheck and rootcheck
> problems. Maybe OK for rootcheckd, but not for syscheckd.
Is there anything in your server's logs (/var/ossec/logs/ossec.log)? Can the
agents communicate with the server (is there anything under
/var/ossec/queue/agent-info)? What does /var/ossec/logs/alerts/alerts.log
contain?
By the way, which version are you using?
> ==> So, should I configure some directives on the server in order to receive
> alert e-mails from the agents?
You only need analysisd and remoted configured to receive events from the
agents. Logcollector, syscheckd and rootcheckd are not required.
> ==> 2nd question: when I put a directory in the syscheck rules, is the agent going
> to check this directory and its children (so, is this recursive)? Or should
> I list each directory?
It is recursive. So if you want to monitor the /etc directory, just give /etc
and it will monitor all subdirectories and files.
> Thanks very much!
> Fred
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
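Daniel's answer that a single /etc entry covers every file beneath it can be made concrete with a small recursive file-integrity walk. The block below is an added example written for this page, not OSSEC's syscheck code: it records (size, SHA-256) for every regular file under a root, re-walks the tree later and reports modified, added and deleted paths, including ones in a subdirectory that was never listed explicitly. The `demo` fixture (a constructed tree with a `passwd` file and a `sub/` directory), the file names and the choice of SHA-256 are this example's own assumptions; OSSEC's real checksum set, database format and alert output are not modelled.

```python
"""Recursive file-integrity baseline and compare (added example, not OSSEC code).

Shows what "give /etc and it will monitor all subdirectories and files" means:
one root is enough, every regular file below it is covered.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional, Tuple

# path relative to the monitored root -> (size in bytes, sha256 hex digest)
Baseline = Dict[str, Tuple[int, str]]


def _digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Baseline:
    """Walk root recursively and record every regular file.

    Symlinks are skipped and not followed, so a link planted inside the
    tree cannot drag an unrelated part of the filesystem into the baseline.
    """
    baseline: Baseline = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames.sort()  # deterministic order makes diffs of baselines stable
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (os.path.getsize(full), _digest(full))
    return baseline


def compare(old: Baseline, new: Baseline) -> Dict[str, List[str]]:
    """Report what changed between two baselines.

    A file whose size is unchanged but whose digest differs still counts as
    modified, which is why size alone is not a sufficient check.
    """
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
    }


def demo(root: Optional[str] = None) -> Dict[str, List[str]]:
    """Constructed fixture: baseline a small tree, then change files under
    the subdirectory only, and return what compare() detects."""
    if root is None:
        with tempfile.TemporaryDirectory() as tmp:
            return demo(tmp)
    sub = os.path.join(root, "sub")
    os.makedirs(sub, exist_ok=True)
    with open(os.path.join(root, "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")  # constructed content
    with open(os.path.join(sub, "a.conf"), "w") as f:
        f.write("a=1\n")
    with open(os.path.join(sub, "b.conf"), "w") as f:
        f.write("b=1\n")
    before = build_baseline(root)

    # Same-size edit (a=1 -> a=2), one new file, one removed file.
    with open(os.path.join(sub, "a.conf"), "w") as f:
        f.write("a=2\n")
    with open(os.path.join(sub, "c.conf"), "w") as f:
        f.write("c=1\n")
    os.remove(os.path.join(sub, "b.conf"))

    return compare(before, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Nothing under `sub/` was named when the baseline was built, yet all three changes there are reported, which is the behaviour Daniel describes for a single /etc entry. The same-size rewrite of `a.conf` is caught only because the digest is compared, not just the size.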