Hi David,

Thanks for tracking this down. By default we ignore /proc to avoid
this kind of problem, but we don't check for it in other places on
the system. It would be nice to have this information in the wiki if
you (or anyone else) can post it there. I will also look in the code
to see if we can change anything to avoid it (maybe by looking at the
proc filesystem or something like that)...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/17/07, David Williams <[EMAIL PROTECTED]> wrote:
>
>         Adding an absurd amount of verbose() calls I tracked down my
> problem:  I was trying to verify integrity of named files in my
> Fedora named chroot jail.  read_dir() in create_db.c never finished
> in the /var/named/chroot/proc directory.
>         So if anyone else running named chrooted in /var/named/chroot adds
> <directories check_all="yes">/var/named</directories> to ossec.conf,
> you probably want to add a corresponding
> <ignore>/var/named/chroot/proc</ignore>.  I imagine this would be a
> problem for other chrooted software; however, once I tracked down
> where the problem was and added the ignore line, I stopped
> troubleshooting.  It's not clear to me exactly why it was unhappy,
> but it is clear that checking the integrity of things in /proc does
> not make much sense -- those are too ephemeral.
>         -David
>
> David Williams wrote:
> > Hi,
> >       I have a small OSSEC installation and one of my agents won't check
> > on more than one file.  I've let it run for a while (a day or more).
> >  I'm getting alerts about logs so the communication between client
> > and server is OK, and I see the syscheck file grow but only by one
> > or two files for every restart of the agent.  syscheck is running
> > (status and top both report it working fine).
> >       Are there any troubleshooting tips I should try or do I just
> > recreate the agent and see if that fixes it?
> >       Thanks for any pointers,
> >       -David
>
> - --
> _______________________________________________
> GPG (http://www.gnupg.org/) key available from:
> http://www.kayakero.net/per/david/
>
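
The check suggested in the reply above (looking at the proc filesystem) can be approximated outside OSSEC. The following is an added example, not code from OSSEC or from either poster: it reads mount data in /proc/mounts format and lists pseudo-filesystem mount points that sit inside monitored directories without a covering `<ignore>` entry. The function names, the PSEUDO_FS set and the sample mount table are assumptions made for the illustration.

```python
import re
from xml.sax.saxutils import escape

# Kernel-generated filesystem types that syscheck should not walk
# (assumption: illustrative set, extend it for your systems).
PSEUDO_FS = {"proc", "sysfs", "devpts", "devtmpfs"}

def _unescape(path):
    # /proc/mounts encodes space, tab, newline and backslash as \ooo octal.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)

def _is_under(path, parent):
    # Compare whole components so /var/named-old is not "under" /var/named.
    return (path.rstrip("/") + "/").startswith(parent.rstrip("/") + "/")

def suggest_ignores(mounts_text, monitored, ignored=()):
    """Return pseudo-filesystem mount points inside monitored directories
    that are not already covered by an <ignore> entry."""
    found = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # not a "device mountpoint fstype ..." line
        mount_point, fstype = _unescape(fields[1]), fields[2]
        if fstype not in PSEUDO_FS or mount_point in found:
            continue
        if not any(_is_under(mount_point, d) for d in monitored):
            continue
        if any(_is_under(mount_point, i) for i in ignored):
            continue
        found.append(mount_point)
    return found

def as_ossec_xml(paths):
    # Render the findings as ossec.conf <ignore> lines.
    return "\n".join("<ignore>%s</ignore>" % escape(p) for p in paths)

# Constructed sample in /proc/mounts format (not taken from the thread).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0
proc /var/named/chroot/proc proc rw 0 0
/dev/sda2 /var/named/chroot/var/named ext3 rw 0 0
"""

if __name__ == "__main__":
    # On a live host, pass open("/proc/mounts").read() instead of the sample.
    print(as_ossec_xml(suggest_ignores(SAMPLE_MOUNTS, ["/var/named"], ["/proc"])))
```

Run it with the `<directories>` and `<ignore>` values from the agent's ossec.conf; any path it prints is a candidate for a new `<ignore>` line.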
