Ok, I have found where the problem is: my laptop mounts a remote NFS share that contains 20 ISO images using 75GB of data ... when syscheck starts, it checks everything in this NFS share. I have included it in the ignore section and now all works as expected ...
Sorry for the noise ...

carlopmart wrote:
>
> Oops sorry Daniel, but in my ossec.conf file I have excluded vmguests
> directories:
>
> <syscheck>
>   <!-- Frequency that syscheck is executed - default to every 6 hours -->
>   <frequency>21600</frequency>
>
>   <!-- Directories to check (perform all possible verifications) -->
>   <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>   <directories check_all="yes">/bin,/sbin,/data/software</directories>
>
>   <!-- Files/directories to ignore -->
>   <ignore>/etc/mtab</ignore>
>   <ignore>/etc/hosts.deny</ignore>
>   <ignore>/etc/adjtime</ignore>
>   <ignore>/etc/httpd/logs</ignore>
>   <ignore>/var/log/wtmp</ignore>
>   <ignore>/etc/cups/ssl</ignore>
>   <ignore>/etc/dumpdates</ignore>
>   <ignore>/etc/blkid/blkid.tab</ignore>
>   <ignore>/etc/aliases.db</ignore>
>   <ignore>/etc/prelink.cache</ignore>
>   <ignore>/data/vmguests</ignore>
>
>   <alert_new_files>yes</alert_new_files>
>   <auto_ignore>no</auto_ignore>
>
> </syscheck>
>
>
> carlopmart wrote:
>>
>> Hi Daniel,
>>
>> Yes I have 3 vm guests under vmware workstation 6.5:
>>
>> 16K     ./lost+found
>> 32G     ./el5updates
>> 2.7G    ./centos5
>> 8.3G    ./win2k8
>> 43G
>>
>> But this VMs exists when I have installed version 1.5 without
>> problems ... Do you want that I open a bug report??? Or maybe this the
>> only real problem?? I can test putting VMs directories out of
>> syscheckd config ...
>>
>>
>> Daniel Cid wrote:
>>> Hi,
>>>
>>> Do you have large VMs running on this box? The only reason I can think
>>> is that you have very large files that take a while to generate the
>>> md5/sha1 checksum. Anyone else seeing this behavior?
>>>
>>> *btw, can you provide more information to us? (
>>> http://www.ossec.net/wiki/index.php/Community_manual:BugReport )
>>>
>>> Thanks,
>>>
>>> --
>>> Daniel B. Cid
>>> dcid ( at ) ossec.net
>>>
>>>
>>>
>>> On Fri, Jun 27, 2008 at 11:37 AM, carlopmart <[EMAIL PROTECTED]>
>>> wrote:
>>>> Please any hints about this??
>>>>
>>>> carlopmart wrote:
>
>

--
CL Martinez
carlopmart {at} gmail {d0t} com
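
An added example, not part of the original thread and not OSSEC code: a check for the situation described in the top message, where a network mount sits under a syscheck <directories> entry without a matching <ignore>. The mount table, the server name and the /data/software/isos mount point are constructed, and an <ignore> entry is assumed to cover everything below its path.

```python
import xml.etree.ElementTree as ET

NETWORK_FS = {"nfs", "nfs4", "cifs", "smbfs", "fuse.sshfs"}

# <syscheck> block as quoted in the thread (abridged).
OSSEC_SYSCHECK = """
<syscheck>
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin,/data/software</directories>
  <ignore>/etc/mtab</ignore>
  <ignore>/data/vmguests</ignore>
</syscheck>
"""

# Constructed /proc/mounts sample; server and NFS mount point are hypothetical.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
/dev/sdb1 /data/vmguests ext3 rw 0 0
filer.example:/export/isos /data/software/isos nfs rw,hard,intr 0 0
"""

def under(path, parent):
    """True if path equals parent or lies below it, compared per component."""
    path, parent = path.rstrip("/") or "/", parent.rstrip("/") or "/"
    return path == parent or parent == "/" or path.startswith(parent + "/")

def parse_syscheck(xml_text):
    """Return (monitored directories, ignore paths) from a <syscheck> block."""
    root = ET.fromstring(xml_text)
    dirs = [d.strip() for e in root.iter("directories")
            for d in (e.text or "").split(",") if d.strip()]
    ignores = [e.text.strip() for e in root.iter("ignore") if e.text and e.text.strip()]
    return dirs, ignores

def network_mounts(mounts_text):
    """(mount point, fstype) for network filesystems in /proc/mounts-style text."""
    rows = (line.split() for line in mounts_text.splitlines())
    return [(f[1], f[2]) for f in rows if len(f) >= 3 and f[2] in NETWORK_FS]

def unignored_network_mounts(xml_text, mounts_text):
    """Network mounts that syscheck would walk and hash with this config."""
    dirs, ignores = parse_syscheck(xml_text)
    hits = []
    for mnt, fstype in network_mounts(mounts_text):
        # Part of the scan that lands on the mount: the deeper of the two paths.
        exposed = [mnt if under(mnt, d) else d
                   for d in dirs if under(mnt, d) or under(d, mnt)]
        # Assumption: an <ignore> path covers everything below it.
        if any(not any(under(p, i) for i in ignores) for p in exposed):
            hits.append((mnt, fstype))
    return hits
```

On a live host, pass the contents of /proc/mounts and the agent's own <syscheck> block instead of the embedded samples.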
