Dear Mailing List

We have been running OSSEC 1.5 in the production environment for the last year. We are
facing a critical problem with the integrity checks.
The agent has been tweaked to execute the integrity check every 3 minutes
(it is not monitoring the entire system, only some critical files and
folders). When checking the status of the logs in /var/ossec/queue/syscheck (on
the server end), the listing suggests the files are not being updated despite
changes. When I view the database, the entries show the older size.
The snapshot from the server end is below (I am also unable to understand the different
permissions on these files):

-rwxr----- 1 ossec ossec  597467 Mar 12 13:40 (****xxxx) *.*.*.28->syscheck
-rwxr----- 1 ossec ossec 2313687 Mar 18 23:40 (***xxxx) *.*.*.28->syscheck-registry
-rwxr----- 1 ossec ossec  401182 Mar 28 17:48 (***s***) *.*.*.30->syscheck
-rwxr----- 1 ossec ossec 1684296 Mar 27 22:16 (*******) *.*.*.30->syscheck-registry
-rw-r----- 1 ossec ossec  157207 Jan 22 21:22 (****HTTP01) *.*.*.6->syscheck
-rw-r----- 1 ossec ossec    425* Mar 20 16:24 (****HTTP02) *.*.*.7->syscheck
-rw-r----- 1 ossec ossec  118388 Mar 20 16:36 (****HTTP03) *.*.*.8->syscheck
-rw-r----- 1 ossec ossec  118641 Jan 22 22:19 (****HTTP04) *.*.*.9->syscheck

The client configuration is:

<ossec_config>
  <client>
    <server-ip>x.x.x.x</server-ip>
  </client>

  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 6 hours -->
    <frequency>900</frequency>

    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes">/etc/shadow,/etc/passwd,/etc/group,/etc/hosts,/opt/IBMIHS/conf/httpd.conf,/opt/IBMIHS/htdocs/en_US/XYSITE/images/common,/opt/IBMIHS/htdocs/en_US/XYSITE/index.html,/etc/gshadow</directories>
    <!--directories check_all="yes">/bin,/sbin</directories -->
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
  </rootcheck>

  <active-response>
    <disabled>yes</disabled>
  </active-response>

  <!-- Files to monitor (localfiles) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/opt/IBMIHS/logs/error_log</location>
  </localfile>
</ossec_config>

I have checked the status through agent_control and it reports that
syscheck is executing normally at the designated interval. I am unable to
understand the discrepancy.
I would be very grateful for your kind help!

Regards
Gagan
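An added example, not part of Gagan's message or of OSSEC's own code: a small Python script that reads the <directories> list out of an agent ossec.conf like the one posted above, fingerprints the monitored files the way check_all="yes" does (size, permissions, owner, group, MD5, SHA1), and flags any file whose live size differs from the size copied out of the server's queue/syscheck entry. The config path and the server-side size dictionary are assumed inputs supplied by whoever runs it on the agent.

```python
import hashlib
import os
import xml.etree.ElementTree as ET


def monitored_paths(conf_path):
    """Return every path listed in <syscheck><directories> elements (comma separated)."""
    root = ET.parse(conf_path).getroot()
    paths = []
    for node in root.iterfind("./syscheck/directories"):
        paths.extend(p.strip() for p in (node.text or "").split(",") if p.strip())
    return paths


def fingerprint(path):
    """Attributes that check_all="yes" records for a file: size, mode, uid, gid, md5, sha1."""
    st = os.stat(path)
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"size": st.st_size, "perm": oct(st.st_mode & 0o7777), "uid": st.st_uid,
            "gid": st.st_gid, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def live_inventory(conf_path):
    """Fingerprint each monitored file on the agent; directories are walked recursively.

    Paths that do not exist are returned separately: a missing path can never
    produce a syscheck entry, so it is the first thing to rule out.
    """
    found, missing = {}, []
    for path in monitored_paths(conf_path):
        if os.path.isdir(path):
            for base, _dirs, files in os.walk(path):
                for name in files:
                    full = os.path.join(base, name)
                    found[full] = fingerprint(full)
        elif os.path.isfile(path):
            found[path] = fingerprint(path)
        else:
            missing.append(path)
    return found, missing


def size_mismatches(inventory, server_sizes):
    """server_sizes maps path -> size read from the server's queue/syscheck entry.
    Returns {path: (server_size, live_size)} for every entry that disagrees."""
    return {p: (server_sizes[p], info["size"]) for p, info in inventory.items()
            if p in server_sizes and server_sizes[p] != info["size"]}
```

Run it on the agent and feed in the sizes from the server-side entries; any mismatch it reports is a file the agent changed but the server database never picked up.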
