Hi Gagan, Have you tried updating it to the latest version? We fixed some issues and also added the option to run integrity checks immediately with the agent_control tool, which can help you test this.
Btw, the /var/ossec/queue/syscheck file is not a log, but a database with all the entries. So, even if you run the syscheck scan it will only be updated if there is any change.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Tue, Mar 31, 2009 at 5:04 AM, Gagan bhatia <[email protected]> wrote:
> Dear Mailing List
>
> We are running Ossec 1.5 in the production env. for the last year. We are
> facing some critical problems in the integrity checks.
> The agent has been tweaked to execute the integrity check every 3 minutes
> (it is not monitoring the entire system, only some critical files and
> folders). While checking the status of the logs in /var/ossec/queue/syscheck (on
> the server end) the status suggests the files are not updated despite
> changes. When I view the database the entries are of the older size.
> The snapshot from the server end is (I am also unable to understand the different
> permissions for these files):
>
> -rwxr----- 1 ossec ossec  597467 Mar 12 13:40 (****xxxx) *.*.*.28->syscheck
> -rwxr----- 1 ossec ossec 2313687 Mar 18 23:40 (***xxxx) *.*.*.28->syscheck-registry
> -rwxr----- 1 ossec ossec  401182 Mar 28 17:48 (***s***) *.*.*.30->syscheck
> -rwxr----- 1 ossec ossec 1684296 Mar 27 22:16 (*******) *.*.*.30->syscheck-registry
> -rw-r----- 1 ossec ossec  157207 Jan 22 21:22 (****HTTP01) *.*.*.6->syscheck
> -rw-r----- 1 ossec ossec    425* Mar 20 16:24 (****HTTP02) *.*.*.7->syscheck
> -rw-r----- 1 ossec ossec  118388 Mar 20 16:36 (****HTTP03) *.*.*.8->syscheck
> -rw-r----- 1 ossec ossec  118641 Jan 22 22:19 (****HTTP04) *.*.*.9->syscheck
>
> The client configuration is:
>
> <ossec_config>
>   <client>
>     <server-ip>x.x.x.x</server-ip>
>   </client>
>
>   <syscheck>
>     <!-- Frequency that syscheck is executed - default to every 6 hours -->
>     <frequency>900</frequency>
>
>     <!-- Directories to check (perform all possible verifications) -->
>     <directories check_all="yes">/etc/shadow,/etc/passwd,/etc/group,/etc/hosts,/opt/IBMIHS/conf/httpd.conf,/opt/IBMIHS/htdocs/en_US/XYSITE/images/common,/opt/IBMIHS/htdocs/en_US/XYSITE/index.html,/etc/gshadow</directories>
>     <!--directories check_all="yes">/bin,/sbin</directories -->
>   </syscheck>
>
>   <rootcheck>
>     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>     <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
>   </rootcheck>
>
>   <active-response>
>     <disabled>yes</disabled>
>   </active-response>
>
>   <!-- Files to monitor (localfiles) -->
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/messages</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/secure</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/maillog</location>
>   </localfile>
>
>   <localfile>
>     <log_format>apache</log_format>
>     <location>/opt/IBMIHS/logs/error_log</location>
>   </localfile>
> </ossec_config>
>
> I have checked the status through agent_control and it is suggesting that
> syscheck is executing normally at the designated interval. I am unable to
> understand the discrepancy.
> Requesting your very kind help!!
>
> Regards
> Gagan
>
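As an added illustration of the point about the syscheck database (example code written for this thread, not OSSEC's own): it parses the <directories> list out of an ossec_config fragment, hashes each listed file, and rewrites a baseline entry only when the digest differs, so a scan over an unchanged tree leaves the baseline untouched. The config fragment, file names and file contents are constructed and resolved under a temporary directory.

```python
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed config fragment (assumed relative paths, resolved under a temp dir).
CONFIG = """<ossec_config><syscheck><frequency>900</frequency>
<directories check_all="yes">etc/passwd,etc/hosts</directories>
</syscheck></ossec_config>"""


def monitored_paths(config_xml):
    """Return the comma-separated paths of every <directories> element."""
    root = ET.fromstring(config_xml)
    paths = []
    for node in root.iter("directories"):
        paths.extend(p.strip() for p in node.text.split(",") if p.strip())
    return paths


def file_digest(path):
    """sha1 of the file contents, or None if the path is not a regular file."""
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as f:
        return hashlib.sha1(f.read()).hexdigest()


def scan(base_dir, paths, baseline):
    """Hash each path; write to the baseline only where the digest differs."""
    changed = []  # paths whose baseline entry was (re)written this scan
    for rel in paths:
        digest = file_digest(os.path.join(base_dir, rel))
        if baseline.get(rel) != digest:
            baseline[rel] = digest
            changed.append(rel)
    return changed


def demo():
    """Three scans on constructed files: seed, no-op, then one modification."""
    tmp = tempfile.mkdtemp()
    os.makedirs(os.path.join(tmp, "etc"))
    for name in ("passwd", "hosts"):
        with open(os.path.join(tmp, "etc", name), "w") as f:
            f.write(name + "\n")
    baseline, paths = {}, monitored_paths(CONFIG)
    first = scan(tmp, paths, baseline)   # every entry is new
    second = scan(tmp, paths, baseline)  # nothing changed: baseline untouched
    with open(os.path.join(tmp, "etc", "hosts"), "a") as f:
        f.write("constructed modification\n")
    third = scan(tmp, paths, baseline)   # only hosts is rewritten
    return first, second, third
```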
