Hello, I couldn't find anything in the mailing list about this, nor did I see anything within the wiki or documentation, but I do apologize if this is a question which has been answered previously.
I'm wondering what the proper procedure is from an admin point of view upon a notification of a changed file on a monitored system. If the file change is known and okay, is the procedure to Update (clear) the database for the agent?

It's nice having the output of syscheck_control show a quick history of changes for a given agent; that list would zero upon an update (clear). If I update the database for an agent, is there a quick (command-line) method to view a history of changes for that agent, or would it require parsing the logs through ossec-reportd?

Lastly, and this may be a useless question, but is it possible to update the database signature for a single file while not updating other changed files on an agent? I could see the argument being that signatures shouldn't be updated unless all changes are known to be good.

Thanks,
Ross.