Have a 2.2 server and client set up on CentOS 5.3.  Have made
modifications for new file alerts, but something seems wrong.

Created a new file, and received an alert for the new file:

Received From: (db02) 192.168.1.30->syscheck
Rule: 554 fired (level 7) -> "File added to the system."

But the file does not show up in a syscheck_control run for the agent:

# /var/ossec/bin/syscheck_control -i 001

Integrity changes for agent 'db02 (001) - 192.168.1.30':

Changes for 2009 Oct 20:
2009 Oct 20 16:48:48,0 - /etc/httpd/conf.d/foo.conf
2009 Oct 20 16:58:21,0 - /etc/httpd/conf.d/foo.conf
2009 Oct 20 17:08:05,2 - /etc/httpd/conf.d/foo.conf
2009 Oct 20 17:31:05,3 - /etc/httpd/conf.d/foo.conf

Changes for 2009 Oct 21:
2009 Oct 21 09:45:17,0 - /etc/resolv.conf
2009 Oct 21 11:58:12,0 - /etc/resolv.conf


But it /does/ show up if I do a database dump on the agent from the WUI.

Am I using syscheck_control wrong, or is there some reason a new file
shouldn't show up there?
-Alan
