It does show in the database dump, like I mentioned. But it really should show in syscheck_control as well -- after all, someone did /modify/ my system. -Alan
ddp wrote:
> Not if that's for modified only. ;)
> Another flag or command to dump the db for that agent may be useful.
>
> Try creating a file and checking for it in
> /var/ossec/queue/syscheck/(NAME) IP_ADDRESS->syscheck
> I think that's the db for syscheck. I meant to look at the wui to see
> how it parsed those files, but I haven't gotten around to it yet.
>
> On Thu, Oct 22, 2009 at 4:48 PM, Alan Sparks <[email protected]> wrote:
>
>> After modification, yes, it does show up in the syscheck_control
>> output. Unfortunately, that would presume the creator did me a favor
>> and modified it afterward :-)
>> Shouldn't new files show up in the listing?
>> -Alan
>>
>> ddp wrote:
>>
>>> It looks like the -i option for syscheck_control only prints out modified
>>> files.
>>> If you modify the file and do a new syscheck scan (or let inotify pick
>>> it up), does
>>> the file show up using syscheck_control?
>>>
>>> On Wed, Oct 21, 2009 at 4:31 PM, Alan Sparks <[email protected]>
>>> wrote:
>>>
>>>> Have a 2.2 server and client set up on CentOS 5.3. Have made
>>>> modifications for new file alerts, but something seems wrong.
>>>>
>>>> Created a new file, and received an alert for the new file:
>>>>
>>>> Received From: (db02) 192.168.1.30->syscheck
>>>> Rule: 554 fired (level 7) -> "File added to the system."
>>>>
>>>> But the file does not show up in a syscheck_control run for the agent:
>>>>
>>>> # /var/ossec/bin/syscheck_control -i 001
>>>>
>>>> Integrity changes for agent 'db02 (001) - 192.168.1.30':
>>>>
>>>> Changes for 2009 Oct 20:
>>>> 2009 Oct 20 16:48:48,0 - /etc/httpd/conf.d/foo.conf
>>>> 2009 Oct 20 16:58:21,0 - /etc/httpd/conf.d/foo.conf
>>>> 2009 Oct 20 17:08:05,2 - /etc/httpd/conf.d/foo.conf
>>>> 2009 Oct 20 17:31:05,3 - /etc/httpd/conf.d/foo.conf
>>>>
>>>> Changes for 2009 Oct 21:
>>>> 2009 Oct 21 09:45:17,0 - /etc/resolv.conf
>>>> 2009 Oct 21 11:58:12,0 - /etc/resolv.conf
>>>>
>>>> But it /does/ show up if I do a database dump on the agent from the WUI.
>>>>
>>>> Am I using syscheck_control wrong, is there some reason a new file
>>>> shouldn't show up there?
>>>> -Alan
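A way to do what ddp suggests by hand (check the agent's syscheck db for a file) and at the same time answer Alan's question (which files does the db know about that syscheck_control -i never lists), as an added example that is not part of the thread and not OSSEC's own code. It assumes, without confirmation from the thread, that every non-comment line of the queue db file ends with the monitored path as its last whitespace-separated field, and that a saved `syscheck_control -i` report has change lines shaped like the ones Alan pasted (`2009 Oct 20 16:48:48,0 - /path`). The sample db and report below are constructed so the script runs offline; the db line layout is an approximation, only the trailing path is relied on. Paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example, not from the thread or from OSSEC: compare the paths an agent's
# syscheck db knows about with the paths 'syscheck_control -i' reports, to surface
# files that were added but never modified.
#
# Assumptions (mine, not confirmed by the thread):
#  - each non-comment db line ends with the monitored path as its last
#    whitespace-separated field (paths with spaces are not handled);
#  - each change line of a saved syscheck_control report looks like
#    "2009 Oct 20 16:48:48,0 - /path".

# db_paths DBFILE: unique monitored paths recorded in a syscheck db file.
db_paths() {
    grep -v '^#' "$1" | awk 'NF { print $NF }' | sort -u
}

# report_paths REPORTFILE: unique paths named in a saved 'syscheck_control -i' report.
report_paths() {
    sed -n 's/^[0-9]\{4\} [A-Za-z]\{3\} [0-9]\{1,2\} [0-9:]\{8\},[0-9]* - //p' "$1" | sort -u
}

# db_only_paths DBFILE REPORTFILE: paths present in the db but absent from the report.
# Both inputs are sorted by the helpers above, as comm(1) requires.
db_only_paths() {
    _db=$(mktemp); _rep=$(mktemp)
    db_paths "$1" > "$_db"
    report_paths "$2" > "$_rep"
    comm -23 "$_db" "$_rep"
    rm -f "$_db" "$_rep"
}

# Constructed sample inputs (not real OSSEC data): three files known to the db,
# two of which appear in the report.
SAMPLE_DB=$(mktemp)
cat > "$SAMPLE_DB" <<'EOF'
# constructed sample db for agent db02: size:perm:uid:gid:md5:sha1 !epoch path
312:33188:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 !1256077728 /etc/httpd/conf.d/foo.conf
58:33188:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 !1256139917 /etc/resolv.conf
0:33188:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 !1256225292 /etc/httpd/conf.d/newfile.conf
EOF

SAMPLE_REPORT=$(mktemp)
cat > "$SAMPLE_REPORT" <<'EOF'
Integrity changes for agent 'db02 (001) - 192.168.1.30':

Changes for 2009 Oct 20:
2009 Oct 20 16:48:48,0 - /etc/httpd/conf.d/foo.conf
2009 Oct 20 17:31:05,3 - /etc/httpd/conf.d/foo.conf

Changes for 2009 Oct 21:
2009 Oct 21 09:45:17,0 - /etc/resolv.conf
EOF

# Against a live server the two inputs would be the agent's queue db file and
# the saved output of: /var/ossec/bin/syscheck_control -i 001 > /tmp/report.txt
echo "In syscheck db but never listed by syscheck_control -i:"
db_only_paths "$SAMPLE_DB" "$SAMPLE_REPORT"
```

On a real server the db file name contains a space and `->` (e.g. `'/var/ossec/queue/syscheck/(db02) 192.168.1.30->syscheck'`), so quote it when passing it as the first argument.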
