This is not just happening on files under /var/ossec. I am getting alerts on various files which go from size xyz to 0, then a second alert as they go from 0 to xyz.
On Aug 12, 2:12 pm, ItsMikeE <[email protected]> wrote:
> I am running OSSEC version 2.4.1 on RHEL installed in the default
> /var/ossec directory
>
> In my ossec.conf and agent.conf files I am monitoring ossec itself
> <directories check_all="yes">/var/ossec/bin</directories>
> <directories check_all="yes">/var/ossec/etc</directories>
> <directories check_perm="yes" check_owner="yes" check_group="yes">/var/ossec</directories>
>
> For both the server and the agents I am getting integrity checksum
> alerts such that various files are having their size changed to 0, and
> then subsequently back.
>
> This not only happens on files I might expect to change (such as
> /var/ossec/etc/shared/agent.conf) on an agent, but others I would not
> expect to change such as /var/ossec/bin/ossec-syscheckd on both the
> master and on agents.
>
> Obviously I want to be informed if these files have changed, but in
> most cases they are changing from an initial size, down to zero and
> then back to the initial size, producing 2 alerts for no actual
> change.
>
> Can anyone suggest why this is happening and if there is a
> workaround?
