On Thu, Aug 12, 2010 at 9:12 AM, ItsMikeE <[email protected]> wrote:
> I am running OSSEC version 2.4.1 on RHEL installed in the default /var/ossec directory
>
> In my ossec.conf and agent.conf files I am monitoring ossec itself
> <directories check_all="yes">/var/ossec/bin</directories>
> <directories check_all="yes">/var/ossec/etc</directories>
> <directories check_perm="yes" check_owner="yes" check_group="yes">/var/ossec</directories>
>
> For both the server and the agents I am getting integrity checksum alerts such that various files are having their size changed to 0, and then subsequently back.
>
> This not only happens on files I might expect to change (such as /var/ossec/etc/shared/agent.conf) on an agent, but others I would not expect to change such as /var/ossec/bin/ossec-syscheckd on both the master and on agents.
>
> Obviously I want to be informed if these files have changed, but in most cases they are changing from an initial size, down to zero and then back to the initial size, producing 2 alerts for no actual change.
>
> Can anyone suggest why this is happening and if there is a workaround?
I'm monitoring my ossec directories (/var/ossec/bin,/var/ossec/etc,/var/ossec/rules) and am not seeing this problem. Any interesting entries in ossec.log? Maybe try running syscheck in debug (ossec-syscheckd -d) mode.
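While the debug run is collected, the alert pairs described above (size drops to 0, next alert restores the original size) can be separated from genuine modifications straight from alerts.log. The script below is an added example written for this thread, not code from OSSEC or from either poster. It assumes the OSSEC 2.x syscheck alert layout (rule 550, a `Size changed from 'X' to 'Y'` line and `Old md5sum was`/`New md5sum is` lines); the sample alerts embedded in it are constructed, and the regexes may need adjusting if your log wording differs.

```python
import re

# Constructed sample in the OSSEC 2.x alerts.log layout for syscheck
# alerts. Paths, sizes, hashes and timestamps are made up for illustration.
SAMPLE_ALERTS = """\
** Alert 1281617520.10001: - ossec,syscheck,
2010 Aug 12 09:12:00 (web01) 192.0.2.10->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/var/ossec/bin/ossec-syscheckd'
Size changed from '178432' to '0'
Old md5sum was: 'aaaa'
New md5sum is : 'bbbb'

** Alert 1281617580.10002: - ossec,syscheck,
2010 Aug 12 09:13:00 (web01) 192.0.2.10->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/var/ossec/bin/ossec-syscheckd'
Size changed from '0' to '178432'
Old md5sum was: 'bbbb'
New md5sum is : 'aaaa'

** Alert 1281617640.10003: - ossec,syscheck,
2010 Aug 12 09:14:00 (web01) 192.0.2.10->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/var/ossec/etc/shared/agent.conf'
Size changed from '2048' to '0'
Old md5sum was: 'cccc'
New md5sum is : 'dddd'

** Alert 1281617700.10004: - ossec,syscheck,
2010 Aug 12 09:15:00 (web01) 192.0.2.10->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/var/ossec/etc/shared/agent.conf'
Size changed from '0' to '2311'
Old md5sum was: 'dddd'
New md5sum is : 'eeee'
"""

# Assumed alert wording (from the OSSEC 2.x syscheck alert format).
ALERT_RE = re.compile(r"^\*\* Alert ", re.M)
PATH_RE = re.compile(r"Integrity checksum changed for: '([^']+)'")
SIZE_RE = re.compile(r"Size changed from '(\d+)' to '(\d+)'")
OLD_MD5_RE = re.compile(r"Old md5sum was: '([^']*)'")
NEW_MD5_RE = re.compile(r"New md5sum is\s*: '([^']*)'")


def parse_alerts(text):
    """Return one dict per syscheck size-change alert, in log order."""
    events = []
    for block in ALERT_RE.split(text):
        path, size = PATH_RE.search(block), SIZE_RE.search(block)
        if not path or not size:
            continue  # not a syscheck alert carrying a size change
        old_md5, new_md5 = OLD_MD5_RE.search(block), NEW_MD5_RE.search(block)
        events.append({
            "path": path.group(1),
            "old_size": int(size.group(1)),
            "new_size": int(size.group(2)),
            "old_md5": old_md5.group(1) if old_md5 else None,
            "new_md5": new_md5.group(1) if new_md5 else None,
        })
    return events


def triage(text):
    """Split alerts into transient zero-size bounces and real changes.

    A bounce is two consecutive alerts for the same path where the size
    drops to 0 and the next alert restores both the original size and the
    original md5. A drop that is never restored, or restored to a
    different size or hash, is a real change and must stay an alert.
    """
    pending = {}   # path -> the alert that dropped the file to size 0
    transient, real = set(), set()
    for ev in parse_alerts(text):
        path = ev["path"]
        if ev["new_size"] == 0:
            if path in pending:
                real.add(path)  # two drops in a row: not a clean bounce
            pending[path] = ev
            continue
        drop = pending.pop(path, None)
        if (drop and ev["old_size"] == 0
                and ev["new_size"] == drop["old_size"]
                and ev["new_md5"] == drop["old_md5"]):
            transient.add(path)
        else:
            real.add(path)
    real.update(pending)  # drops with no restore seen yet
    return {"transient": sorted(transient), "real": sorted(real)}


if __name__ == "__main__":
    for kind, paths in triage(SAMPLE_ALERTS).items():
        print(kind, *paths, sep="\n  ")
```

Run it against the real file with `triage(open('/var/ossec/logs/alerts/alerts.log').read())`; anything listed under `real` still deserves a look, since a file that genuinely changed while the checker was mid-rewrite would show the same zero-size step but come back with a different hash.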
