I'll have to try and reproduce this. I don't remember having trouble with it in the past, but I haven't tested recently.
On Fri, Apr 29, 2011 at 4:08 PM, Aaron Bliss <[email protected]> wrote: > Thanks for the follow up. Yes, the file is in the agents database on > the manager. > > Aaron > > On Fri, Apr 29, 2011 at 4:00 PM, dan (ddp) <[email protected]> wrote: >> Check to see if the file is listed in the syscheck database for that agent. >> /var/ossec/queue/syscheck/something->something on the manager >> >> No idea why this doesn't work for you though. >> >> On Fri, Apr 29, 2011 at 11:56 AM, Aaron Bliss <[email protected]> wrote: >>> Hi all, >>> I've enabled the syscheck option to look for new files as documented here: >>> >>> http://www.ossec.net/wiki/Know_How:Syscheck >>> >>> New files are detected and alerted upon on the ossec server, but don't >>> seem to be on agents. I've verified that the clients are monitoring >>> the directories that I'm placing test files into by confirming that >>> the directory is listed when checking the ossec.log on the client, as >>> well as by receiving alerts on changed files in the directory that I'm >>> testing (in this case, /etc). Both the agent and server are redhat 5 >>> boxes, both are running v2.5.1 of ossec. I've also ensured that >>> syscheck has ran on the client since creating the test files. Any >>> ideas on how to further troubleshoot this? Thanks. >>> >>> Aaron >>> >> >
