I was able to narrow this down to a specific agent, but couldn't find a root cause. The workaround for me was to re-add the agent with a new agent name on the ossec server. After doing so, new file alerts started working. Let me know if there is any additional testing I can do in order to determine if this is a new bug.

Aaron

On Tue, May 3, 2011 at 1:53 PM, dan (ddp) <[email protected]> wrote:
> I'll have to try and reproduce this. I don't remember having trouble
> with it in the past, but I haven't tested recently.
>
> On Fri, Apr 29, 2011 at 4:08 PM, Aaron Bliss <[email protected]> wrote:
>> Thanks for the follow-up. Yes, the file is in the agents database on
>> the manager.
>>
>> Aaron
>>
>> On Fri, Apr 29, 2011 at 4:00 PM, dan (ddp) <[email protected]> wrote:
>>> Check to see if the file is listed in the syscheck database for that agent.
>>> /var/ossec/queue/syscheck/something->something on the manager
>>>
>>> No idea why this doesn't work for you though.
>>>
>>> On Fri, Apr 29, 2011 at 11:56 AM, Aaron Bliss <[email protected]> wrote:
>>>> Hi all,
>>>> I've enabled the syscheck option to look for new files as documented here:
>>>>
>>>> http://www.ossec.net/wiki/Know_How:Syscheck
>>>>
>>>> New files are detected and alerted upon on the ossec server, but don't
>>>> seem to be on agents. I've verified that the clients are monitoring
>>>> the directories that I'm placing test files into by confirming that
>>>> the directory is listed when checking the ossec.log on the client, as
>>>> well as by receiving alerts on changed files in the directory that I'm
>>>> testing (in this case, /etc). Both the agent and server are redhat 5
>>>> boxes, both are running v2.5.1 of ossec. I've also ensured that
>>>> syscheck has run on the client since creating the test files. Any
>>>> ideas on how to further troubleshoot this? Thanks.
>>>>
>>>> Aaron
