Dan, Thank you for replying. No, the agent has been connected for the past 2 weeks and I've been letting them run. I wanted to validate the alerts that were coming over and I found that when I went to that server, the dates of these files went back quite a while ago. The agent tells us that the file was modified the day it alerted us, however, the date the file was created/modified on the server is still a couple years ago. I have also looked into anyone who is doing work on the server, and no one has touched these files.
On Jun 10, 12:52 pm, "dan (ddp)" <[email protected]> wrote: > Is it possible that agent hasn't been connected to the manager for a while? > I don't particularly trust the file dates on the agents. If someone is > messing around they can easily change those dates. > > > > On Wed, Jun 8, 2011 at 4:22 PM, Pat <[email protected]> wrote: > > Hello All, > > > I reviewed some of the OSSEC alerts that I am getting about integrity > > checksums as well as new file alerts and noticed that the dates on the > > files were from a couple years ago (for new file alerts. the > > integrity checksum one was a little less than a month ago). Is there > > any reason that it would be doing this? I am using realtime="yes", so > > I would assume that if I received an alert it was because the > > integrity checksum was changed sometime today, or if a new file was > > added it would have the date created/modified as of today. > > > Any thoughts? > > > Thanks in advance.
