Using syscheck_control I am able to find changes like this:

112418531 Jul 01 0'N,0 - /bin/somefile
File changed. - 1st time modified.
Integrity checking values:
   Size: >11448
   Perm: rwxr-xr-x
   Uid: 0
   Gid: 0
   Md5: >c5cd9f082926e07453ee01fb16122f10
   Sha1: >1cc841366200b35f756db0f61fce03fabd16e97b
However, I can't find a similar entry in any of the ../ossec/logs/alerts/2011/July/... files. Should there be?

I have OSSEC set up to email our monitoring software; how would I go about verifying that the email alert was sent?

Thanks,

On Jul 27, 2:38 pm, Patrick wrote:
> Okay... I found part of my answer
> ...http://www.ossec.net/doc/programs/syscheck_control.html#syscheck-control
>
> When I use the example:
> /var/ossec/bin/syscheck_control -i 002
> I get a "Segmentation fault", probably due to the very old version
> that I'm currently stuck on.
>
> On Jul 27, 1:45 pm, Patrick wrote:
> > The files were changed and were causing issues; we had to move &
> > rename the bad files so the checksums would no longer match the
> > syscheck db (or am I wrong).
> > On that, how do I find out what the syscheck db shows as what the md5
> > hash should be?
> > If there is a 'how-to' already written, please forgive and just point
> > me in the right direction.
> > Thanks,
> > Patrick
> >
> > On Jul 27, 1:01 pm, "dan (ddp)" wrote:
> > > Why do you suspect files have changed?
> > > Does the current md5 or sha hash of the files match the entries in the
> > > syscheck db?
> > >
> > > On Wed, Jul 27, 2011 at 1:34 PM, Patrick wrote:
> > > > How would I go about troubleshooting if I suspect that some files were
> > > > changed and OSSEC didn't alert on the change?
> > > > I'm currently using OSSEC 2.0.
> > > >
> > > > The files were in /bin on a Linux server.
> > > >
> > > > Thanks,
> > > > Patrick
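One way to answer dan's question (does the file on disk still match what the syscheck db recorded?) is to take the values `syscheck_control -i` prints, rehash the file and compare. The script below is an added example, not code from this thread or from the OSSEC project. It assumes only the report layout visible above: a header line ending in ` - /absolute/path`, followed by `Size:`, `Md5:` and `Sha1:` lines whose values may carry a leading `>` or `<`. The sample report text and the throwaway files the demo creates are constructed for illustration.

```python
"""Compare hashes recorded by OSSEC syscheck (as printed by syscheck_control -i)
with the current md5/sha1 of the files on disk."""
import hashlib
import os
import re
import tempfile

# Constructed sample in the shape of the syscheck_control -i block quoted in
# the thread; the path and hash values are placeholders, not a real file.
SAMPLE_REPORT = """\
Jul 01 - /bin/somefile
File changed. - 1st time modified.
Integrity checking values:
   Size: >11448
   Perm: rwxr-xr-x
   Uid: 0
   Gid: 0
   Md5: >c5cd9f082926e07453ee01fb16122f10
   Sha1: >1cc841366200b35f756db0f61fce03fabd16e97b
"""

# Assumed layout: a header line ending in " - /path", then "Field: value" lines.
PATH_RE = re.compile(r"\s-\s(/\S.*?)\s*$")
FIELD_RE = re.compile(r"^\s*(Size|Perm|Uid|Gid|Md5|Sha1):\s*[<>]?\s*(\S+)\s*$")


def parse_syscheck_report(text):
    """Turn syscheck_control -i style output into a list of per-file dicts.
    A leading '>' or '<' on a value is stripped; only the value is compared."""
    entries, current = [], None
    for line in text.splitlines():
        m = PATH_RE.search(line)
        if m:
            current = {"path": m.group(1)}
            entries.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
    return entries


def hash_file(path, chunk=65536):
    """Return (size, md5, sha1) of the file at path, reading it in chunks."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            size += len(block)
            md5.update(block)
            sha1.update(block)
    return size, md5.hexdigest(), sha1.hexdigest()


def check_entries(entries, root=""):
    """Compare each recorded entry with the file now on disk.
    root is prepended to the recorded path so an offline copy of the agent's
    filesystem can be checked. Status is 'match', 'changed' or 'missing'."""
    results = []
    for e in entries:
        target = root + e["path"] if root else e["path"]
        if not os.path.isfile(target):
            results.append({"path": e["path"], "status": "missing", "diffs": {}})
            continue
        size, md5, sha1 = hash_file(target)
        current = {"size": str(size), "md5": md5, "sha1": sha1}
        diffs = {k: (e[k], current[k]) for k in ("size", "md5", "sha1")
                 if k in e and e[k].lower() != current[k].lower()}
        results.append({"path": e["path"],
                        "status": "changed" if diffs else "match",
                        "diffs": diffs})
    return results


def demo():
    """Constructed scenario: record a file's hashes in report form, then check
    the untouched file, a tampered copy, and the path after the file is removed."""
    tmp = tempfile.mkdtemp()
    good = os.path.join(tmp, "somefile")
    with open(good, "wb") as fh:
        fh.write(b"#!/bin/sh\necho original\n")
    size, md5, sha1 = hash_file(good)
    report = (f"Jul 01 - {good}\nIntegrity checking values:\n"
              f"   Size: >{size}\n   Md5: >{md5}\n   Sha1: >{sha1}\n")
    entries = parse_syscheck_report(report)
    out = {"untouched": check_entries(entries)[0]["status"]}
    with open(good, "ab") as fh:            # simulate a modified binary
        fh.write(b"echo extra\n")
    out["tampered"] = check_entries(entries)[0]["status"]
    os.remove(good)                         # simulate the file being moved away
    out["removed"] = check_entries(entries)[0]["status"]
    os.rmdir(tmp)
    return out


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else sys.stdin.read()
    for r in check_entries(parse_syscheck_report(text)):
        print(r["status"].upper(), r["path"], r["diffs"] or "")
```

Run it on the host that actually holds the files (the agent), feeding it the saved `syscheck_control -i` output from the manager. With the bad files moved and renamed as described above, the recorded paths report `missing`, and anything put back at the old path with different content reports `changed` along with the recorded and current values side by side.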
