Hi OSSEC users and Dan
High-level background of my current setup:
- Several OSSEC servers are running on Solaris
- OSSEC agents are running on Solaris and reporting to the above OSSEC servers
- Running /opt/ossec/bin/agent_control -lc shows the agents are connecting to the server
- File integrity check is enabled and several configuration files are being monitored. One of the files being monitored is "syslog-ng.conf"

My problem:
Recently I find that more than one OSSEC server detects changes on this syslog-ng.conf file (this file is installed on all OSSEC clients). However, when I run the command below, it doesn't tell me what exactly is changed. I have also checked the file integrity myself and I also don't see anything wrong.

*************************
Output from the OSSEC server
*************************
[root@myserver ~]# /opt/ossec/bin/syscheck_control -i 049 -f /opt/syslog-ng/conf/syslog-ng.conf

Integrity changes for agent 'myagent (049) - 10.XX.XX.XXX':
Detailed information for entries matching: '/opt/syslog-ng/conf/syslog-ng.conf'

2012 Jan 08 23:31:38,0 - /opt/syslog-ng/conf/syslog-ng.conf
2012 Jan 19 08:31:27,0 - /opt/syslog-ng/conf/syslog-ng.conf
File changed.

[root@myserver ~]#

*************************
Output from the OSSEC agent
*************************
root@myagent% pwd
/opt/ossec/queue/diff/local/opt/syslog-ng/conf/syslog-ng.conf
root@spewgp2c35% ls -arlt
total 8
-rw-rw-r--   1 root     other       1488 Jun 28  2011 last-entry
drwxrwx---   3 root     other        512 Jun 28  2011 ..
drwxrwx---   2 root     other        512 Jun 28  2011 .
root@myagent%

My questions:
Why is there no integrity change detected, but the OSSEC servers report the file is changed?

Regards,
Marcos
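Added example (not part of Marcos's post and not OSSEC's own code): a small file-integrity snapshot tool that records the attributes a syscheck-style integrity record compares and reports which of them differ between two snapshots. The point it illustrates is that "the file is changed" can be raised by a metadata-only change (permission bits, owner or group) while the content hashes, and therefore any content diff, are unchanged. It assumes that the relevant field set is size, permissions, uid, gid, MD5 and SHA1 (the layout of an OSSEC syscheck entry as I recall it; treat that as an assumption), and the demo input is a constructed temporary file, not the poster's syslog-ng.conf.

```python
import hashlib
import os
import stat
import tempfile
from typing import Dict, Tuple

# Attributes that a syscheck-style integrity record compares.
# Assumption: mirrors OSSEC's "size:perm:uid:gid:md5:sha1" entry layout.
FIELDS = ("size", "perm", "uid", "gid", "md5", "sha1")


def snapshot(path: str) -> Dict[str, str]:
    """Capture size, permission bits, owner, group and content hashes of a file."""
    st = os.lstat(path)
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {
        "size": str(st.st_size),
        "perm": oct(stat.S_IMODE(st.st_mode)),
        "uid": str(st.st_uid),
        "gid": str(st.st_gid),
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
    }


def changed_fields(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Return {field: (old, new)} for every attribute that differs."""
    return {f: (before[f], after[f]) for f in FIELDS if before[f] != after[f]}


def describe(before: Dict[str, str], after: Dict[str, str]) -> str:
    """Summarise a change as content, metadata-only, or none."""
    diff = changed_fields(before, after)
    if not diff:
        return "no integrity change"
    if "md5" in diff or "sha1" in diff:
        return "content changed: " + ", ".join(sorted(diff))
    return "metadata-only change: " + ", ".join(sorted(diff))


def demo() -> str:
    """Constructed sample: a temp file whose mode is changed while its bytes stay the same."""
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write('destination d_local { file("/var/log/messages"); };\n')
        path = fh.name
    try:
        os.chmod(path, 0o644)
        before = snapshot(path)
        os.chmod(path, 0o664)  # same content, different permission bits
        after = snapshot(path)
        return describe(before, after)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Run against a real monitored file by calling snapshot() before and after the alert window (or against a copy kept from the last known-good state); if describe() reports a metadata-only change, the "File changed" alert is explained without any content diff existing, which is consistent with a diff directory that holds only an old last-entry.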
