On Wed, Feb 1, 2012 at 4:56 AM, Marcos Tang <[email protected]> wrote:
> Hi OSSEC users and Dan
>
> High-level background of my current setup:
>
> - Several OSSEC servers are running on Solaris
> - OSSEC agents are running on Solaris and reporting to the above OSSEC
> servers
> - Running /opt/ossec/bin/agent_control -lc shows the agents are connecting
> to the server
> - File integrity check is enabled and several configuration files are being
> monitored. One of the files being monitored is "syslog-ng.conf"
>
> My problem:
>
> Recently I find more than one OSSEC server detects changes on this
> syslog-ng.conf file (this file is installed on all OSSEC clients). However,
> when I run the below command, it doesn't tell me what exactly is changed. I
> have also checked the file integrity myself and I also don't see anything
> wrong.
>
> *************************
> Output from the OSSEC server
> *************************
>
> [root@myserver ~]# /opt/ossec/bin/syscheck_control -i 049 -f
> /opt/syslog-ng/conf/syslog-ng.conf
>
> Integrity changes for agent 'myagent (049) - 10.XX.XX.XXX':
> Detailed information for entries matching:
> '/opt/syslog-ng/conf/syslog-ng.conf'
>
> 2012 Jan 08 23:31:38,0 - /opt/syslog-ng/conf/syslog-ng.conf
>
> 2012 Jan 19 08:31:27,0 - /opt/syslog-ng/conf/syslog-ng.conf
> File changed. [root@myserver ~]#
>
>
> *************************
> Output from the OSSEC agent
> *************************
>
> root@myagent% pwd
> /opt/ossec/queue/diff/local/opt/syslog-ng/conf/syslog-ng.conf
> root@spewgp2c35% ls -arlt
> total 8
> -rw-rw-r-- 1 root other 1488 Jun 28 2011 last-entry
> drwxrwx--- 3 root other 512 Jun 28 2011 ..
> drwxrwx--- 2 root other 512 Jun 28 2011 .
> root@myagent%
>
>
> My questions:
>
> Why is there no integrity change detected but OSSEC servers report the file
> is changed?
>
> Regards, Marcos

Is there an alert associated with this? Does it mention what seems to have changed (checksum, size, etc)?
