Hi Dan,

Referring to my previous email, I have the following findings.

> *************************
> Output from the OSSEC server
> *************************
>
> [root@myserver ~]# /opt/ossec/bin/syscheck_control -i 049 -f /opt/syslog-ng/conf/syslog-ng.conf
>
> Integrity changes for agent 'myagent (049) - 10.XX.XX.XXX':
> Detailed information for entries matching: '/opt/syslog-ng/conf/syslog-ng.conf'
>
> 2012 Jan 08 23:31:38,0 - /opt/syslog-ng/conf/syslog-ng.conf
>
> 2012 Jan 19 08:31:27,0 - /opt/syslog-ng/conf/syslog-ng.conf
> File changed.
> [root@myserver ~]#
>
>
> *************************
> Output from the OSSEC agent
> *************************
>
> root@myagent% pwd
> /opt/ossec/queue/diff/local/opt/syslog-ng/conf/syslog-ng.conf
> root@myagent% ls -arlt
> total 8
> -rw-rw-r-- 1 root other 1488 Jun 28 2011 last-entry
> drwxrwx--- 3 root other 512 Jun 28 2011 ..
> drwxrwx--- 2 root other 512 Jun 28 2011 .
> root@myagent%

The syscheck_control output just lists this file only. In general, the syscheck_control output is different, as it will tell us whether it is a checksum, permission, or file size change. Now, it just lists the file without any explanation.

On the other hand, I logged in to the OSSEC client and I can't find any records about a new file being detected. From my personal understanding, if a file is changed, a file "diff.XXXXXX" would be generated under /opt/ossec/queue/diff/local/opt/syslog-ng/conf/syslog-ng.conf. But I can't find this file.

Thanks & Regards,
Marcos
