On Fri, Feb 3, 2012 at 1:15 AM, Marcos Tang <[email protected]> wrote:
> Hi Dan,
>
> Referring to my previous email, I have the following findings.
>
>> *************************
>> Output from the OSSEC server
>> *************************
>>
>> [root@myserver ~]# /opt/ossec/bin/syscheck_control -i 049 -f /opt/syslog-ng/conf/syslog-ng.conf
>>
>> Integrity changes for agent 'myagent (049) - 10.XX.XX.XXX':
>> Detailed information for entries matching: '/opt/syslog-ng/conf/syslog-ng.conf'
>>
>> 2012 Jan 08 23:31:38,0 - /opt/syslog-ng/conf/syslog-ng.conf
>>
>> 2012 Jan 19 08:31:27,0 - /opt/syslog-ng/conf/syslog-ng.conf
>> File changed.
>> [root@myserver ~]#
>>
>>
>> *************************
>> Output from the OSSEC agent
>> *************************
>>
>> root@myagent% pwd
>> /opt/ossec/queue/diff/local/opt/syslog-ng/conf/syslog-ng.conf
>> root@myagent% ls -arlt
>> total 8
>> -rw-rw-r-- 1 root other 1488 Jun 28 2011 last-entry
>> drwxrwx--- 3 root other 512 Jun 28 2011 ..
>> drwxrwx--- 2 root other 512 Jun 28 2011 .
>> root@myagent%
>
> The syscheck_control output just lists this file. In general, the syscheck_control output is different, as it will tell us whether it is a checksum, permission, or file size change. Now it just lists the file without any explanation.
>
Oops, I meant to ask: Is there an alert associated with this? Sorry about the confusion.

> On the other hand, I logged in to the OSSEC client and I can't find any record of a new file being detected. From my personal understanding, if a file is changed, a file "diff.XXXXXX" would be generated under /opt/ossec/queue/diff/local/opt/syslog-ng/conf/syslog-ng.conf. But I can't find this file.
>

Gmail is acting funny, I can't see the syscheck configuration that includes this file. If the report_changes option is set to yes then there should be some activity in /var/ossec/queue/diff. If it isn't set, then there shouldn't be.

> Thanks & Regards,
> Marcos
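The agent-side queue layout the thread is looking at, as an added example that is not part of the original thread or of OSSEC itself: a small shell helper that reports whether the agent's diff queue holds only last-entry for a monitored path or also diff.* snapshots, so a missing snapshot can be separated from a path that syscheck never copied at all. It assumes the agent queue root /opt/ossec/queue/diff (overridable as the second argument) and builds a constructed demo tree rather than touching a real agent.

```shell
#!/bin/sh
# Added example, not OSSEC's own tooling. Queue layout as shown in the thread:
#   <queue>/local/<monitored path>/last-entry     copy taken at the last scan
#   <queue>/local/<monitored path>/diff.<epoch>   one file per recorded content change
# diff.* files are only produced for paths monitored with report_changes="yes".

# diff_queue_status <monitored file> [queue root]
# Prints a summary. Exit status: 0 = diff.* snapshot(s) present,
# 1 = only last-entry (report_changes off, or no content change recorded yet),
# 2 = path not present in the diff queue at all.
diff_queue_status() {
    file="$1"
    queue="${2:-/opt/ossec/queue/diff}"   # assumed agent default, as on the thread's agent
    dir="$queue/local$file"
    if [ ! -f "$dir/last-entry" ]; then
        echo "not in diff queue: $file"
        return 2
    fi
    count=$(find "$dir" -maxdepth 1 -type f -name 'diff.*' | wc -l | tr -d ' ')
    echo "tracked: $file"
    ls -lt "$dir" | sed 's/^/  /'
    if [ "$count" -eq 0 ]; then
        echo "  no diff.* snapshots: check report_changes=\"yes\" for this path, and whether an alert fired"
        return 1
    fi
    echo "  $count content change(s) recorded"
    return 0
}

# Constructed demo tree mirroring the agent listing in the thread (not real agent data).
demo=$(mktemp -d)
mkdir -p "$demo/local/opt/syslog-ng/conf/syslog-ng.conf"
printf 'options { };\n' > "$demo/local/opt/syslog-ng/conf/syslog-ng.conf/last-entry"
diff_queue_status /opt/syslog-ng/conf/syslog-ng.conf "$demo" || echo "  (exit status $?)"

# Same layout once a change has been captured: last-entry plus one diff.<epoch> file.
mkdir -p "$demo/local/etc/hosts"
printf '127.0.0.1 localhost\n' > "$demo/local/etc/hosts/last-entry"
: > "$demo/local/etc/hosts/diff.1326961887"
diff_queue_status /etc/hosts "$demo" || echo "  (exit status $?)"
rm -rf "$demo"
```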
