Hello list, I have the following situation, which drives me nuts. I'll probably end up in a mental institution. I am editing two files to validate OSSEC's alerting: 1) /etc/hosts and 2) /etc/passwd on a certain host.

Every time, I get an alert for /etc/passwd but not /etc/hosts. OK, I say, let's try another system; maybe this one has issues. On the other system I get an alert for /etc/hosts but not /etc/passwd!!!! (How's the nuthouse sounding?)

ossec.conf is the default configuration, like <directories check_all="yes">/etc</directories>. I guess there is something in the OSSEC server. I'll try to clear the databases for all agents by running #syscheck_control -u all, with the hope that I get a "clean" start again. Any other suggestions on how to troubleshoot such a situation? Thank you
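As an added example (not part of the original post and not OSSEC's own code), the following Python script does two checks a person debugging a situation like the one above would want before wiping the syscheck database: it reads the <syscheck> block of an ossec.conf and reports the scan frequency, the monitored directories with their attributes, the ignore entries and whether a given file is covered by them; and it scans an alerts.log for syscheck alerts (rules 550/551/553) and reports, per agent, which file paths actually raised one. The ossec.conf fragment and the alerts.log excerpt are constructed samples (agent names, times and checksums are made up); the config is modelled on the syscheck defaults OSSEC 2.x ships with, trimmed to a single well-formed <ossec_config>, and the <ignore> matching is modelled as a plain prefix match, which is an assumption about how OSSEC treats entries without a type= attribute.

```python
import re
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment (assumption: modelled on the syscheck
# defaults OSSEC 2.x ships with, trimmed to one well-formed <ossec_config>).
SAMPLE_CONF = """<ossec_config>
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
  </syscheck>
</ossec_config>"""

# Constructed alerts.log excerpt (assumption: agent names, times and
# checksums are made up; the layout follows OSSEC's alerts.log format).
SAMPLE_ALERTS = """** Alert 1359022502.1234: - ossec,syscheck,
2013 Jan 24 10:15:02 (hostA) 10.0.0.11->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
Size changed from '1520' to '1561'
Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is : '0cc175b9c0f1b6a831c399e269772661'

** Alert 1359022602.1300: - ossec,syscheck,
2013 Jan 24 10:16:42 (hostB) 10.0.0.12->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts'
Size changed from '220' to '246'
Old md5sum was: '92eb5ffee6ae2fec3ad71c777531578f'
New md5sum is : '4a8a08f09d37b73795649038408b5f33'
"""


def parse_syscheck(conf_xml):
    """Pull frequency, monitored directories (with their attributes) and
    ignore entries out of the <syscheck> block."""
    sc = ET.fromstring(conf_xml).find("syscheck")
    freq = sc.findtext("frequency")
    dirs = []
    for d in sc.findall("directories"):
        for path in d.text.split(","):
            dirs.append((path.strip(), dict(d.attrib)))
    ignores = [i.text.strip() for i in sc.findall("ignore")]
    return {"frequency": int(freq) if freq else None,
            "directories": dirs, "ignores": ignores}


def coverage(cfg, path):
    """Return (monitored_dir, matching_ignore, realtime) for a file path.
    The longest matching <directories> entry wins; <ignore> is treated as
    a plain prefix match (assumption about OSSEC's behaviour for entries
    without a type= attribute)."""
    monitored = None
    for d, attrs in sorted(cfg["directories"], key=lambda x: -len(x[0])):
        if path == d or path.startswith(d.rstrip("/") + "/"):
            monitored = (d, attrs)
            break
    ignored = next((i for i in cfg["ignores"] if path.startswith(i)), None)
    realtime = monitored is not None and monitored[1].get("realtime") == "yes"
    return (monitored[0] if monitored else None, ignored, realtime)


AGENT_RE = re.compile(r"\((?P<agent>[^)]+)\) \S+->syscheck")
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) ", re.M)
# Rules 550/551 report "Integrity checksum changed for: '<path>'",
# rule 553 reports "File '<path>' was deleted."
PATH_RE = re.compile(r"changed for: '(?P<p1>[^']+)'|File '(?P<p2>[^']+)' was deleted")


def syscheck_alerts(log_text):
    """Map agent -> {path: [rule ids]} for every syscheck alert in the log."""
    seen = {}
    for block in log_text.split("** Alert")[1:]:
        if "syscheck" not in block.splitlines()[0]:
            continue  # not a syscheck alert (other groups are skipped)
        agent = AGENT_RE.search(block)
        rule = RULE_RE.search(block)
        path = PATH_RE.search(block)
        if not (agent and rule and path):
            continue
        p = path.group("p1") or path.group("p2")
        seen.setdefault(agent.group("agent"), {}).setdefault(p, []).append(rule.group("rule"))
    return seen


if __name__ == "__main__":
    cfg = parse_syscheck(SAMPLE_CONF)
    print("scan interval: %ds" % cfg["frequency"])
    for f in ("/etc/hosts", "/etc/passwd", "/etc/hosts.deny"):
        print(f, "->", coverage(cfg, f))
    for agent, paths in syscheck_alerts(SAMPLE_ALERTS).items():
        print(agent, paths)
```

Run against the real /var/ossec/etc/ossec.conf and /var/ossec/logs/alerts/alerts.log on the server, the same two functions show at a glance whether both files sit under a monitored directory with no <ignore> covering them, and which agent actually reported which path. The reported interval is worth comparing against how long was waited after each edit: with the default frequency of 79200 seconds (22 hours) and no realtime="yes" on the directory, a periodic scan only picks a change up on its next run, so two hosts whose scan timers are at different points can easily report different subsets of the same edits.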
