On Tue, Feb 14, 2012 at 8:54 PM, Macus <[email protected]> wrote:
> I am using OSSEC 2.6 server + agents on CentOS 5.3 64-bit. I have an
> issue with the "Integrity checksum changed" alert being delayed by over a day.
> For example, I modified a file on a machine last Fri, but the OSSEC
> server alerted me of the integrity change this Wed. I have set up the server
> and agent to do syscheck at 20:00 every day.
> Why is the checksum change alert delayed so long?
>

The dates of the logs don't match the dates (I'm guessing) you're talking about.

When did the syscheck scan finish? How long after that did the alert
fire? Do you have the log all option enabled? If so, when did the
information get passed to the manager from the agent?

>
> Server config:
> <ossec_config>
>  <global>
>  <alerts>
>    <email_alert_level>8</email_alert_level>
>    <log_alert_level>1</log_alert_level>
>  </alerts>
>  <reports>
>    <category>syscheck</category>
>    <title>OSSEC Daily Report: File Integrity Check Result</title>
>    <email_to>[email protected]</email_to>
>    <showlogs>yes</showlogs>
>  </reports>
>
>  <syscheck>
>    <!-- Frequency that syscheck is executed - default to every 22 hours -->
>    <!-- <frequency>72000</frequency> -->
>    <scan_time>20:00</scan_time>
>    <alert_new_files>yes</alert_new_files>
>    <auto_ignore>no</auto_ignore>
>    <scan_on_start>no</scan_on_start>
>
>    <!-- Directories to check (perform all possible verifications) -->
>    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>    <directories check_all="yes">/bin,/sbin</directories>
>
>
>    <!-- Files/directories to ignore -->
>    <ignore>/etc/prelink.cache</ignore>
>    <ignore>/etc/mtab</ignore>
>    <ignore>/etc/mnttab</ignore>
>    <ignore>/etc/hosts.deny</ignore>
>    <ignore>/etc/mail/statistics</ignore>
>    <ignore>/etc/random-seed</ignore>
>    <ignore>/etc/adjtime</ignore>
>    <ignore>/etc/httpd/logs</ignore>
>    <ignore>/etc/utmpx</ignore>
>    <ignore>/etc/wtmpx</ignore>
>    <ignore>/etc/cups/certs</ignore>
>    <ignore>/etc/dumpdates</ignore>
>    <ignore>/etc/svc/volatile</ignore>
>
>    <!-- Windows files to ignore -->
>    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>    <ignore>C:\WINDOWS/Debug</ignore>
>    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>    <ignore>C:\WINDOWS/iis6.log</ignore>
>    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>    <ignore>C:\WINDOWS/Prefetch</ignore>
>    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>    <ignore>C:\WINDOWS/Temp</ignore>
>    <ignore>C:\WINDOWS/system32/config</ignore>
>    <ignore>C:\WINDOWS/system32/spool</ignore>
>    <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>  </syscheck>
>  </global>
> </ossec_config>
>
>
> Agent config
> <agent_config>
>  <syscheck>
>    <!-- Frequency that syscheck is executed - default to every 22 hours -->
>    <!-- <frequency>72000</frequency> -->
>    <scan_time>20:00</scan_time>
>    <alert_new_files>yes</alert_new_files>
>    <scan_on_start>no</scan_on_start>
>
>    <!-- Directories to check (perform all possible verifications) -->
>    <directories check_all="yes" report_changes="yes">/home/user/programA</directories>
>    <directories check_all="yes" report_changes="yes">/home/user/programB</directories>
>  </syscheck>
> </agent_config>
>
> Server Logs:
> 012/02/12 20:00:31 ossec-syscheckd: INFO: Starting syscheck scan.
> 2012/02/12 20:26:50 ossec-syscheckd: INFO: Ending syscheck scan.
> 2012/02/13 00:00:24 ossec-monitord: INFO: Starting daily reporting for 'OSSEC Daily Report: File Integrity Check Result'
> 2012/02/13 00:00:30 ossec-monitord: INFO: Report 'OSSEC Daily Report: File Integrity Check Result' completed. Creating output...
> 2012/02/13 20:01:51 ossec-syscheckd: INFO: Starting syscheck scan.
> 2012/02/13 20:29:22 ossec-syscheckd: INFO: Ending syscheck scan.
> 2012/02/14 00:00:55 ossec-monitord: INFO: Starting daily reporting for 'OSSEC Daily Report: File Integrity Check Result'
> 2012/02/14 00:01:02 ossec-monitord: INFO: Report 'OSSEC Daily Report: File Integrity Check Result' completed. Creating output...
> 2012/02/14 20:04:22 ossec-syscheckd: INFO: Starting syscheck scan.
> 2012/02/14 20:30:58 ossec-syscheckd: INFO: Ending syscheck scan.
> 2012/02/15 00:01:35 ossec-monitord: INFO: Starting daily reporting for 'OSSEC Daily Report: File Integrity Check Result'
> 2012/02/15 00:01:43 ossec-monitord: INFO: Report 'OSSEC Daily Report: File Integrity Check Result' completed. Creating output...
>
>
> Agent Logs:
> 2012/02/13 20:04:19 ossec-syscheckd: INFO: Starting syscheck scan.
> 2012/02/13 21:10:10 ossec-agentd: INFO: Event count after '20000': 3409487->3024784 (88%)
> 2012/02/13 22:39:01 ossec-syscheckd: WARN: Error opening directory: '/home/user/programB': No such file or directory
> 2012/02/13 22:39:25 ossec-syscheckd: INFO: Ending syscheck scan.
> 2012/02/14 11:10:24 ossec-agentd: INFO: Event count after '20000': 3379049->3028584 (89%)
> 2012/02/14 20:04:25 ossec-syscheckd: INFO: Starting syscheck scan.
> 2012/02/14 21:10:34 ossec-agentd: INFO: Event count after '20000': 3404780->3021480 (88%)
> 2012/02/14 22:39:10 ossec-syscheckd: WARN: Error opening directory: '/home/user/programB': No such file or directory
> 2012/02/14 22:39:34 ossec-syscheckd: INFO: Ending syscheck scan.

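To answer the timing questions raised in the reply (when each scan finished, how long it ran, how late it started relative to the configured scan_time, and whether it logged errors), here is an added helper that summarises syscheck scans from an ossec.log; it is example code for this thread, not part of OSSEC. The sample lines are copied from the agent log above; the "20:00" schedule is the scan_time from the config.

```python
"""Summarise OSSEC syscheck scan timing from ossec.log lines (added example)."""
from datetime import datetime
import re

# ossec.log line shape: "YYYY/MM/DD HH:MM:SS daemon: LEVEL: message"
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\S+): (\w+): (.*)$")

# Sample input: agent log lines from the thread (syscheckd lines only).
SAMPLE_LOG = """\
2012/02/13 20:04:19 ossec-syscheckd: INFO: Starting syscheck scan.
2012/02/13 22:39:01 ossec-syscheckd: WARN: Error opening directory: '/home/user/programB': No such file or directory
2012/02/13 22:39:25 ossec-syscheckd: INFO: Ending syscheck scan.
2012/02/14 20:04:25 ossec-syscheckd: INFO: Starting syscheck scan.
2012/02/14 22:39:10 ossec-syscheckd: WARN: Error opening directory: '/home/user/programB': No such file or directory
2012/02/14 22:39:34 ossec-syscheckd: INFO: Ending syscheck scan.
"""


def parse_line(line):
    """Return (timestamp, daemon, level, message) or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)


def syscheck_scans(log_text, scan_time="20:00"):
    """One dict per completed scan: start, end, duration, lateness vs scan_time, warnings."""
    sched_h, sched_m = (int(x) for x in scan_time.split(":"))
    scans, current = [], None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec[1] != "ossec-syscheckd":
            continue  # skip agentd/monitord lines and anything unparseable
        ts, _daemon, level, msg = rec
        if msg.startswith("Starting syscheck scan"):
            scheduled = ts.replace(hour=sched_h, minute=sched_m, second=0)
            current = {"start": ts, "late": ts - scheduled, "warnings": []}
        elif current is None:
            continue  # end/warn without a start: ignore
        elif level == "WARN":
            current["warnings"].append(msg)
        elif msg.startswith("Ending syscheck scan"):
            current["end"], current["duration"] = ts, ts - current["start"]
            scans.append(current)
            current = None
    return scans


if __name__ == "__main__":
    for s in syscheck_scans(SAMPLE_LOG):
        print(f"{s['start']} -> {s['end']} took {s['duration']}, "
              f"started {s['late']} late, {len(s['warnings'])} warning(s)")
```

Run it against the manager's ossec.log as well and compare each scan's end time with the timestamp of the integrity alert in alerts.log to see where the delay actually accrues.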