Hi, I find my OSSEC server keeps "reporting" that a file has changed. I checked that file's checksum and timestamp and nothing has changed, as far as I can tell.

When I try to see what is going on inside the file "/opt/ossec/queue/syscheck/(ossec_client) 172.30.XX.XXX -> syscheck", I find there are 2 entries related to the same object. The first line below should have been created first, with a "+++" at the beginning of that line. Somehow, when the OSSEC server reports there is a change, it creates the last line. Can anyone explain what the meaning of "+++" & "!++" is, and what the meaning of "!132863#281" and "!1330029335" is?

[root@myossec_svr syscheck]# cat "(ossec_client) 172.30.XX.XXX ->syscheck"
+++1486:33188:0:1:a465a2fd02717050ca44d6cc24c5d458:bd37d291ce34e363af853958a31f241c74bd85d4 !132863#281 /opt/syslog-ng/conf/syslog-ng.conf
!++1486:33188:0:1:a465a2fd02717050ca44d6cc24c5d458:bd37d291ce34e363af853958a31f241c74bd85d4 !1330029335 /opt/syslog-ng/conf/syslog-ng.conf

Regards,
Marcos
