Hi Dan,

Thanks, and please share the meaning of those fields with me when you have a chance to see the source code.

Also thanks for your suggestion; I am going to remove the line having "#" and keep the last one.

Thanks & Regards,
Marcos

________________________________
From: dan (ddp) <[email protected]>
To: [email protected]
Sent: Wednesday, February 29, 2012 7:03 PM
Subject: Re: [ossec-list] Can anyone explain the syntax of the file "/opt/ossec/queue/syscheck"?

On Wed, Feb 29, 2012 at 12:55 AM, Marcos Tang <[email protected]> wrote:
> Hi,
>
> I find my OSSEC server keeps "reporting" a file is changed. I checked that
> file's checksum and timestamp and nothing has changed, as far as I can
> tell.
>
> When I try to see what is going on inside the file
> "/opt/ossec/queue/syscheck/"(ossec_client) 172.30.XX.XXX -> syscheck", I
> find there are 2 entries related to the same object.
>
> The first line below should be created first with a "+++" at the beginning
> of that line. Somehow, when the OSSEC server reports there is a change, it
> creates the last line.
>
> Can anyone explain what is the meaning of "+++" & "!++" and what is the

I'd have to spend some time looking at the source, but I think it means the file has changed once.

> meaning of "!132863#281" and "!1330029335"?
>

I think those are supposed to be timestamps, but the "#" shouldn't be there. I'd either delete that entry or clear the syscheck db and start over for that host.

> [root@myossec_svr syscheck]# cat "(ossec_client) 172.30.XX.XXX ->syscheck"
> +++1486:33188:0:1:a465a2fd02717050ca44d6cc24c5d458:bd37d291ce34e363af853958a31f241c74bd85d4
> !132863#281 /opt/syslog-ng/conf/syslog-ng.conf
> !++1486:33188:0:1:a465a2fd02717050ca44d6cc24c5d458:bd37d291ce34e363af853958a31f241c74bd85d4
> !1330029335 /opt/syslog-ng/conf/syslog-ng.conf
>
> Regards,
> Marcos
>
>
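As an added example, not code from the thread or from OSSEC itself, here is a small parser for the entry layout quoted above, run over a constructed copy of the two entries; it decodes the checksum fields, the 33188 mode value and the leading flags, rejects the malformed "#" timestamp, and reports the second entry as a suspect change because its digests are identical to the baseline. Assumptions: the checksum fields are in the agent-message order size:perm:uid:gid:md5:sha1, and, following Dan's reading, each "!" in the three leading flag characters records one detected change.

```python
from __future__ import annotations
import re
import stat
from dataclasses import dataclass
# Constructed copy of the two entries quoted in the thread. In the real db an entry
# is one line, "<flags><sum> !<mtime> <path>"; the mail wrapped it, so \s+ is used.
SAMPLE_DB = """\
+++1486:33188:0:1:a465a2fd02717050ca44d6cc24c5d458:bd37d291ce34e363af853958a31f241c74bd85d4
!132863#281 /opt/syslog-ng/conf/syslog-ng.conf
!++1486:33188:0:1:a465a2fd02717050ca44d6cc24c5d458:bd37d291ce34e363af853958a31f241c74bd85d4
!1330029335 /opt/syslog-ng/conf/syslog-ng.conf
"""
ENTRY_RE = re.compile(r"([+!]{3})(\S+)\s+!(\S+)\s+(\S+)")  # flags, sum, !mtime, path

@dataclass
class Entry:
    changes: int       # '!' count in the flags: +++ baseline, !++ changed once
    size: int
    mode: int          # st_mode in decimal: 33188 == 0o100644
    uid: int
    gid: int
    md5: str
    sha1: str
    mtime: int | None  # None when the field is not a plain integer
    path: str
    def perm(self) -> str:
        kind = "regular file" if stat.S_ISREG(self.mode) else "other"
        return f"{oct(stat.S_IMODE(self.mode))} {kind}"

def parse_db(text: str) -> list[Entry]:
    entries = []
    for flags, csum, ts, path in ENTRY_RE.findall(text):
        # Field order assumed from the agent message: size:perm:uid:gid:md5:sha1
        size, mode, uid, gid, md5, sha1 = csum.split(":")
        if not (re.fullmatch(r"[0-9a-f]{32}", md5) and re.fullmatch(r"[0-9a-f]{40}", sha1)):
            raise ValueError(f"bad digest in entry for {path}")
        mtime = int(ts) if ts.isdigit() else None  # "132863#281" -> None
        entries.append(Entry(flags.count("!"), int(size), int(mode), int(uid),
                             int(gid), md5, sha1, mtime, path))
    return entries

def spurious_changes(entries: list[Entry]) -> list[str]:
    # Paths whose 'changed' entry repeats the previous entry's digests exactly.
    last, out = {}, []
    for e in entries:
        prev = last.get(e.path)
        if prev and e.changes > prev.changes and (e.md5, e.sha1) == (prev.md5, prev.sha1):
            out.append(e.path)
        last[e.path] = e
    return out
```

On the sample, the "!++" entry carries the same size, mode and digests as the "+++" entry and an unparseable timestamp, which is what makes it a db artifact rather than evidence of a real modification.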
