Hi,

Has anyone noticed a bug when running syscheck with large files (> 2 GB)?

I created a test file of 750 MB and ran syscheck. The file was added
correctly to the syscheck DB in /var/ossec/queue/syscheck/syscheck:

+++755439186:33184:0:0:547ce19e677e67506bbf9ef7b4c6f42f:6036d5f6813b59fd1b461a59184b0e8ffb26a11b
!1334071299 /var/log/remote/large-file.log

I then appended logs to the file to create a 3GB file:
-rw-r----- 1 root root 3021794472 Apr 10 11:35 large-file.log

I ran syscheck again and then noticed a weird alert:

** Alert 1334072743.333516: mail  - ossec,syscheck,
2012 Apr 10 11:45:43 cbvmalv01->syscheck
Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
Src IP: (none)
User: (none)
File '/var/log/remote/large-file.log' was deleted. Unable to retrieve
checksum.

The file has not been deleted and is still present in the directory.

Additionally, I see that the syscheck DB shows the file as deleted, but
with a new entry showing the same file with 1 change.

#++755439186:33184:0:0:547ce19e677e67506bbf9ef7b4c6f42f:6036d5f6813b59fd1b461a59184b0e8ffb26a11b
!1334071299 /var/log/remote/large-file.log
!++-1273172824:33184:0:0:4fb16a0f6a905610fac619de9a868a8a:78d47e0ff6212c55c6aa87c77cdff88b4de6b830
!1334072743 /var/log/remote/large-file.log

Also, the file size is wrong (1273172824 instead of 3021794472).

Has anyone else noticed this?  Is there a workaround or a fix?

Regards,
Chris
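
An added example, not part of the original post and not OSSEC's own code: the size recorded in the second DB entry, -1273172824, is exactly what 3021794472 becomes when held in a signed 32-bit integer. The C below checks that arithmetic against the two entries quoted above; the function names and the assumed entry layout (three flag characters, then "size:") are illustrative.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Entries copied from the post above (the size is the first field). */
static const char *ENTRY_750MB =
    "+++755439186:33184:0:0:547ce19e677e67506bbf9ef7b4c6f42f:"
    "6036d5f6813b59fd1b461a59184b0e8ffb26a11b";
static const char *ENTRY_3GB =
    "!++-1273172824:33184:0:0:4fb16a0f6a905610fac619de9a868a8a:"
    "78d47e0ff6212c55c6aa87c77cdff88b4de6b830";

/* Value a signed 32-bit field holds after a 64-bit size is truncated. */
int32_t wrap_to_int32(uint64_t real_size)
{
    uint32_t low = (uint32_t)(real_size & 0xFFFFFFFFu);
    int32_t out;
    memcpy(&out, &low, sizeof out);   /* reinterpret bits, two's complement */
    return out;
}

/* Assumed layout, from the entries shown: 3 flag chars, then "size:...".
 * Returns 0 and stores the size on success, -1 on a malformed entry. */
int parse_db_size(const char *entry, long long *size)
{
    char *end;
    if (strlen(entry) < 4)
        return -1;
    *size = strtoll(entry + 3, &end, 10);
    return (end != entry + 3 && *end == ':') ? 0 : -1;
}

/* 1 if the recorded size equals real_size after 32-bit wrap-around. */
int matches_wrapped_size(const char *entry, uint64_t real_size)
{
    long long recorded;
    if (parse_db_size(entry, &recorded) != 0)
        return 0;
    return recorded == (long long)wrap_to_int32(real_size);
}

int main(void)
{
    long long s = 0;
    parse_db_size(ENTRY_3GB, &s);
    printf("recorded=%lld match=%d\n", s,
           matches_wrapped_size(ENTRY_3GB, 3021794472ULL));
    return 0;
}
```

A negative size in a syscheck DB entry is therefore a quick indicator that the monitored file has crossed 2 GB and the stored value has wrapped.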
