OSSEC running on Debian (2.6.31.6 kernel) on a 64-bit env. I have noticed a similar problem on RHEL 5 also, though the error is different (size goes into negative values).
On Wed, Apr 11, 2012 at 9:15 AM, dan (ddp) <[email protected]> wrote:
> What OS?
>
> On Tue, Apr 10, 2012 at 5:02 PM, Christopher Moraes
> <[email protected]> wrote:
> > Hi,
> >
> > Has anyone noticed a bug when running syscheck with large files (> 2 GB)?
> >
> > I created a test file of 750 MB and ran syscheck. The file was added
> > correctly to the syscheck DB in /var/ossec/queue/syscheck/syscheck
> >
> > +++755439186:33184:0:0:547ce19e677e67506bbf9ef7b4c6f42f:6036d5f6813b59fd1b461a59184b0e8ffb26a11b !1334071299 /var/log/remote/large-file.log
> >
> > I then appended logs to the file to create a 3GB file
> > -rw-r----- 1 root root 3021794472 Apr 10 11:35 large-file.log
> >
> > I ran syscheck again and then noticed a weird alert
> >
> > ** Alert 1334072743.333516: mail - ossec,syscheck,
> > 2012 Apr 10 11:45:43 cbvmalv01->syscheck
> > Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
> > Src IP: (none)
> > User: (none)
> > File '/var/log/remote/large-file.log' was deleted. Unable to retrieve
> > checksum.
> >
> > The file has not been deleted and is still present in the directory.
> >
> > Additionally, I see that the syscheck DB shows the file as deleted, but with
> > a new entry showing the same file with 1 change.
> >
> > #++755439186:33184:0:0:547ce19e677e67506bbf9ef7b4c6f42f:6036d5f6813b59fd1b461a59184b0e8ffb26a11b !1334071299 /var/log/remote/large-file.log
> > !++-1273172824:33184:0:0:4fb16a0f6a905610fac619de9a868a8a:78d47e0ff6212c55c6aa87c77cdff88b4de6b830 !1334072743 /var/log/remote/large-file.log
> >
> > Also, the file size is wrong (1273172824 instead of 3021794472)
> >
> > Has anyone else noticed this? Is there a workaround or a fix?
> >
> > Regards,
> > Chris
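
Added example, not part of the original thread and not OSSEC code: the size recorded in the second DB entry quoted above, -1273172824, equals the real size 3021794472 minus 2^32, which is what a byte count above 2 GB looks like after passing through a signed 32-bit integer. That this is the cause inside syscheck is an assumption the thread does not confirm; the helper names are hypothetical, and the entry layout (three flag characters, then `size:`) is inferred from the quoted entries.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value a byte count takes if it is squeezed through a signed 32-bit
 * integer (assumed cause; the thread does not confirm it). */
static int64_t wrap32(int64_t size) {
    uint32_t low = (uint32_t)(uint64_t)size;          /* keep low 32 bits */
    return low >= 0x80000000u ? (int64_t)low - 4294967296LL : (int64_t)low;
}

/* Read the size field of a syscheck DB entry. Layout inferred from the
 * entries quoted in the thread: 3 flag chars, then "size:perm:uid:...". */
static int entry_size(const char *entry, int64_t *size) {
    char *end;
    if (strlen(entry) < 4) return -1;
    long long v = strtoll(entry + 3, &end, 10);
    if (end == entry + 3 || *end != ':') return -1;
    *size = v;
    return 0;
}

/* 0 = recorded size matches, 1 = recorded size is the 32-bit wrap of the
 * real size, 2 = some other mismatch, -1 = entry could not be parsed. */
static int check_entry(const char *entry, int64_t actual) {
    int64_t rec;
    if (entry_size(entry, &rec) != 0) return -1;
    if (rec == actual) return 0;
    return rec == wrap32(actual) ? 1 : 2;
}

/* Entries as quoted in the thread (timestamp and path omitted). */
static const char *ENTRY_750MB = "+++755439186:33184:0:0:547ce19e677e67506bbf9ef7b4c6f42f:6036d5f6813b59fd1b461a59184b0e8ffb26a11b";
static const char *ENTRY_3GB = "!++-1273172824:33184:0:0:4fb16a0f6a905610fac619de9a868a8a:78d47e0ff6212c55c6aa87c77cdff88b4de6b830";

int main(void) {
    /* 755439186 is assumed to be the real size of the first file;
     * 3021794472 is the size shown by ls in the thread. */
    printf("750 MB entry: %d\n", check_entry(ENTRY_750MB, 755439186LL));
    printf("3 GB entry:   %d\n", check_entry(ENTRY_3GB, 3021794472LL));
    printf("wrap32(3021794472) = %lld\n", (long long)wrap32(3021794472LL));
    return 0;
}
```

A file-integrity database can be audited the same way: any entry whose recorded size is negative, or equals the on-disk size wrapped to 32 bits, points at size handling rather than at a real file change.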
