I figured out what the problem is -

OSSEC gets the file size and stores it in an 'int'.  For large files >
2GB, the value in the int overflows into a negative range.  When ossec sees
a negative value for size, it assumes that the file has been deleted.

So I guess the fix would be to change the variable holding the size to a
long instead of an int.


On Wed, Apr 11, 2012 at 10:40 AM, Christopher Moraes
<[email protected]>wrote:

> OSSEC running on Debian (2.6.31.6 kernel) on a 64 bit env.
>
> I have noticed a similar problem on RHEL 5 also.  Though the error is
> different.  (Size goes into negative values)
>
>
> On Wed, Apr 11, 2012 at 9:15 AM, dan (ddp) <[email protected]> wrote:
>
>> What OS?
>>
>> On Tue, Apr 10, 2012 at 5:02 PM, Christopher Moraes
>> <[email protected]> wrote:
>> > Hi,
>> >
>> > Has anyone noticed a bug when running syscheck with large files (> 2
>> GB)?
>> >
>> > I created a test file of 750 MB and ran syscheck.  The file was added
>> > correctly to the syscheck DB in /var/ossec/queue/syscheck/syscheck
>> >
>> >
>> +++755439186:33184:0:0:547ce19e677e67506bbf9ef7b4c6f42f:6036d5f6813b59fd1b461a59184b0e8ffb26a11b
>> > !1334071299 /var/log/remote/large-file.log
>> >
>> > I then appended logs to the file to create a 3GB file
>> > -rw-r----- 1 root root 3021794472 Apr 10 11:35 large-file.log
>> >
>> > I ran syscheck again and then noticed a weird alert
>> >
>> > ** Alert 1334072743.333516: mail  - ossec,syscheck,
>> > 2012 Apr 10 11:45:43 cbvmalv01->syscheck
>> > Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
>> > Src IP: (none)
>> > User: (none)
>> > File '/var/log/remote/large-file.log' was deleted. Unable to retrieve
>> > checksum.
>> >
>> > The file has not been deleted and is still present in the directory.
>> >
>> > Additionally, I see that the syscheck DB shows the file as deleted, but
>> with
>> > a new entry showing the same file with 1 change.
>> >
>> >
>> #++755439186:33184:0:0:547ce19e677e67506bbf9ef7b4c6f42f:6036d5f6813b59fd1b461a59184b0e8ffb26a11b
>> > !1334071299 /var/log/remote/large-file.log
>> >
>> !++-1273172824:33184:0:0:4fb16a0f6a905610fac619de9a868a8a:78d47e0ff6212c55c6aa87c77cdff88b4de6b830
>> > !1334072743 /var/log/remote/large-file.log
>> >
>> > Also, the file size is wrong (1273172824 instead of 3021794472)
>> >
>> > Has anyone else noticed this?  Is there a workaround or a fix?
>> >
>> > Regards,
>> > Chris
>> >
>> >
>>
>
>
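The truncation described in the message above, as an added C example (not OSSEC's code): a constructed stat-like record carrying the 3021794472-byte size and mode 33184 from the thread is pushed through a buggy path that keeps the size in an int and through a path that keeps it in a 64-bit type, and each is then formatted the way the size field appears at the front of the syscheck DB line. The struct and function names are assumptions for illustration. One caveat on the proposed fix: 'long' is only 32 bits on 32-bit Linux builds and on 64-bit Windows, so the portable choice is off_t (with 64-bit file offsets enabled) or long long, carried from stat() all the way to the database line.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the stat() fields syscheck records;
 * not OSSEC's own struct.  st_size mirrors a 64-bit off_t. */
struct fake_stat {
    long long st_size;
    unsigned int st_mode;
};

/* Buggy pattern from the thread: the size lands in an int.
 * 3021794472 does not fit in 32 bits; on two's-complement
 * compilers it wraps to -1273172824, the value seen in the DB. */
int size_as_int(long long st_size)
{
    int size = (int)st_size;
    return size;
}

/* Buggy check: a negative size is read as "file deleted". */
int buggy_file_looks_deleted(const struct fake_stat *st)
{
    return size_as_int(st->st_size) < 0;
}

/* Fixed: carry the size in a 64-bit type end to end. */
long long size_as_64(long long st_size)
{
    return st_size;
}

/* With a 64-bit size a real stat() result is never negative. */
int fixed_file_looks_deleted(const struct fake_stat *st)
{
    return size_as_64(st->st_size) < 0;
}

/* Formats "<size>:<mode>" as at the start of the syscheck DB line,
 * so the truncated value becomes visible.  Buggy version. */
int format_entry_buggy(char *out, size_t outlen, const struct fake_stat *st)
{
    return snprintf(out, outlen, "%d:%u", size_as_int(st->st_size), st->st_mode);
}

/* Same line, fixed version using a 64-bit conversion. */
int format_entry_fixed(char *out, size_t outlen, const struct fake_stat *st)
{
    return snprintf(out, outlen, "%lld:%u", size_as_64(st->st_size), st->st_mode);
}

int main(void)
{
    /* Values taken from the thread: 3 GB file, mode 33184 (-rw-r-----). */
    struct fake_stat st = { 3021794472LL, 33184 };
    char line[64];

    format_entry_buggy(line, sizeof line, &st);
    printf("buggy: %s deleted=%d\n", line, buggy_file_looks_deleted(&st));

    format_entry_fixed(line, sizeof line, &st);
    printf("fixed: %s deleted=%d\n", line, fixed_file_looks_deleted(&st));

    /* Why 'long' alone is not a portable fix: it is 32 bits on ILP32 and LLP64. */
    printf("sizeof(int)=%zu sizeof(long)=%zu sizeof(long long)=%zu\n",
           sizeof(int), sizeof(long), sizeof(long long));
    return 0;
}
```

Compile with -Wall; the 750 MB case from the thread (786432000 bytes) fits in an int, which is why the first scan looked correct and only the 3 GB file tripped the negative-size check.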
