On Thu, Sep 27, 2012 at 9:49 AM, Michiel van Es <[email protected]> wrote:
> Hello,
>
> I have installed OSSEC 2.6 on a CentOS 6 64 bit machine via the tar.gz +
> ./install.sh
> I chose the local install since it has to run on 1 server (a VPS).
> I have noticed after 3 days that
> <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit> has
> never run when syscheck and rootcheck have run.
> I see a lot of:
> #########
> 2012/09/26 17:28:02 ossec-rootcheck: DEBUG: Starting ...
> 2012/09/26 17:28:15 ossec-rootcheck: DEBUG: Starting ...
> 2012/09/26 17:28:52 ossec-syscheckd: INFO: Starting syscheck scan
> (forwarding database).
> 2012/09/26 17:28:52 ossec-syscheckd: INFO: Starting syscheck database
> (pre-scan).
> 2012/09/26 17:33:55 ossec-syscheckd: INFO: Finished creating syscheck
> database (pre-scan completed).
> 2012/09/26 17:34:07 ossec-syscheckd: INFO: Ending syscheck scan (forwarding
> database).
> 2012/09/26 17:34:27 ossec-rootcheck: INFO: Starting rootcheck scan.
> 2012/09/26 17:40:58 ossec-rootcheck: INFO: Ending rootcheck scan.
> 2012/09/26 19:04:15 ossec-rootcheck: INFO: Starting rootcheck scan.
> 2012/09/26 19:10:16 ossec-rootcheck: INFO: Ending rootcheck scan.
> #########
>
> and never received one alert for the PHP checks (expose_php = On).
> Also via the ossec-wui I cannot find anything about this.
> It seems it does not check the policies.
>
> How can I trigger the syscheck/rootcheck to check the system for policies?
>
> Michiel

I think if you run everything in debug mode it provides more
information on what is being checked.
