2012/9/27 dan (ddp) <[email protected]>

> On Thu, Sep 27, 2012 at 10:12 AM, Michiel van Es <[email protected]>
> wrote:
> >
> >
> > On Thursday 27 September 2012 16:07:24 UTC+2, dan (ddpbsd) wrote the
> > following:
> >>
> >> On Thu, Sep 27, 2012 at 9:49 AM, Michiel van Es <[email protected]>
> >> wrote:
> >> > Hello,
> >> >
> >> > I have installed OSSEC 2.6 on a CentOS 6 64-bit machine via the
> >> > tar.gz + ./install.sh
> >> > I chose the local install since it has to run on one server (a VPS).
> >> > I have noticed after 3 days that
> >> > <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
> >> > has never run when syscheck and rootcheck have run.
> >> > I see a lot of:
> >> > #########
> >> > 2012/09/26 17:28:02 ossec-rootcheck: DEBUG: Starting ...
> >> > 2012/09/26 17:28:15 ossec-rootcheck: DEBUG: Starting ...
> >> > 2012/09/26 17:28:52 ossec-syscheckd: INFO: Starting syscheck scan
> >> > (forwarding database).
> >> > 2012/09/26 17:28:52 ossec-syscheckd: INFO: Starting syscheck database
> >> > (pre-scan).
> >> > 2012/09/26 17:33:55 ossec-syscheckd: INFO: Finished creating syscheck
> >> > database (pre-scan completed).
> >> > 2012/09/26 17:34:07 ossec-syscheckd: INFO: Ending syscheck scan
> >> > (forwarding
> >> > database).
> >> > 2012/09/26 17:34:27 ossec-rootcheck: INFO: Starting rootcheck scan.
> >> > 2012/09/26 17:40:58 ossec-rootcheck: INFO: Ending rootcheck scan.
> >> > 2012/09/26 19:04:15 ossec-rootcheck: INFO: Starting rootcheck scan.
> >> > 2012/09/26 19:10:16 ossec-rootcheck: INFO: Ending rootcheck scan.
> >> > #########
> >> >
> >> > and I have never received one alert for the PHP checks (expose_php = On).
> >> > Also via the ossec-wui I cannot find anything about this.
> >> > It seems it does not check the policies.
> >> >
> >> > How can I trigger the syscheck/rootcheck to check the system for
> >> > policies?
> >> >
> >> > Michiel
> >>
> >> I think if you run everything in debug mode it provides more
> >> information on what is being checked.
> >
> >
> > Ok will check, can I force a root/syscheck so I can check the
> > /var/ossec/log/ossec.log log file ?
>
> Restart OSSEC? Restart ossec-syscheckd?
>
Ok, I do see some entries when I run /var/ossec/bin/rootcheck_control -i
local, but it is never emailed to me.
I will see if I can let it alert when it runs.

Thx.
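As an added illustration (not code from this thread and not OSSEC's own implementation) of what the system_audit_rcl.txt policy check is looking for with the expose_php entry: a small checker in the style of an rcl policy file, run against a constructed php.ini held in memory. Assumptions: the "[name] [any|all] [reference]" header and "f:<path> -> r:<regex>;" condition syntax used in the sample policy, Python's re module standing in for OSSEC's own pattern matcher, and the sample policy and php.ini contents, which are constructed for this example.

```python
import re

# Constructed sample policy in the style of an OSSEC rcl file (assumption: one
# "[name] [any|all] [reference]" header followed by "f:<path> -> r:<regex>;" conditions).
SAMPLE_POLICY = """\
[PHP - Expose PHP] [any] []
f:/etc/php.ini -> r:^expose_php = On;

[PHP - Register globals] [any] []
f:/etc/php.ini -> r:^register_globals = On;

[PHP - Allow URL fopen] [any] []
f:/etc/php.ini -> r:^allow_url_fopen = On;
"""

# Constructed php.ini contents keyed by path, so the check runs without touching disk.
# Only expose_php is really On; register_globals is Off and allow_url_fopen is commented out.
SAMPLE_FILES = {
    "/etc/php.ini": "expose_php = On\nregister_globals = Off\n; allow_url_fopen = On\n",
}

HEADER_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*\[(?P<mode>any|all)\]\s*\[(?P<ref>[^\]]*)\]$")
COND_RE = re.compile(r"^f:(?P<path>\S+)\s*->\s*r:(?P<regex>.+?);?$")


def parse_policy(text):
    """Turn policy text into a list of checks, each with a mode and its file conditions."""
    checks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if m:
            checks.append({"name": m["name"], "mode": m["mode"], "ref": m["ref"], "conds": []})
            continue
        m = COND_RE.match(line)
        if m and checks:
            checks[-1]["conds"].append((m["path"], m["regex"]))
        # Any other syntax (directories, registry, negated patterns) is outside this example.
    return checks


def cond_matches(files, path, regex):
    """True if any line of the file at `path` matches `regex` (Python re, an assumption)."""
    content = files.get(path)
    if content is None:
        return False  # a missing file never satisfies a positive check
    pat = re.compile(regex)
    return any(pat.search(line) for line in content.splitlines())


def run_audit(policy_text, files):
    """Return the names of the checks that fired, honouring the any/all mode."""
    findings = []
    for chk in parse_policy(policy_text):
        results = [cond_matches(files, p, r) for p, r in chk["conds"]]
        if not results:
            continue
        hit = any(results) if chk["mode"] == "any" else all(results)
        if hit:
            findings.append(chk["name"])
    return findings


if __name__ == "__main__":
    for name in run_audit(SAMPLE_POLICY, SAMPLE_FILES):
        print("policy violation:", name)
```

With the constructed php.ini above only "PHP - Expose PHP" fires, which is the alert the original poster was expecting to see from the real policy run; the commented-out allow_url_fopen line is deliberately there to show that a leading ";" defeats an anchored "^" pattern.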
