2012/9/27 Michiel van Es <[email protected]>
> 2012/9/27 dan (ddp) <[email protected]>
>> On Thu, Sep 27, 2012 at 10:12 AM, Michiel van Es <[email protected]> wrote:
>>> On Thursday 27 September 2012 16:07:24 UTC+2, dan (ddpbsd) wrote the following:
>>>> On Thu, Sep 27, 2012 at 9:49 AM, Michiel van Es <[email protected]> wrote:
>>>>> Hello,
>>>>>
>>>>> I have installed OSSEC 2.6 on a CentOS 6 64 bit machine via the tar.gz + ./install.sh
>>>>> I chose the local install since it has to run on 1 server (a VPS).
>>>>> I have noticed after 3 days that
>>>>> <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
>>>>> has never run when syscheck and rootcheck have run.
>>>>> I see a lot of:
>>>>> #########
>>>>> 2012/09/26 17:28:02 ossec-rootcheck: DEBUG: Starting ...
>>>>> 2012/09/26 17:28:15 ossec-rootcheck: DEBUG: Starting ...
>>>>> 2012/09/26 17:28:52 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>>>>> 2012/09/26 17:28:52 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
>>>>> 2012/09/26 17:33:55 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
>>>>> 2012/09/26 17:34:07 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
>>>>> 2012/09/26 17:34:27 ossec-rootcheck: INFO: Starting rootcheck scan.
>>>>> 2012/09/26 17:40:58 ossec-rootcheck: INFO: Ending rootcheck scan.
>>>>> 2012/09/26 19:04:15 ossec-rootcheck: INFO: Starting rootcheck scan.
>>>>> 2012/09/26 19:10:16 ossec-rootcheck: INFO: Ending rootcheck scan.
>>>>> #########
>>>>>
>>>>> and never received one alert for the PHP checks (expose_php = On).
>>>>> Also via the ossec-wui I cannot find anything about this.
>>>>> It seems it does not check the policies.
>>>>>
>>>>> How can I trigger the syscheck/rootcheck to check the system for policies?
>>>>>
>>>>> Michiel
>>>>
>>>> I think if you run everything in debug mode it provides more information on what is being checked.
>>>
>>> Ok, will check. Can I force a root/syscheck so I can check the /var/ossec/log/ossec.log log file?
>>
>> Restart OSSEC? Restart ossec-syscheckd?
>
> Ok, I do see some entries when I run /var/ossec/bin/rootcheck_control -i local, but it is never emailed to me.
> I will see if I can let it alert when it runs.
>
> Thx.

Stupid question, but /var/ossec/bin/rootcheck_control -i local shows System Audit entries, but these entries are never in alert.log and are never emailed.
On a setup with a manager and agents this works perfectly and emails just fine, but on a local (1 box) install I never receive alerts. Am I overlooking things?
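The ossec.log excerpt quoted in the thread is the only evidence the poster has of what the scanners actually did, so a small parser that turns those lines into scan windows (and checks whether anything in the log ever mentions the policy/system-audit checks) is a quick way to confirm the symptom before digging into alerting. The following is an added example written for this thread, not code from the mailing list or from the OSSEC project. It assumes only the line layout visible in the excerpt (`YYYY/MM/DD HH:MM:SS daemon: LEVEL: message`) and the exact "Starting ... scan" / "Ending ... scan" wording shown there; the keyword list used to spot policy-check lines is a guess, not a documented OSSEC message set.

```python
import re
from datetime import datetime

# Constructed sample: the ossec.log excerpt from the thread, with the
# wrapped lines re-joined onto single lines.
SAMPLE_LOG = """\
2012/09/26 17:28:02 ossec-rootcheck: DEBUG: Starting ...
2012/09/26 17:28:15 ossec-rootcheck: DEBUG: Starting ...
2012/09/26 17:28:52 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2012/09/26 17:28:52 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2012/09/26 17:33:55 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2012/09/26 17:34:07 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2012/09/26 17:34:27 ossec-rootcheck: INFO: Starting rootcheck scan.
2012/09/26 17:40:58 ossec-rootcheck: INFO: Ending rootcheck scan.
2012/09/26 19:04:15 ossec-rootcheck: INFO: Starting rootcheck scan.
2012/09/26 19:10:16 ossec-rootcheck: INFO: Ending rootcheck scan.
"""

# Line layout as it appears in the excerpt (assumption: OSSEC 2.6 ossec.log).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w-]+): (?P<level>[A-Z]+): (?P<msg>.*)$"
)

# Start/end markers taken verbatim from the excerpt.
SCAN_KINDS = {
    "rootcheck": ("Starting rootcheck scan", "Ending rootcheck scan"),
    "syscheck": ("Starting syscheck scan", "Ending syscheck scan"),
}

# Hypothetical keywords that a policy / system_audit check line might carry.
POLICY_KEYWORDS = ("system_audit", "system audit", "policy")


def parse_line(line):
    """Return a dict for one ossec.log line, or None for non-matching text (e.g. '#########')."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        "daemon": m["daemon"],
        "level": m["level"],
        "msg": m["msg"],
    }


def scan_windows(text):
    """Pair Starting/Ending lines per scan kind.

    Returns a list of (kind, start, end, seconds) in the order scans ended.
    A scan that started but never ended is appended with end=None, seconds=None,
    which is the case worth noticing when a daemon hangs or is restarted mid-scan.
    """
    open_scans = {}
    windows = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for kind, (start_marker, end_marker) in SCAN_KINDS.items():
            if rec["msg"].startswith(start_marker):
                open_scans[kind] = rec["ts"]
            elif rec["msg"].startswith(end_marker) and kind in open_scans:
                start = open_scans.pop(kind)
                seconds = int((rec["ts"] - start).total_seconds())
                windows.append((kind, start, rec["ts"], seconds))
    for kind, start in open_scans.items():
        windows.append((kind, start, None, None))
    return windows


def mentions_policy_check(text):
    """True if any parsed line refers to the policy / system_audit checks (keyword heuristic)."""
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec and any(k in rec["msg"].lower() for k in POLICY_KEYWORDS):
            return True
    return False


if __name__ == "__main__":
    for kind, start, end, seconds in scan_windows(SAMPLE_LOG):
        state = f"{seconds}s" if seconds is not None else "NEVER ENDED"
        print(f"{kind:10s} {start}  ->  {end}  ({state})")
    print("policy/system_audit mentioned:", mentions_policy_check(SAMPLE_LOG))
```

Run against the excerpt it reports one syscheck window and two rootcheck windows, each a few minutes long, and no line at all that refers to the policy checks, which matches the poster's observation that rootcheck runs but the system_audit policy never seems to. Feeding it the full `/var/ossec/log/ossec.log` after a restart with debug enabled (as suggested in the thread) shows whether that changes.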
