It's worth noting that this is only occurring in our Linux environment.
The AIX agents are correctly reporting diffs with file integrity alerts.
Both AIX and Linux syscheck directives have the same contents on
client/server.

Is there any way to debug this?  I've set syscheck debug level to 2 on 
client and see no change in logging.  It's very frustrating as a.) the 
alert is triggering, and b.) the diff is appearing in 
/var/ossec/queue/diff/local/etc/<file>, but it's not being reported with 
the alert.

On Tuesday, November 13, 2012 11:33:12 AM UTC-6, mcrane0 wrote:
>
> Trying to include filesystem integrity alert diffs.
>
> Testing with /etc
>
> I have verified that both ossec.conf on server and 
> /var/ossec/etc/shared/agent.conf have 'report_changes=yes' for /etc.  
> /var/ossec/queue/diff/local/etc/fstab folder includes the diff file on the 
> client.
>
> The alert triggers, but the diff is not included with the alert.  Is there 
> some other hidden setting I need to look for?  Does ossec.conf on the 
> server need to match agent.conf on the client?  
>
>
