Also of note: no difference between pre-compiled binaries installed from custom RPM package and package manually compiled on server.
On Thursday, November 15, 2012 9:36:48 AM UTC-6, mcrane0 wrote:
>
> It's worth noting that this is only occurring in our Linux environment.
> The AIX agents are correctly reporting diffs with file integrity alerts.
> Both AIX and Linux syscheck directives have the same contents on
> client/server.
>
> Is there any way to debug this? I've set syscheck debug level to 2 on
> client and see no change in logging. It's very frustrating as a.) the
> alert is triggering and, b.) the diff is appearing in
> /var/ossec/queue/diff/local/etc/<file>, but it's not being reported with
> the alert.
>
> On Tuesday, November 13, 2012 11:33:12 AM UTC-6, mcrane0 wrote:
>>
>> Trying to include filesystem integrity alert diffs.
>>
>> Testing with /etc
>>
>> I have verified that both ossec.conf on server and
>> /var/ossec/etc/shared/agent.conf have 'report_changes=yes' for /etc.
>> /var/ossec/queue/diff/local/etc/fstab folder includes the diff file on
>> the client.
>>
>> The alert triggers, but the diff is not included with the alert. Is
>> there some other hidden setting I need to look for? Does ossec.conf on the
>> server need to match agent.conf on the client?
