Just as an update to this, I've done some additional testing and checking on my full debug log. I've figured out that the numbers in the line that was sent to the server are file size:New MD5sum:New SHA1sum.

I've also figured out that since I deleted it, it sends that exact same line during every check that I force from the server side. I'm going to wait and see if it shows up in the next automated syscheck as well, but what I think this indicates is that the Agent can tell that the file has "changed", but since it can't verify the size, MD5, and SHA1 value of a file that is not there, it just sends back the last value it had for it. Either that, or it can somehow still see the file even though it's been deleted. I'm going to look into the idea that volume shadowing is on, just in case, but if someone has a suggestion, I'd still appreciate it.

On Wednesday, January 30, 2013 1:03:02 PM UTC-5, [email protected] wrote:
>
> I'm running Ossec 2.7 on a Centos 5.9 server. I have a Windows Agent on a
> Windows 2008 R2 Server. I can get it to report changes to files and new
> files, but I am unable to get it to report deleted files.
>
> To test, I created a test directory under the folder I monitor and created
> some random test files. It logs the creation, then I alter them, which it
> also logs, but when I remove one of them, I don't get a log.
>
> I turned debugging on and repeated this process, and after I deleted, I
> sent a syscheck request to the agent from the server, and the below entry
> did show up, so it is clearly sending something back to the server, but I'm
> not sure how to proceed with the troubleshooting from here.
>
> 2013/01/30 12:35:07 ossec-agent: DEBUG: Sending message to server:
> '31:33206:0:0:9b143fd3618a6732ff7ce88ca79e8ebb:2d6a596cc25a5f7e9ec8678085126505c44c1ca4
> E:\Indexes/test/test2.txt'
>
> I've seen this has been a problem for others but I've not seen
> a definitive answer, so if someone knows the solution, or if you can point
> me towards the next steps in troubleshooting I'd appreciate it.

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
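The poster is comparing the agent's "Sending message to server" debug lines across forced syscheck runs by hand. The script below is an added example for doing that comparison on a saved ossec.log; it is not code from the post or from the OSSEC project. It assumes the colon-separated block in the payload is laid out as size:perm:uid:gid:md5:sha1 followed by the path (the poster only identifies the size and the two checksums; the mode/uid/gid reading of the other three fields is my assumption), and the sample log is constructed: the first line is the entry from the post re-joined onto one line, the later timestamps and the second file are made up.

```python
"""Added example: parse OSSEC agent 'Sending message to server' debug lines
and flag syscheck entries that are re-sent unchanged on every forced check."""
import re
import stat
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Shape of the debug line quoted in the post (ossec.log with debug enabled).
DEBUG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-agent: DEBUG: "
    r"Sending message to server: '(?P<payload>.*)'$"
)


@dataclass(frozen=True)
class SyscheckEntry:
    ts: str
    size: int   # bytes
    perm: int   # st_mode as a decimal integer (assumed meaning of field 2)
    uid: int    # assumed meaning of field 3 (0 on the Windows agent in the post)
    gid: int    # assumed meaning of field 4
    md5: str
    sha1: str
    path: str

    def attrs(self) -> Tuple:
        """Everything except the timestamp: the part the server compares."""
        return (self.size, self.perm, self.uid, self.gid, self.md5, self.sha1)


def parse_debug_line(line: str) -> Optional[SyscheckEntry]:
    """Return the syscheck entry carried by one debug line, or None.

    Assumed payload layout: 'size:perm:uid:gid:md5:sha1 <path>'. The attribute
    block contains no spaces, the path may, so split on the first space only.
    """
    m = DEBUG_RE.match(line.strip())
    if m is None:
        return None
    attrs, _, path = m.group("payload").partition(" ")
    fields = attrs.split(":")
    if len(fields) != 6 or not path.strip():
        return None
    size, perm, uid, gid, md5, sha1 = fields
    try:
        return SyscheckEntry(m.group("ts"), int(size), int(perm), int(uid),
                             int(gid), md5, sha1, path.strip())
    except ValueError:
        return None


def describe_perm(perm: int) -> Tuple[str, str]:
    """Render the decimal mode field as octal and as an ls-style string."""
    return oct(perm), stat.filemode(perm)


def unchanged_resends(lines: List[str]) -> Dict[str, int]:
    """Per path, count later reports whose attributes equal the first report's.

    A path that was deleted but keeps being reported with the same size and
    checksums gets a non-zero count; a file whose hashes change stays at 0.
    """
    first: Dict[str, Tuple] = {}
    repeats: Dict[str, int] = defaultdict(int)
    for line in lines:
        entry = parse_debug_line(line)
        if entry is None:
            continue
        if entry.path not in first:
            first[entry.path] = entry.attrs()
            repeats[entry.path] = 0
        elif entry.attrs() == first[entry.path]:
            repeats[entry.path] += 1
    return dict(repeats)


# Constructed sample log. Line 1 is the entry from the post re-joined onto one
# line; the rest are made up to show one repeated report and one changing file.
SAMPLE_LINES = [
    "2013/01/30 12:35:07 ossec-agent: DEBUG: Sending message to server: "
    "'31:33206:0:0:9b143fd3618a6732ff7ce88ca79e8ebb:"
    "2d6a596cc25a5f7e9ec8678085126505c44c1ca4 E:\\Indexes/test/test2.txt'",
    "2013/01/30 12:41:19 ossec-agent: DEBUG: Sending message to server: "
    "'31:33206:0:0:9b143fd3618a6732ff7ce88ca79e8ebb:"
    "2d6a596cc25a5f7e9ec8678085126505c44c1ca4 E:\\Indexes/test/test2.txt'",
    "2013/01/30 12:52:03 ossec-agent: DEBUG: Sending message to server: "
    "'31:33206:0:0:9b143fd3618a6732ff7ce88ca79e8ebb:"
    "2d6a596cc25a5f7e9ec8678085126505c44c1ca4 E:\\Indexes/test/test2.txt'",
    # Placeholder checksums (MD5/SHA1 of "" and of "1"), not real file hashes.
    "2013/01/30 12:41:20 ossec-agent: DEBUG: Sending message to server: "
    "'0:33206:0:0:d41d8cd98f00b204e9800998ecf8427e:"
    "da39a3ee5e6b4b0d3255bfef95601890afd80709 E:\\Indexes/test/test1.txt'",
    "2013/01/30 12:52:04 ossec-agent: DEBUG: Sending message to server: "
    "'1:33206:0:0:c4ca4238a0b923820dcc509a6f75849b:"
    "356a192b7913b04c54574d18c28d46e6395428ab E:\\Indexes/test/test1.txt'",
    "2013/01/30 12:52:05 ossec-agent: DEBUG: Starting syscheck scan.",  # ignored
]

if __name__ == "__main__":
    for path, n in unchanged_resends(SAMPLE_LINES).items():
        print(f"{path}: {n} identical re-send(s) after the first report")
    print(describe_perm(33206))  # the mode value from the post
```

Run it against the real log with `unchanged_resends(open("ossec.log").read().splitlines())`: the path of the deleted test file should show a repeat count that grows by one per forced check, while files that still exist and change show 0. Decoding the second field of the post's entry (33206) with `describe_perm` gives 0o100666, a regular file with rw-rw-rw-, which is consistent with that field being a mode rather than a hash or size.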
