I'm trying to replicate this too. The agent is still monitoring the 
directory, but the DEBUG logs do not show any record of the file being 
deleted. The server only reports the file being added to the DB.

On Wednesday, January 30, 2013 10:20:28 PM UTC-5, [email protected] wrote:
>
> ok, I feel dumb.  I've described the problem incorrectly.  I was looking 
> at the wrong test file.  I redid the entire process, and now I'm seeing 
> that after the file deletes, it no longer shows up on the syscheck again. 
>  Here are the steps I took to test.
>
> 1) Restart Agent and let it run the initial syscheck
> 2) After Syscheck is done, delete the file
> 3) Restart the Agent again and let it run initial syscheck again
> 4) Force Syscheck from the Server
>
> It does not show after 3 or 4.
>
> I'm going to test skipping step 3 and do a force syscheck after deleting 
> the file and see if it is logged at all.
>
> If not, then it looks like the Agent isn't even reporting that the file is 
> no longer there.
>
> On Wednesday, January 30, 2013 1:03:02 PM UTC-5, [email protected] wrote:
>>
>> I'm running OSSEC 2.7 on a CentOS 5.9 server.  I have a Windows Agent on 
>> a Windows 2008 R2 Server. I can get it to report changes to files and new 
>> files, but I am unable to get it to report deleted files.
>>
>> To test, I created a test directory under the folder I monitor and 
>> created some random test files.  It logs the creation, then I alter them, 
>> which it also logs, but when I remove one of them, I don't get a log.
>>
>> I turned Debugging on, and repeated this process, and after I deleted, I 
>> sent a syscheck request to the agent from the server, and the below entry 
>> did show up, so it is clearly sending something back to the server, but I'm 
>> not sure how to proceed with the troubleshoot from here.
>>
>> 2013/01/30 12:35:07 ossec-agent: DEBUG: Sending message to server: '31:33206:0:0:9b143fd3618a6732ff7ce88ca79e8ebb:2d6a596cc25a5f7e9ec8678085126505c44c1ca4 E:\Indexes/test/test2.txt'
>>
>> I've seen this has been a problem for others but I've not seen 
>> a definitive answer, so if someone knows the solution, or if you can point 
>> me towards the next steps in troubleshooting I'd appreciate it.
>>
>
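
An added example, not part of the original thread and not OSSEC's own code: a small parser for the agent DEBUG lines quoted above, to check whether the agent ever sent a deletion for a given path. It assumes the payload layout `size:perm:uid:gid:md5:sha1 path` and that a deleted file is sent with `-1` in place of the checksum; the second log line and its path are constructed.

```python
import re

# The payload is the single-quoted string after "Sending message to server:".
# [^']* also spans line breaks, so a wrapped log entry still matches.
SENT = re.compile(r"DEBUG: Sending message to server:\s*'([^']*)'")

def parse_payload(payload):
    """Split a syscheck payload into checksum fields and path."""
    pieces = payload.split(None, 1)
    if len(pieces) != 2:
        return {"event": "unparsed", "path": None}
    checksum, path = pieces[0], pieces[1].strip()
    if checksum == "-1":  # assumed deletion marker
        return {"event": "deleted", "path": path}
    fields = checksum.split(":")
    if len(fields) != 6 or not (fields[0].isdigit() and fields[1].isdigit()):
        return {"event": "unparsed", "path": path}
    size, mode, uid, gid, md5, sha1 = fields
    return {"event": "present", "path": path, "size": int(size),
            "mode": oct(int(mode)),  # st_mode is logged in decimal
            "uid": uid, "gid": gid, "md5": md5, "sha1": sha1}

def events(log_text):
    """Return one parsed record per syscheck message found in the log."""
    return [parse_payload(m.group(1)) for m in SENT.finditer(log_text)]

def deletion_reported(log_text, path):
    """True if the agent log shows a deletion message for this path."""
    return any(e["event"] == "deleted" and e["path"] == path
               for e in events(log_text))

# First line is the entry from the thread; second line is constructed.
SAMPLE = r"""
2013/01/30 12:35:07 ossec-agent: DEBUG: Sending message to server: '31:33206:0:0:9b143fd3618a6732ff7ce88ca79e8ebb:2d6a596cc25a5f7e9ec8678085126505c44c1ca4 E:\Indexes/test/test2.txt'
2013/01/30 12:40:11 ossec-agent: DEBUG: Sending message to server: '-1 E:\Indexes/test/test1.txt'
"""

if __name__ == "__main__":
    for e in events(SAMPLE):
        print(e["event"], e["path"], e.get("mode", ""))
    print("test2.txt deletion sent:",
          deletion_reported(SAMPLE, r"E:\Indexes/test/test2.txt"))
```

Read this way, the entry quoted in the thread is a normal "file present" report (31 bytes, mode 0o100666), not a deletion.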
