I am running OSSEC 2.6 on CentOS 5.3. I schedule an integrity check on the servers at 8pm every day. We made a change to /etc/passwd in May, but OSSEC reported the change in July.

** Alert 1374147215.4305437: - ossec,syscheck,
2013 Jul 18 20:33:35 (abc) 172.31.157.26->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
Size changed from '1885' to '1886'
Old md5sum was: '4f44d2ed0aece41fec18ead89ebab384'
New md5sum is : 'f50f15e9a541d1d60a9cdec6a0bc6ac4'
Old sha1sum was: 'af29f7247b968a6c5dadf8673cd7b57854ba2604'
New sha1sum is : '42e00da4da20e3ced4340401ad072757c8bfbc6d'

The log seems fine every day on the server, and the OSSEC server was restarted at 1:00 am every day, so the server was not reached around 1:00.

2013/07/18 20:01:58 ossec-rootcheck: INFO: Starting rootcheck scan.
2013/07/18 20:26:27 ossec-rootcheck: INFO: Ending rootcheck scan.
2013/07/18 20:27:07 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2013/07/18 20:27:07 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2013/07/18 20:57:23 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2013/07/18 20:57:37 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2013/07/18 20:58:41 ossec-syscheckd: INFO: Ending syscheck scan.
2013/07/19 01:00:03 ossec-agentd(1218): ERROR: Unable to send message to server.
2013/07/19 01:00:04 ossec-agentd(1218): ERROR: Unable to send message to server.
2013/07/19 01:00:05 ossec-agentd(1218): ERROR: Unable to send message to server.
2013/07/19 01:00:19 ossec-execd: INFO: Active response command not present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this system.
2013/07/19 01:00:19 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
2013/07/19 01:00:19 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning...
2013/07/19 01:00:19 ossec-agentd(1225): INFO: SIGNAL Received. Exit Cleaning...
2013/07/19 01:00:19 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
2013/07/19 01:00:19 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
2013/07/19 01:00:19 ossec-execd: INFO: Started (pid: 25828).

Does anyone know what possible issue caused this?
