Hi,

1. I think you are checking the wrong folder - queue/diff is used to store the files when using 'report_changes' mode (full diff reporting). The syscheck db folder is at queue/syscheck.
2. If this is a new installation - then it takes ossec some time to start triggering some events (~1 day / 2 successful full scans while not restarting the agent).
3. Describe exactly what is not working in realtime - how did you test that? For what kind of event? For example, new files added are never discovered in realtime.

-Roy

On Wednesday, September 11, 2013 7:59:51 AM UTC-7, Stephan Gomes Higuti wrote:
> Hi!
>
> I'm having issues on Real Time detection and syscheck scan, look at
> the time that syscheck took.
>
> 2013/09/11 11:46:57 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> 2013/09/11 11:46:57 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> 2013/09/11 11:46:57 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
> 2013/09/11 11:46:57 ossec-syscheckd: DEBUG: Directory added for real time monitoring: '/srv/www/'.
> 2013/09/11 11:46:57 ossec-syscheckd: DEBUG: Directory added for real time monitoring: '/home/XXXXXX/'.
> 2013/09/11 11:46:57 ossec-syscheckd: DEBUG: Directory added for real time monitoring: '/home/YYYYYYY/'.
> 2013/09/11 11:46:57 ossec-syscheckd: INFO: Real time file monitoring started.
> 2013/09/11 11:46:57 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
> 2013/09/11 11:47:09 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
> 2013/09/11 11:47:29 ossec-rootcheck: INFO: Starting rootcheck scan.
> 2013/09/11 11:47:29 ossec-rootcheck: DEBUG: Starting on check_rc_files
> 2013/09/11 11:47:29 ossec-rootcheck: DEBUG: Starting on check_rc_trojans
>
> Realtime monitoring is not working as well, here is my agent ossec.conf:
>
> <syscheck>
>   <!-- Frequency that syscheck is executed - default to every 22 hours -->
>   <frequency>21600</frequency>
>
>   <scan_on_start>yes</scan_on_start>
>   <auto_ignore>no</auto_ignore>
>   <alert_new_files>yes</alert_new_files>
>
>   <!-- Directories to check (perform all possible verifications) -->
>   <directories report_changes="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>   <directories report_changes="yes" check_all="yes">/bin,/sbin</directories>
>   <directories realtime="yes" check_all="yes">/srv/www,/home/XXXXXX,/home/YYYYYY/apache</directories>
>
>   <!-- Files/directories to ignore -->
>   <ignore>/etc/mtab</ignore>
>   <ignore>/etc/mnttab</ignore>
>   <ignore>/etc/hosts.deny</ignore>
>   <ignore>/etc/mail/statistics</ignore>
>   <ignore>/etc/random-seed</ignore>
>   <ignore>/etc/adjtime</ignore>
>   <ignore>/etc/httpd/logs</ignore>
>   <ignore>/etc/utmpx</ignore>
>   <ignore>/etc/wtmpx</ignore>
>   <ignore>/etc/cups/certs</ignore>
>   <ignore>/etc/dumpdates</ignore>
>   <ignore>/etc/svc/volatile</ignore>
>   <ignore>/var/ossec/queue</ignore>
>   <ignore>/var/ossec/logs</ignore>
>   <ignore>/var/ossec/stats</ignore>
>   <ignore>/var/ossec/var</ignore>
>   <ignore>/home/YYYYYYYY/apache/logs</ignore>
>
> </syscheck>
>
> The weird thing is, I had it working on other servers.
> The syscheck didn't even create all the queues:
>
> # ls /var/ossec/queue/diff/local/
> etc
>
> # du -hsc /var/ossec/queue/diff/local/*
> 608K /var/ossec/queue/diff/local/etc
> 608K total
>
> I've got no idea why the syscheck is kind of jumping the scan, I
> checked the conf files and it seems ok!
> Am I missing anything?
>
> Regards,
>
> Stephan

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
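As an added example, not code from the thread or from OSSEC itself: a small Python script that reads a `<syscheck>` block in the shape Stephan posted and answers Roy's first and third points mechanically. It lists which monitored directories are `report_changes` ones (the only ones that can ever populate `queue/diff`), which are `realtime` ones (the ones that should show up as "Directory added for real time monitoring" in the agent log), which `<ignore>` entries lie outside every monitored tree (such an entry never matches anything, so a misspelled path fails silently), and how long the scan in the log took. The configuration, the user names and the log lines are constructed placeholders modelled on the thread; the function names are my own, not OSSEC's.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample modelled on the <syscheck> block quoted in the thread.
# User names are placeholders; /home/user3 is deliberately NOT monitored so the
# out-of-tree ignore check below has something to report.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <syscheck>
    <frequency>21600</frequency>
    <scan_on_start>yes</scan_on_start>
    <alert_new_files>yes</alert_new_files>
    <directories report_changes="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories report_changes="yes" check_all="yes">/bin,/sbin</directories>
    <directories realtime="yes" check_all="yes">/srv/www,/home/user1,/home/user2/apache</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/var/ossec/queue</ignore>
    <ignore>/home/user2/apache/logs</ignore>
    <ignore>/home/user3/apache/logs</ignore>
  </syscheck>
</ossec_config>
"""

# Constructed log lines in the format the agent log in the thread uses.
SAMPLE_LOG = """2013/09/11 11:46:57 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2013/09/11 11:46:57 ossec-syscheckd: INFO: Real time file monitoring started.
2013/09/11 11:47:09 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
"""


def parse_syscheck(conf_text):
    """Return (directories, ignores) from the <syscheck> block.

    Each directory entry is a dict with the path and the three flags the
    thread cares about: realtime, report_changes and check_all."""
    syscheck = ET.fromstring(conf_text).find("syscheck")
    if syscheck is None:
        raise ValueError("no <syscheck> block found")
    directories = []
    for el in syscheck.findall("directories"):
        # One <directories> element may carry a comma-separated list of paths.
        for raw in (el.text or "").split(","):
            path = raw.strip()
            if not path:
                continue
            directories.append({
                "path": path.rstrip("/") or "/",
                "realtime": el.get("realtime") == "yes",
                "report_changes": el.get("report_changes") == "yes",
                "check_all": el.get("check_all") == "yes",
            })
    ignores = [(el.text or "").strip() for el in syscheck.findall("ignore")]
    return directories, ignores


def diff_capable_dirs(directories):
    """Monitored paths that can produce content under queue/diff:
    only report_changes="yes" entries (realtime alone stores no diffs)."""
    return [d["path"] for d in directories if d["report_changes"]]


def realtime_dirs(directories):
    """Monitored paths that should be listed as 'Directory added for real
    time monitoring' in the agent log."""
    return [d["path"] for d in directories if d["realtime"]]


def out_of_tree_ignores(directories, ignores):
    """<ignore> entries that lie outside every monitored tree.

    They never match anything, so a misspelled ignore path fails silently."""
    def covered(ig):
        for d in directories:
            prefix = d["path"].rstrip("/") + "/"
            if ig == d["path"] or ig.startswith(prefix):
                return True
        return False
    return [ig for ig in ignores if not covered(ig)]


_SCAN_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-syscheckd: INFO: "
    r"(Starting|Ending) syscheck scan"
)


def scan_duration_seconds(log_text):
    """Seconds between a 'Starting syscheck scan' line and the next
    'Ending syscheck scan' line; None if no such pair is found."""
    start = None
    for line in log_text.splitlines():
        m = _SCAN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        if m.group(2) == "Starting":
            start = ts
        elif start is not None:
            return int((ts - start).total_seconds())
    return None


if __name__ == "__main__":
    dirs, ignores = parse_syscheck(SAMPLE_OSSEC_CONF)
    print("report_changes (queue/diff candidates):", diff_capable_dirs(dirs))
    print("realtime:", realtime_dirs(dirs))
    print("ignores outside any monitored tree:", out_of_tree_ignores(dirs, ignores))
    print("scan took", scan_duration_seconds(SAMPLE_LOG), "seconds")
```

Run it against your own `/var/ossec/etc/ossec.conf` and `/var/ossec/logs/ossec.log` by reading those files in place of the constructed strings. On Stephan's configuration it would show that only the `/etc`, `/usr/bin`, `/usr/sbin`, `/bin` and `/sbin` trees can ever leave anything under `queue/diff/local`, so an `ls` there says nothing about whether the realtime directories are being watched.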
