On Wed, Nov 27, 2013 at 9:16 AM, C. L. Martinez <[email protected]> wrote:
> On Wed, Nov 27, 2013 at 1:35 PM, dan (ddp) <[email protected]> wrote:
>> On Wed, Nov 27, 2013 at 2:03 AM, C. L. Martinez <[email protected]> wrote:
>>> Ok, only works if I put the following entry under syscheck section:
>>>
>>> <directories report_changes="yes" realtime="yes"
>>> check_all="yes">/etc,/var/ossec/etc/shared</directories>
>>>
>>
>> Where else would you put it?
>
> Only in the agent.conf ..
>

But still in the syscheck section...

>>
>>> but for freebsd agents it doesn't work because freebsd doesn't
>>> support inotify ...
>>>
>>
>> Is /var/ossec/etc/shared defined in the FreeBSD config at all?
>
> Yes.
>
> Does agent.conf show up in the syscheck db for that agent (`grep agent.conf
> /var/ossec/queue/syscheck/agent_syscheck_db`)?
>
> agent_syscheck_db doesn't exist in my agents ...
>

That is correct. I thought you would be able to look it up without explicit instructions, but apparently not.

The syscheck database files are still only stored on the server, NEVER THE AGENTS. The format will be something like the following:

(AGENT-ID) AGENT-IP->syscheck

So, check for agent.conf in the file (ON THE SERVER) /var/ossec/queue/syscheck/(AGENT-ID) AGENT-IP->syscheck REPLACING AGENT-ID AND AGENT-IP WITH THE APPROPRIATE VALUES FOR AN AGENT THAT IS NOT WORKING PROPERLY.

If the current file is listed (the md5 is the 5th or 6th field in the entry, delimited by ":"), clear the database and force a syscheck run on the agent. Determine whether this file is then relisted in the database file.

> root@agent02:~ # ls -la /var/ossec/queue/syscheck/agent_syscheck_db
> ls: /var/ossec/queue/syscheck/agent_syscheck_db: No such file or directory
>
> root@agent02:~ # ls -la /var/ossec/queue/syscheck/
> total 4
> dr-xr-x--- 2 root ossec 512 Nov 22 08:39 .
> dr-xr-x--- 7 root ossec 512 Nov 22 08:39 ..
>>
>> Are any syscheck rules firing for your freebsd systems?
>>
>
> Yes, for example for any file modified under /etc directory ...
>

What are the differences between the <directories> entry that lists /etc and the one that lists /var/ossec/etc/shared?

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
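The server-side check described in this thread (is agent.conf listed in the agent's syscheck database, and with which md5) as an added example; this is not OSSEC's own code and not from any poster. The database contents below are constructed, and the line layout (colon-delimited attributes, then `!<timestamp> <path>`) is an assumption; the md5 is located by shape within fields 5 and 6 rather than by a fixed index, since the thread says either position may hold it.

```python
import re
import sys

# Constructed sample of a server-side database file, i.e. what
# /var/ossec/queue/syscheck/(AGENT-ID) AGENT-IP->syscheck might hold.
# Field layout is assumed for this example: size:perm:uid:gid:md5:sha1,
# then " !<timestamp> <path>".
SAMPLE_DB = """\
+++1234:33188:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 !1385542800 /etc/passwd
+++512:33188:0:0:fedcba9876543210fedcba9876543210:da39a3ee5e6b4b0d3255bfef95601890afd80709 !1385542801 /var/ossec/etc/shared/agent.conf
"""

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_entry(line):
    """Split one database line into (path, md5); None if it does not parse."""
    line = line.rstrip("\n")
    attrs, sep, rest = line.partition(" !")
    if not sep:
        return None
    _timestamp, _sp, path = rest.partition(" ")
    if not path:
        return None
    fields = attrs.split(":")
    # Prefer the 5th/6th field (index 4/5) as the thread states, but fall
    # back to any 32-hex field so a shifted layout is still handled.
    md5 = next((f for f in fields[4:6] if MD5_RE.match(f)), None)
    if md5 is None:
        md5 = next((f for f in fields if MD5_RE.match(f)), None)
    return path, md5


def lookup(db_text, wanted_path):
    """Return the md5 recorded for wanted_path, or None if it is not listed."""
    for line in db_text.splitlines():
        parsed = parse_entry(line)
        if parsed and parsed[0] == wanted_path:
            return parsed[1]
    return None


if __name__ == "__main__":
    # Usage: python check_syscheck_db.py "<path to agent db file>" [file]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DB
    target = sys.argv[2] if len(sys.argv) > 2 else "/var/ossec/etc/shared/agent.conf"
    md5 = lookup(text, target)
    print(f"{target}: {'listed, md5=' + md5 if md5 else 'NOT listed'}")
```

If the file is listed, clearing the database and forcing a syscheck run, then re-running this lookup, shows whether the agent actually re-reports it.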
