On Wed, Nov 27, 2013 at 2:25 PM, dan (ddp) <[email protected]> wrote:
> On Wed, Nov 27, 2013 at 9:16 AM, C. L. Martinez <[email protected]> wrote:
>> On Wed, Nov 27, 2013 at 1:35 PM, dan (ddp) <[email protected]> wrote:
>>> On Wed, Nov 27, 2013 at 2:03 AM, C. L. Martinez <[email protected]>
>>> wrote:
>>>> Ok, only works if I put the following entry under syscheck section:
>>>>
>>>> <directories report_changes="yes" realtime="yes"
>>>> check_all="yes">/etc,/var/ossec/etc/shared</directories>
>>>>
>>>
>>> Where else would you put it?
>>
>> Only in the agent.conf ..
>>
>
> But still in the syscheck section...
>
Yes, but if it is not under the syscheck section, it doesn't work ...

>>>
>>>> but for freebsd agents it doesn't work because freebsd doesn't
>>>> support inotify ...
>>>>
>>>
>>> Is /var/ossec/etc/shared defined in the FreeBSD config at all?
>>
>> Yes.
>>
>> Does agent.conf show up in the syscheck db for that agent (`grep agent.conf
>> /var/ossec/queue/syscheck/agent_syscheck_db`)?
>>
>> agent_syscheck_db doesn't exist in my agents ...
>>
>
> That is correct. I thought you would be able to look it up without
> explicit instructions, but apparently not.

Sorry, but I understood you to mean that I need to check the agent side ...

>
> The syscheck database files are still only stored on the server, NEVER
> THE AGENTS.
> The format will be something like the following:
> (AGENT-ID) AGENT-IP->syscheck
>
> So, check for agent.conf in the file (ON THE SERVER)
> /var/ossec/queue/syscheck/(AGENT-ID) AGENT-IP->syscheck
>
> REPLACING AGENT-ID AND AGENT-IP WITH THE APPROPRIATE VALUES FOR AN
> AGENT THAT IS NOT WORKING PROPERLY.
>
> If the current file is listed (the md5 is the 5th or 6th field in the
> entry, delimited by ":"), clear the database and force a syscheck run
> on the agent. Determine whether this file is then relisted in the
> database file.

Ok, I will try it ..

>
>>> Are any syscheck rules firing for your freebsd systems?
>>>
>>
>> Yes, for example for any file modified under /etc directory ...
>>
>
> What are the differences between the <directories> entry that lists
> /etc and the one that lists /var/ossec/etc/shared?

None. Both are in the same line entry under the syscheck section ...
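As an added example (not code from the thread or from OSSEC), a small POSIX shell helper that carries out dan's server-side check: it builds the "(AGENT-ID) AGENT-IP->syscheck" database path and reports the md5 recorded for a given file, returning failure when the agent never reported that file. The entry layout (colon-delimited attributes with the md5 in the 5th field, then "!timestamp path"), the agent id/IP, the hashes and the database contents are all constructed, and SYSCHECK_ROOT defaults to a temp dir instead of /var/ossec/queue/syscheck so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. Looks one file up in an agent's
# server-side syscheck database and prints the md5 recorded for it.
# Assumed entry layout (from the thread): colon-delimited attributes with
# the md5 in the 5th field, followed by "!<timestamp> <path>".

# Where the per-agent databases live; defaults to a temp dir so the sample
# runs without a real OSSEC server (real path: /var/ossec/queue/syscheck).
SYSCHECK_ROOT="${SYSCHECK_ROOT:-$(mktemp -d)}"

# Path of the server-side database for one agent: "(ID) IP->syscheck".
# The space and "->" in the name are why every use below is quoted.
agent_db_path() {
    printf '%s/(%s) %s->syscheck\n' "$SYSCHECK_ROOT" "$1" "$2"
}

# Constructed sample database for agent 001 at 10.0.0.5 (dummy hashes).
make_sample_db() {
    cat > "$(agent_db_path 001 10.0.0.5)" <<'EOF'
+++220:33188:0:0:6d5f7a2b9c1e4f3a8b7c6d5e4f3a2b1c:0123456789abcdef0123456789abcdef01234567 !1385560000 /etc/hosts
+++812:33188:0:0:9e107d9d372bb6826bd81d3542a419d6:89abcdef0123456789abcdef0123456789abcdef !1385560001 /var/ossec/etc/shared/agent.conf
EOF
}

# Print the md5 recorded for FILE ($3) in the database of agent ID ($1) /
# IP ($2). Returns 1 when the file is absent, i.e. syscheck on that agent
# never reported it (the symptom discussed in the thread). If a path
# appears more than once, the last entry wins.
syscheck_md5() {
    awk -v f="$3" '
        $NF == f { split($1, a, ":"); md5 = a[5] }   # $1 holds the ":" fields
        END { if (md5 == "") exit 1; print md5 }
    ' "$(agent_db_path "$1" "$2")"
}

# Stand-alone run: build the sample database and look up agent.conf.
make_sample_db
syscheck_md5 001 10.0.0.5 /var/ossec/etc/shared/agent.conf
```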
