On 09/02/2014 03:42 PM, Bonnie Beeler wrote:
> Yes, they all have the same time, Windows and Linux. I'm not sure what
> you mean by "I assumed you knew what you were doing when you posted". I
> have been into OSSEC for all of 1 week with my new job, so I don't know
> a whole lot about it, other than to install pair to the server, run
> individual syschecks and the basic commands listed on the site on the
> Linux side. However, I am primarily a Windows person and would love
> to get the time stamp showing the file change date\time if possible. I
> will check the source code to see what I can find on how to pull this
> info. So, you are saying it is a simple change to get this info? I
> don't want to get too deep into it if it takes a whole lot of work, as
> this would just help me a bit and isn't completely a necessity.
It's quite possible that the time shown for the change is ahead of the time of the actual change. OSSEC doesn't trust the file attributes, since they could have been modified by the attacker. For scheduled syscheck scans, I would expect the time to be as much as 22 hours after the file actually changed; for real-time, it should be very close (within a second or two).

When you say report, do you mean ossec-reportd or the alert? For simplicity's sake, let's focus on the alert. Are you using real-time? If not, is the changed time in the alert within 22 hours of the actual file change?

Oh, and are you running 2.8? There have been some syscheck-related bugs fixed.
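The check asked for above (is the alert time within the scan window of the file's actual change, or within a second or two for real-time?) as an added example, not code from this thread or from the OSSEC project. It assumes the stock syscheck `<frequency>` of 79200 seconds (22 hours) and the alerts.log layout where each alert begins with `** Alert <epoch>.<id>:` and a syscheck alert carries an `Integrity checksum changed for:` line; the alert text and mtimes below are constructed. As the reply notes, the mtime comes from the file system and can be set by an attacker, so the script only uses it to judge whether the alert's lag is plausible, not as ground truth.

```python
"""Compare OSSEC syscheck alert times against file mtimes (added example).

Assumptions, not taken from the thread or the OSSEC source:
  - default syscheck <frequency> is 79200 s (22 h), as in the stock ossec.conf
  - alerts.log entries start with '** Alert <epoch>.<id>:' and syscheck alerts
    contain a line "Integrity checksum changed for: '<path>'"
The mtime is untrusted input (the attacker can touch it); the classification
only says whether the gap is consistent with the scan mode, nothing more.
"""
import os
import re

DEFAULT_FREQUENCY = 79200   # seconds between scheduled scans (assumed default)
REALTIME_SLACK = 5          # seconds; real-time alerts should land within a few seconds

ALERT_HEADER = re.compile(r"^\*\* Alert (\d+)\.\d+:")
CHANGED_FILE = re.compile(r"^Integrity checksum changed for: '(.+)'$")


def parse_syscheck_alerts(alert_text):
    """Yield (alert_epoch, path) for every syscheck change alert in the text."""
    epoch = None
    for line in alert_text.splitlines():
        m = ALERT_HEADER.match(line)
        if m:
            epoch = int(m.group(1))      # epoch prefix is the reliable timestamp
            continue
        m = CHANGED_FILE.match(line)
        if m and epoch is not None:
            yield epoch, m.group(1)


def classify_lag(alert_epoch, file_mtime, frequency=DEFAULT_FREQUENCY, realtime=False):
    """Label the gap between when OSSEC alerted and what the file system claims."""
    lag = alert_epoch - file_mtime
    if lag < -REALTIME_SLACK:
        # mtime is newer than the alert: touched after the scan, or forged
        return "alert_before_mtime"
    if lag <= REALTIME_SLACK:
        return "realtime_consistent"
    if realtime:
        # real-time mode should not lag this much; suspect inotify/agent trouble
        return "realtime_but_late"
    if lag <= frequency:
        return "scheduled_consistent"    # within one scan interval, as expected
    return "exceeds_scan_frequency"      # older than a full interval: scan gap or forged mtime


def check_alerts(alert_text, mtime_of, frequency=DEFAULT_FREQUENCY, realtime=False):
    """Map each changed path to a lag classification. mtime_of(path) -> epoch seconds."""
    return {
        path: classify_lag(epoch, mtime_of(path), frequency, realtime)
        for epoch, path in parse_syscheck_alerts(alert_text)
    }


# Constructed sample alerts (not real OSSEC output); epoch 1409672547 is 2014-09-02 15:42:27 UTC.
SAMPLE_ALERTS = r"""** Alert 1409672547.1001: - ossec,syscheck,
2014 Sep 02 15:42:27 (winhost) 192.0.2.10->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: 'C:\inetpub\wwwroot\web.config'

** Alert 1409672550.1002: - ossec,syscheck,
2014 Sep 02 15:42:30 (linuxhost) 192.0.2.11->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'

** Alert 1409672600.1003: - ossec,syscheck,
2014 Sep 02 15:43:20 (linuxhost) 192.0.2.11->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/shadow'

** Alert 1409672600.1004: - ossec,syscheck,
2014 Sep 02 15:43:20 (linuxhost) 192.0.2.11->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/usr/bin/ssh'
"""

# Constructed mtimes standing in for os.stat(path).st_mtime.
SAMPLE_MTIMES = {
    r"C:\inetpub\wwwroot\web.config": 1409672547 - 3600,    # changed 1 h before the scan
    "/etc/passwd": 1409672550 - 2,                           # real-time, 2 s lag
    "/etc/shadow": 1409672600 + 600,                         # mtime later than the alert
    "/usr/bin/ssh": 1409672600 - 90000,                      # older than one 22 h interval
}


if __name__ == "__main__":
    for path, verdict in check_alerts(SAMPLE_ALERTS, SAMPLE_MTIMES.__getitem__).items():
        print(f"{verdict:24} {path}")
    # Against a live box, swap the constructed lookup for the file system:
    #   check_alerts(open("/var/ossec/logs/alerts/alerts.log").read(),
    #                lambda p: os.stat(p).st_mtime)
```

Pass `realtime=True` for directories configured with `realtime="yes"`; anything outside the few-second slack then gets flagged instead of being accepted as a normal scan lag. An `alert_before_mtime` or `exceeds_scan_frequency` result is a prompt to look at the agent and the host, not proof of tampering, since both a forged mtime and a stalled scan produce the same gap.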
