Hello,
I have a few hundred OSSEC 2.7.1 agents running on a mix of CentOS 4, 5 and 6 boxen that have the syscheck frequency value configured at 7200. Here is a snippet from the agent ossec.conf:
<!-- Frequency that syscheck is executed, in seconds, default every 2 hours -->
<frequency>7200</frequency>
I have disabled rootcheck due to CPU issues on some of my boxen:
<rootcheck>
  <disabled>yes</disabled>
</rootcheck>
I noticed that I am receiving alerts for file changes approx. 20 hours after the file is actually changed, so I looked at /var/ossec/logs/ossec.log on the agent, and it appears that syscheckd is not running every 2 hours:
*snippet of ossec.log from the agent in question:*
2014/10/28 13:41:28 ossec-syscheckd: INFO: Starting syscheck scan.
2014/10/28 14:05:45 ossec-syscheckd: WARN: Error opening directory: '/etc/init.d/tomcat': No such file or directory
2014/10/28 14:06:09 ossec-syscheckd: INFO: Ending syscheck scan.
2014/10/29 12:11:09 ossec-syscheckd: INFO: Starting syscheck scan.
2014/10/29 12:35:28 ossec-syscheckd: WARN: Error opening directory: '/etc/init.d/tomcat': No such file or directory
2014/10/29 12:35:52 ossec-syscheckd: INFO: Ending syscheck scan.
2014/10/30 10:40:52 ossec-syscheckd: INFO: Starting syscheck scan.
2014/10/30 11:05:10 ossec-syscheckd: WARN: Error opening directory: '/etc/init.d/tomcat': No such file or directory
2014/10/30 11:05:34 ossec-syscheckd: INFO: Ending syscheck scan.
I ran ossec-syscheckd in debug mode and captured this:
2014/10/30 16:36:41 ossec-config(1756): ERROR: Duplicated directory given: '/etc'.
2014/10/30 16:36:41 ossec-config(1756): ERROR: Duplicated directory given: '/bin'.
2014/10/30 16:36:41 ossec-rootcheck: DEBUG: Starting ...
2014/10/30 16:36:41 ossec-rootcheck: Rootcheck disabled. Exiting.
2014/10/30 16:36:41 ossec-syscheckd: WARN: Rootcheck module disabled.
2014/10/30 16:36:47 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '229376'.
2014/10/30 16:36:47 ossec-syscheckd: INFO: Started (pid: 25245).
2014/10/30 16:36:47 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2014/10/30 16:36:47 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2014/10/30 16:36:47 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2014/10/30 16:36:47 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2014/10/30 16:36:47 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2014/10/30 16:36:47 ossec-syscheckd: INFO: Monitoring directory: '/var/ossec'.
2014/10/30 16:37:01 ossec-syscheckd: Setting SCHED_BATCH returned: 0
2014/10/30 16:38:41 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2014/10/30 16:38:41 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2014/10/30 17:01:17 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2014/10/30 17:01:31 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
I see this on all of my agents, so I am worried I have missed something or have a misconfiguration. Any ideas?
-Thanks
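A quick way to measure the cadence syscheck is actually keeping, straight from an agent's ossec.log, as an added example that is not from the post above or from OSSEC itself: it pairs the "Starting"/"Ending" syscheck lines, computes the idle gap between consecutive scans, and flags any gap larger than the configured <frequency>. The 600 s tolerance is an assumed slack for scan start-up, and the sample log is the three scans quoted in the post.

```python
"""Compare real syscheck scan gaps in ossec.log with the configured <frequency>.
Added example; not part of the original post and not OSSEC's own code."""
import re
from datetime import datetime

# ossec-syscheckd start/end lines as they appear in /var/ossec/logs/ossec.log.
SYSCHECK_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-syscheckd: INFO: "
    r"(Starting|Ending) syscheck scan"
)

def parse_scans(lines):
    """Pair 'Starting' and 'Ending' lines into (start, end) datetime tuples.
    An 'Ending' with no preceding 'Starting' (truncated log) is ignored."""
    scans, start = [], None
    for line in lines:
        m = SYSCHECK_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        if m.group(2) == "Starting":
            start = ts
        elif start is not None:
            scans.append((start, ts))
            start = None
    return scans

def scan_gaps(scans):
    """Idle seconds from the end of one scan to the start of the next."""
    return [int((scans[i + 1][0] - scans[i][1]).total_seconds())
            for i in range(len(scans) - 1)]

def late_scans(scans, frequency, tolerance=600):
    """Gaps that exceed the configured frequency by more than `tolerance`
    seconds (tolerance is an assumed slack); empty means schedule was kept."""
    return [g for g in scan_gaps(scans) if g > frequency + tolerance]

# Constructed sample: the three scans quoted in the post, with the WARN noise kept.
SAMPLE_LOG = """\
2014/10/28 13:41:28 ossec-syscheckd: INFO: Starting syscheck scan.
2014/10/28 14:05:45 ossec-syscheckd: WARN: Error opening directory: '/etc/init.d/tomcat': No such file or directory
2014/10/28 14:06:09 ossec-syscheckd: INFO: Ending syscheck scan.
2014/10/29 12:11:09 ossec-syscheckd: INFO: Starting syscheck scan.
2014/10/29 12:35:52 ossec-syscheckd: INFO: Ending syscheck scan.
2014/10/30 10:40:52 ossec-syscheckd: INFO: Starting syscheck scan.
2014/10/30 11:05:34 ossec-syscheckd: INFO: Ending syscheck scan.
""".splitlines()

if __name__ == "__main__":
    for gap in late_scans(parse_scans(SAMPLE_LOG), frequency=7200):
        print(f"idle gap of {gap} s between scans exceeds configured 7200 s")
```

Run it against the real log with `parse_scans(open("/var/ossec/logs/ossec.log"))`; on the quoted sample both gaps come out at 79500 s (22 h 05 min), far beyond the 7200 s setting.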