ON https://github.com/ossec/ossec-hids/releases
Server / Agent 2.8
Change log
Disable /var/ossec/queue/diff/*state.$epoch files, they were not used. pull: by reyjrar

HOW to enable /var/ossec/queue/diff/*state.$epoch files in ossec 2.8

On Wednesday, February 11, 2015 at 16:44:05 UTC+3, user dan (ddpbsd) wrote:
>
> On Wed, Feb 11, 2015 at 8:19 AM, alex petrov <allrea...@gmail.com> wrote:
> > used to be so
> >
>
> What used to what?
>
> Are you sure the values OSSEC is receiving are changing?
>
> Check the permissions on the queue/diff directories.
>
> > test:/var/ossec/queue/diff/test/533# ls -l
> > total 756
> > -rwxr-x--- 1 ossec ossec 2703 Feb 11 12:22 last-entry
> > -rwxr-x--- 1 ossec ossec 2882 Sep 26 14:46 state.1411728392
> > -rwxr-x--- 1 ossec ossec 1211 Sep 29 08:04 state.1411963489
> > -rwxr-x--- 1 ossec ossec 1559 Sep 29 08:05 state.1411963522
> > -rwxr-x--- 1 ossec ossec 1915 Sep 29 08:05 state.1411963539
> > -rwxr-x--- 1 ossec ossec 2093 Sep 29 08:06 state.1411963594
> > -rwxr-x--- 1 ossec ossec 2182 Sep 29 08:07 state.1411963663
> > -rwxr-x--- 1 ossec ossec 2526 Sep 29 08:08 state.1411963693
> > -rwxr-x--- 1 ossec ossec 2704 Sep 29 15:11 state.1411989085
> > -rwxr-x--- 1 ossec ossec 1211 Sep 30 08:08 state.1412050121
> > -rwxr-x--- 1 ossec ossec 2093 Sep 30 08:08 state.1412050130
> > -rwxr-x--- 1 ossec ossec 2182 Sep 30 08:10 state.1412050259
> > -rwxr-x--- 1 ossec ossec 2360 Sep 30 08:11 state.1412050279
> > -rwxr-x--- 1 ossec ossec 2704 Sep 30 08:12 state.1412050322
> > -rwxr-x--- 1 ossec ossec 2093 Sep 30 08:16 state.1412050582
> > -rwxr-x--- 1 ossec ossec 2271 Sep 30 08:18 state.1412050680
> > -rwxr-x--- 1 ossec ossec 2360 Sep 30 08:18 state.1412050707
> > -rwxr-x--- 1 ossec ossec 2704 Sep 30 08:18 state.1412050724
> > -rwxr-x--- 1 ossec ossec 1826 Sep 30 08:30 state.1412051419
> > -rwxr-x--- 1 ossec ossec 2093 Sep 30 08:31 state.1412051484
> > -rwxr-x--- 1 ossec ossec 2271 Sep 30 08:32 state.1412051570
> > -rwxr-x--- 1 ossec ossec 2360 Sep 30 08:33 state.1412051598
> > -rwxr-x--- 1 ossec ossec 2704 Sep 30 08:33 state.1412051632
> > -rwxr-x--- 1 ossec ossec 2882 Sep 30 15:18 state.1412075929
> >
> > now only 'Feb 11 12:22 last-entry'
> >
> > WHY?
> >
> > On Tuesday, February 10, 2015 at 16:57:28 UTC+3, user dan (ddpbsd) wrote:
> > >
> > > On Tue, Feb 10, 2015 at 8:43 AM, alex petrov <allrea...@gmail.com> wrote:
> > > > help me please
> > > >
> > >
> > > Make sure there are changes between runs? Maybe increase the frequency
> > > (10 is very small)?
> > >
> > > I don't really have any ideas of what to look at, and I don't have any
> > > systems to test this on.
> > >
> > > > On Monday, February 9, 2015 at 16:53:37 UTC+3, user dan (ddpbsd) wrote:
> > > > >
> > > > > On Mon, Feb 9, 2015 at 8:13 AM, alex petrov <allrea...@gmail.com> wrote:
> > > > > > <!-- local rule: fire when the output of the command below changes -->
> > > > > > <rule id="700086" level="7">
> > > > > >   <!-- 530 is OSSEC's base rule for "ossec: output:" command results -->
> > > > > >   <if_sid>530</if_sid>
> > > > > >   <match>ossec: output: 'for /f "tokens=3*"</match>
> > > > > >   <check_diff />
> > > > > >   <description>new soft install</description>
> > > > > > </rule>
> > > > > >
> > > > > > <!-- agent side: run the command every 10 seconds and log its full output -->
> > > > > > <localfile>
> > > > > >   <log_format>full_command</log_format>
> > > > > >   <frequency>10</frequency>
> > > > > >   <command>for /f "tokens=3*" %a in ('reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" /s ^| find /i "DisplayName"') do @echo %a%b</command>
> > > > > > </localfile>
> > > > > >
> > > > > > but there is only a single file in the directory
> > > > > > /var/ossec/queue/diff/tes /700086/, only one file 'last-entry',
> > > > > > not what it compares it to. How to get files like
> > > > > > "state.1412050724", for example?
> > > > > >
> > > > >
> > > > > Looks like I was confused, I was thinking syscheck. Sorry about that.
> > > > >
> > > > > Does the last-entry file contain the current output from the command?
> > > > >
> > > > > > On Monday, February 9, 2015 at 16:08:11 UTC+3, user dan (ddpbsd) wrote:
> > > > > > >
> > > > > > > On Mon, Feb 9, 2015 at 6:07 AM, alex petrov <allrea...@gmail.com> wrote:
> > > > > > > > Help please.
> > > > > > > > Why, when I use check_diff, do I get only one file 'last-entry'
> > > > > > > > created in the directory /var/ossec/queue/diff/tes /700086/
> > > > > > > > instead of multiple files with changes?
> > > > > > > >
> > > > > > >
> > > > > > > Are all of these files text files?
> > > > > > > Has a syscheck scan been run since they were changed?

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
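The mechanism the thread is debugging, as an added illustration that is not OSSEC's own code: check_diff keeps the previous command output under queue/diff/<location>/<rule id>/last-entry and only reports when a freshly collected output differs from it, so a command whose output never changes leaves exactly one file behind, which is dan's "are you sure the values are changing?" question. The POSIX shell script below emulates that bookkeeping and, purely for illustration, also keeps the timestamped state.$epoch copy of the superseded entry that the 2.8 change log says was dropped. DIFF_DIR, the function names, the exit codes and the constructed sample outputs are assumptions for this example; OSSEC 2.8 itself will not write state files whatever you configure.

```shell
#!/bin/sh
# Added example (not OSSEC's own code): emulates the check_diff bookkeeping
# for a full_command localfile. OSSEC keeps the previous output under
# /var/ossec/queue/diff/<location>/<rule id>/last-entry; DIFF_DIR, the
# function names and the sample outputs below are assumptions for this example.
DIFF_DIR="${DIFF_DIR:-/var/ossec/queue/diff}"

# check_diff LOCATION RULE_ID OUTPUT_FILE
#   OUTPUT_FILE holds the command output just collected.
#   exit 1: nothing to report (first run, or output identical to last-entry)
#   exit 0: output changed; last-entry replaced, diff printed
#   exit 2: state directory could not be created (check ownership/permissions)
check_diff() {
    location=$1; rule_id=$2; new_output=$3
    dir="$DIFF_DIR/$location/$rule_id"
    last="$dir/last-entry"
    mkdir -p "$dir" || return 2
    if [ ! -f "$last" ]; then
        # First run: remember the output, nothing to compare against yet.
        cp "$new_output" "$last"
        return 1
    fi
    if cmp -s "$last" "$new_output"; then
        # Same output as last time: the directory is left untouched,
        # which is why a stable command yields a lone last-entry file.
        return 1
    fi
    # Changed: keep a timestamped copy of the superseded entry (the pre-2.8
    # state.$epoch habit; two changes in one second would overwrite it),
    # then replace last-entry and show what changed.
    cp "$last" "$dir/state.$(date +%s)"
    diff "$last" "$new_output" || :
    cp "$new_output" "$last"
    return 0
}

# count_states LOCATION RULE_ID: number of state.* snapshots on disk
count_states() {
    ls "$DIFF_DIR/$1/$2" 2>/dev/null | grep -c '^state\.' || :
}

# demo: two constructed register-query outputs (installed-software names),
# fed through check_diff three times. Run as: sh this_script.sh demo
demo() {
    DIFF_DIR=$(mktemp -d)
    printf 'Git version 2.3.0\nNotepad++\n' > "$DIFF_DIR/run1"
    printf 'Git version 2.3.0\nNotepad++\nWinSCP 5.7\n' > "$DIFF_DIR/run2"
    for run in run1 run1 run2; do
        if check_diff test 700086 "$DIFF_DIR/$run"; then
            echo "$run: changed -> alert"
        else
            echo "$run: no change"
        fi
    done
    echo "state files kept: $(count_states test 700086)"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Running the demo shows the first two passes report "no change" (the first one only seeds last-entry) and the third, where a new DisplayName appears, prints the diff and leaves one state file behind. If your real directory holds only last-entry and its timestamp keeps advancing, the command is producing identical output on every run; if last-entry is stale, look at ownership and permissions on the queue/diff tree as suggested in the thread.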