Thanks for your help, guys.

You are right, Brett, the alert.log has all the info. The issue I have is 
with Splunk: everything gets sent via syslog and the event is as I pasted 
above. For the alert.log, here's what I get:

** Alert 1428518183.14013429: - syslog,sshd,recon,
--
Rule: 555 (level 7) -> 'Integrity checksum for agentless device changed.'
ossec: agentless: Change detected:
1404c1404
< ntp clock-period 22519145
---
> ntp clock-period 22519163
2806a2807
> Connection to x.x.x.x closed by remote host.

That script doesn't give me any problems; it seems to work fine. Although I 
should probably change something so it doesn't alert me for the NTP change. 
May I ask what command you are running?

Thanks,
Gaetan
