On Sep 23, 2015 9:23 AM, "James DeLeon" <[email protected]> wrote:
>>
>> Has it ever worked?
>
>
> Yes, I used to get the messages only when I had restarted the OSSEC on
> the agent after a file change, but it's no longer working. (After no
> changes to any of the configuration files or network.)
>
>>
>> Is syscheckd running on the agent?
>
> Yes, and it always starts up when I restart the agent (which was my
> first troubleshooting step.)
>
>> Is the file in
>> the syscheck db on the manager (/var/ossec/queue/syscheck)? If so, are
>> the checksums up to date?
>
>
> It does show up 4 times, but 3 of them are commented out. The most recent
> one (or at least the one that appears latest in the file) is commented out.
> Here's a snippet:
>

Have you turned off autoignore? By default ossec ignores a file if it's
been edited 3 times already.

>
> #++1749:33188:0:0:439100a44982f07288618e3bb780dea6:9e029603a1ad0e4c68eb83d071b74b426a1fdd3f !1442421895 /etc/haproxy/haproxy.cfg
>
> !++2976:33056:0:24135:2a4506614a4fd11f678a8e3a5e7ab0d9:883b30c5982ce6d0b7e77c7ad78d3d9646bb9d54 !1442425342 /var/ossec/etc/ossec.conf
>
> #!+1736:33188:0:0:3266bbef7ac389696db130218af90921:e991dcc5e2a3f57dd1230898010247f4ec94b1ac !1442425447 /etc/haproxy/haproxy.cfg
>
> !!!1856:33188:0:0:002179d7de0cb6b3b1551ab472c986c4:b548dd42e45e6dc55a0e661a66097e4c32ee56ba !1442426715 /etc/haproxy/haproxy.cfg
>
> The current MD5 sum does not appear in the file at all. (It is changed
> from its original form from when syscheck first did its full scan.)
>
>> Is there an alert in the alerts.log?
>
>
> Not for editing the file, no. I'd have multitail running on alerts.log as
> I edited the file to see if anything would come through (as when it did
> work it came through instantly), and nothing would appear. Of course when
> it did work there was a log entry, but it's not now.
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
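
Added example, not part of the original thread and not OSSEC's own code: a small Python reader for the syscheck queue lines quoted above, relating the three leading flag characters to the auto-ignore behaviour the reply asks about. The reading of the flags (a leading '#' marks a superseded entry, each '!' or '?' on the live entry is one recorded change) and the names `live_entries` and `auto_ignored` are assumptions of this example.

```python
import re
from collections import namedtuple

# The four entries quoted in the message above, rejoined one per line.
SAMPLE_DB = """\
#++1749:33188:0:0:439100a44982f07288618e3bb780dea6:9e029603a1ad0e4c68eb83d071b74b426a1fdd3f !1442421895 /etc/haproxy/haproxy.cfg
!++2976:33056:0:24135:2a4506614a4fd11f678a8e3a5e7ab0d9:883b30c5982ce6d0b7e77c7ad78d3d9646bb9d54 !1442425342 /var/ossec/etc/ossec.conf
#!+1736:33188:0:0:3266bbef7ac389696db130218af90921:e991dcc5e2a3f57dd1230898010247f4ec94b1ac !1442425447 /etc/haproxy/haproxy.cfg
!!!1856:33188:0:0:002179d7de0cb6b3b1551ab472c986c4:b548dd42e45e6dc55a0e661a66097e4c32ee56ba !1442426715 /etc/haproxy/haproxy.cfg
"""

Entry = namedtuple("Entry", "path changes md5 timestamp")

# <3 flag chars><size:perm:uid:gid:md5:sha1> !<epoch> <path>
LINE = re.compile(r"^([#+!?]{3})(\S+) !(\d+) (.+)$")


def live_entries(db_text):
    """Return {path: Entry} for the entry new checksums are compared against.

    Assumption: a leading '#' marks a superseded entry, and each '!' or '?'
    flag on the live entry stands for one change already recorded.
    """
    live = {}
    for line in db_text.splitlines():
        m = LINE.match(line)
        if not m or m.group(1).startswith("#"):
            continue  # blank, unparsable, or superseded entry
        flags, checksum, ts, path = m.groups()
        fields = checksum.split(":")
        md5 = fields[4] if len(fields) > 4 else None
        changes = sum(c in "!?" for c in flags)
        live[path] = Entry(path, changes, md5, int(ts))
    return live


def auto_ignored(db_text, limit=3):
    """Paths whose live entry has reached `limit` changes (auto-ignore on)."""
    return sorted(p for p, e in live_entries(db_text).items() if e.changes >= limit)


if __name__ == "__main__":
    for path, e in sorted(live_entries(SAMPLE_DB).items()):
        state = "ignored from now on" if e.changes >= 3 else "still alerting"
        print(f"{path}: {e.changes} change(s) recorded, {state}")
```

The setting the reply refers to is `<auto_ignore>` in the `<syscheck>` section of the manager's ossec.conf.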

