Just set up auto ignore, and restarted OSSEC on both the manager and client and this is now working properly.
Two questions regarding auto_ignore, though:

1. If it's left on, how long does OSSEC ignore the file? I had been testing this for just under 2 weeks, and edited the file more than 3 times during that time period.

2. Is it possible to stop auto_ignore on only specific files, or is it an all or nothing kind of thing? I know we can ignore certain files completely, just wondering if auto_ignore is granular.

Thanks so much.

On Wednesday, September 23, 2015 at 8:25:23 AM UTC-5, dan (ddpbsd) wrote:
>
> On Sep 23, 2015 9:23 AM, "James DeLeon" <[email protected]> wrote:
> >
> >> Has it ever worked?
> >
> > Yes, I used to get the messages only when I had restarted the OSSEC on the agent after a file change, but it's no longer working. (After no changes to any of the configuration files or network.)
> >
> >> Is syscheckd running on the agent?
> >
> > Yes, and it always starts up when I restart the agent (which was my first troubleshooting step.)
> >
> >> Is the file in the syscheck db on the manager (/var/ossec/queue/syscheck)? If so, are the checksums up to date?
> >
> > It does show up 4 times, but 3 of them are commented out. The most recent one (or at least the one that appears latest in the file) is commented out. Here's a snippet:
>
> Have you turned off autoignore? By default ossec ignores a file if it's been edited 3 times already.
>
> > #++1749:33188:0:0:439100a44982f07288618e3bb780dea6:9e029603a1ad0e4c68eb83d071b74b426a1fdd3f !1442421895 /etc/haproxy/haproxy.cfg
> > !++2976:33056:0:24135:2a4506614a4fd11f678a8e3a5e7ab0d9:883b30c5982ce6d0b7e77c7ad78d3d9646bb9d54 !1442425342 /var/ossec/etc/ossec.conf
> > #!+1736:33188:0:0:3266bbef7ac389696db130218af90921:e991dcc5e2a3f57dd1230898010247f4ec94b1ac !1442425447 /etc/haproxy/haproxy.cfg
> > !!!1856:33188:0:0:002179d7de0cb6b3b1551ab472c986c4:b548dd42e45e6dc55a0e661a66097e4c32ee56ba !1442426715 /etc/haproxy/haproxy.cfg
> >
> > The current MD5 sum does not appear in the file at all. (It is changed from its original form from when syscheck first did its full scan.)
> >
> >> Is there an alert in the alerts.log?
> >
> > Not for editing the file, no. I'd have multitail running on alerts.log as I edited the file to see if anything would come through (as when it did work it came through instantly), and nothing would appear. Of course when it did work there was a log entry, but it's not now.

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
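As an added example (my own code, not code from the thread or from the OSSEC project), here is a small Python reader for the manager-side syscheck db lines of the kind James pasted. It counts the changes recorded per file and flags files that have reached the three-change count dan describes, and it answers James's own check of whether a given MD5 appears in the db at all. The sample lines are constructed from the posted snippet. The reading given to the three leading characters is an assumption drawn from the thread: `#` in the first column marks an entry that has been superseded (what James calls "commented out"), each `!` is one recorded change since syscheck first saw the file, `+` is "no change in that slot", and a `?` in the third column is taken to mean more than three changes (it does not occur in the snippet).

```python
"""Read OSSEC manager-side syscheck db entries and spot files that have
reached the auto_ignore change count.

Added example written for the ossec-list thread; not code from the thread
or from the OSSEC project. Prefix semantics below are an assumption drawn
from the thread, not taken from OSSEC source:
  column 0 '#' : entry superseded by a newer one ("commented out")
  each '!'     : one recorded change since syscheck first saw the file
  '+'          : no change recorded in that slot
  column 2 '?' : assumed to mean more than three changes (not in snippet)
After the prefix: size:perms:uid:gid:md5:sha1, then '!' + mtime, then path.
"""
import re

# dan, in the thread: ossec ignores a file once it has been edited 3 times.
AUTO_IGNORE_CHANGES = 3

# Constructed from the snippet posted in the thread (md5/sha1 values as posted).
SAMPLE_DB = """\
#++1749:33188:0:0:439100a44982f07288618e3bb780dea6:9e029603a1ad0e4c68eb83d071b74b426a1fdd3f !1442421895 /etc/haproxy/haproxy.cfg
!++2976:33056:0:24135:2a4506614a4fd11f678a8e3a5e7ab0d9:883b30c5982ce6d0b7e77c7ad78d3d9646bb9d54 !1442425342 /var/ossec/etc/ossec.conf
#!+1736:33188:0:0:3266bbef7ac389696db130218af90921:e991dcc5e2a3f57dd1230898010247f4ec94b1ac !1442425447 /etc/haproxy/haproxy.cfg
!!!1856:33188:0:0:002179d7de0cb6b3b1551ab472c986c4:b548dd42e45e6dc55a0e661a66097e4c32ee56ba !1442426715 /etc/haproxy/haproxy.cfg
"""

LINE_RE = re.compile(
    r"^(?P<flags>[#+!?]{3})"
    r"(?P<size>\d+):(?P<perm>\d+):(?P<uid>\d+):(?P<gid>\d+):"
    r"(?P<md5>[0-9a-f]{32}):(?P<sha1>[0-9a-f]{40}) "
    r"!(?P<mtime>\d+) (?P<path>.+)$"
)


def parse_entry(line):
    """Return one db line as a dict; raise ValueError on an unknown layout."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("unrecognised syscheck db line: %r" % line)
    entry = m.groupdict()
    flags = entry.pop("flags")
    entry["superseded"] = flags[0] == "#"
    # '?' is treated as "three or more"; otherwise each '!' is one change.
    entry["changes"] = AUTO_IGNORE_CHANGES if "?" in flags else flags.count("!")
    for key in ("size", "perm", "uid", "gid", "mtime"):
        entry[key] = int(entry[key])
    return entry


def parse_db(text):
    """Parse every non-blank line; a malformed line raises rather than being skipped."""
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


def summarize(text):
    """Per path: entry count, the live (non-superseded) entry's change count
    and md5, and whether the auto_ignore change count has been reached."""
    by_path = {}
    for entry in parse_db(text):
        slot = by_path.setdefault(entry["path"], {"entries": 0, "live": None})
        slot["entries"] += 1
        if not entry["superseded"]:
            # If more than one live entry survives, keep the newest by mtime.
            if slot["live"] is None or entry["mtime"] > slot["live"]["mtime"]:
                slot["live"] = entry
    result = {}
    for path, slot in by_path.items():
        live = slot["live"]
        result[path] = {
            "entries": slot["entries"],
            "changes": live["changes"] if live else None,
            "live_md5": live["md5"] if live else None,
            "auto_ignore_reached": bool(live and live["changes"] >= AUTO_IGNORE_CHANGES),
        }
    return result


def md5_is_recorded(text, path, md5):
    """James's check: does the file's current checksum appear anywhere in the db?"""
    return any(e["path"] == path and e["md5"] == md5 for e in parse_db(text))


if __name__ == "__main__":
    for path, info in sorted(summarize(SAMPLE_DB).items()):
        state = ("reached auto_ignore count; with auto_ignore on, further edits are dropped"
                 if info["auto_ignore_reached"] else "still tracked")
        print(f"{path}: {info['entries']} entries, {info['changes']} changes, {state}")
```

Run against the agent's file under /var/ossec/queue/syscheck on the manager. A file whose live entry reads `!!!` while its current checksum is absent from the db is exactly the picture James describes. The manager-side switch is the `<auto_ignore>` option inside `<syscheck>` in the manager's ossec.conf (`yes` by default; set to `no` and restart), which is a global setting in the 2.8-era releases this thread is about.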
