The issue was in my branch there. Mind getting the latest again? Should be
working now:

https://bitbucket.org/dcid/ossec-hids/get/tip.tar.gz

Sorry for the waste of time :/

thanks,

On Thu, Jan 28, 2016 at 1:34 PM, Luke Hansey <[email protected]>
wrote:

> Thanks for the reply, Santiago.
>
> Here is what I am seeing.  On agent:
>
> 2016/01/28 11:42:06 ossec-syscheckd: INFO: Monitoring directory:
> '/var/www/vhosts/'.
> 2016/01/28 11:42:06 ossec-syscheckd: INFO: Directory set for real time
> monitoring: '/var/www/vhosts/'.
> 2016/01/28 11:43:08 ossec-syscheckd: INFO: Starting syscheck scan
> (forwarding database).
> 2016/01/28 11:43:08 ossec-syscheckd: INFO: Starting syscheck database
> (pre-scan).
> 2016/01/28 11:48:59 ossec-syscheckd: INFO: Initializing real time file
> monitoring (not started).
> 2016/01/28 11:49:00 ossec-syscheckd: INFO: Finished creating syscheck
> database (pre-scan completed).
> 2016/01/28 11:49:12 ossec-syscheckd: INFO: Ending syscheck scan
> (forwarding database).
> 2016/01/28 11:49:32 ossec-syscheckd: INFO: Starting real time file
> monitoring.
> 2016/01/28 11:49:32 ossec-rootcheck: INFO: Starting rootcheck scan.
> 2016/01/28 11:55:02 ossec-rootcheck: INFO: Ending rootcheck scan.
>
> On my server I'm watching this agent's syscheck queue:
>
> Every 1.0s: cat '(blah.blah.com) 10.0.1.2->syscheck' | grep '.php$'
>
> +++3232368:33261:0:0:41591364ec9f9f74e6180f91ede53f24:f3f7f713f0b6fffcb582cce39ad2b433c2f12ef0
> !1454017663 /usr/bin/php
>
> I've created a test.php file in /var/www/vhosts/test.com/httpdocs/test.php
> as well as edited an existing PHP file in the same directory.
>
> Nothing changes, so I run from server:
>
> /var/ossec/bin/agent_control -r -u 001
>
> OSSEC HIDS agent_control: Restarting Syscheck/Rootcheck on agent: 001
>
> Still the queue/syscheck file for this agent does not change.  File size
> is the same as well.  Before this process I also ran:
>
> /var/ossec/bin/syscheck_control -u 001 and it emptied the file.  But once
> syscheck ran again, it was exactly the same size as it was before (334K),
> which seems small.
>
> I'm running v2015-12 latest dev that Dan pushed a few days ago.  I feel
> like I'm missing something obvious...
>
> On Wednesday, January 27, 2016 at 2:54:09 PM UTC-8, Santiago Bassett wrote:
>>
>> Are you sure your config is not working?
>>
>> I just tested this and it works for me:
>>
>>     <directories check_all="yes"
>> restrict=".txt1|.txt2">/root</directories>
>>
>> I created three test files:
>>
>> root@vpc-ossec-manager:~# ls test.txt*
>>
>> test.txt1  test.txt2  test.txt3
>>
>> And this is what I get in my syscheck file:
>>
>> root@vpc-ossec-manager:~# cat /var/ossec/queue/syscheck/syscheck | grep
>> test.txt
>>
>> +++3:33188:0:0:764efa883dda1e11db47671c4a3bbd9e:55ca6286e3e4f4fba5d0448333fa99fc5a404a73
>> !1453933436 /root/test.txt1
>>
>> +++5:33188:0:0:d8e8fca2dc0f896fd7cb4cb0031ba249:4e1243bd22c66e76c2ba9eddc1f91394e57f9f83
>> !1453933436 /root/test.txt2
>>
>> There is nothing for test.txt3
>>
>> I am using 2.9 version (development branch)
>>
>> Best
>>
>> On Tue, Jan 26, 2016 at 4:34 PM, Luke Hansey <[email protected]>
>> wrote:
>>
>>> If I use:
>>>
>>> <directories check_all="yes"
>>> restrict=".php|.js">/var/www/vhosts/</directories>
>>>
>>> syscheck logs no changes to any file.
>>>
>>> If I use:
>>>
>>> <directories check_all="yes">/var/www/vhosts/</directories>
>>>
>>> Works fine and logs changes to any file.
>>>
>>> Am I missing something when using the restrict option?
>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>

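The syscheck queue entries and the restrict pattern discussed in this thread, as an added example that is not part of the thread or of OSSEC's own code. It parses records in the layout visible in the quoted output (a "+++size:perm:uid:gid:md5:sha1" record followed, on the same line or the next, by "!mtime path"), decodes the numeric perm field to a mode string, and applies a restrict-style filter. The matching rule is an assumption for illustration (each "|"-separated alternative is searched as a regular expression against the file name), not OSSEC's own OSMatch implementation; the three hashed records are the ones quoted above, and the fourth record is constructed.

```python
"""Parse OSSEC-style syscheck queue records and apply a restrict-style filter.

Added example; not OSSEC code. Record layout is taken from the thread's
quoted queue output. The restrict matching here is an approximation
(assumption): each '|'-separated alternative is a regex searched against
the file name, which reproduces the behaviour of '.txt1|.txt2' and
'.php|.js' in the thread.
"""
import re
import stat
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the queue lines quoted in the thread
# (first three records are the quoted ones; the last one is made up, with
# placeholder zero hashes, to stand in for the test.php the reporter created).
SAMPLE_QUEUE = """\
+++3232368:33261:0:0:41591364ec9f9f74e6180f91ede53f24:f3f7f713f0b6fffcb582cce39ad2b433c2f12ef0 !1454017663 /usr/bin/php
+++3:33188:0:0:764efa883dda1e11db47671c4a3bbd9e:55ca6286e3e4f4fba5d0448333fa99fc5a404a73
!1453933436 /root/test.txt1
+++5:33188:0:0:d8e8fca2dc0f896fd7cb4cb0031ba249:4e1243bd22c66e76c2ba9eddc1f91394e57f9f83
!1453933436 /root/test.txt2
+++512:33188:0:0:00000000000000000000000000000000:0000000000000000000000000000000000000000 !1454017700 /var/www/vhosts/test.com/httpdocs/test.php
"""

# The leading '+++' marker is matched literally and not interpreted here.
# '\s+' before '!' lets the "!mtime path" part sit on the same or the next line.
RECORD_RE = re.compile(
    r"^\+\+\+(?P<size>\d+):(?P<perm>\d+):(?P<uid>\d+):(?P<gid>\d+):"
    r"(?P<md5>[0-9a-f]{32}):(?P<sha1>[0-9a-f]{40})"
    r"\s+!(?P<mtime>\d+)\s+(?P<path>\S.*)$",
    re.MULTILINE,
)


@dataclass
class SyscheckEntry:
    size: int
    perm: int
    uid: int
    gid: int
    md5: str
    sha1: str
    mtime: int
    path: str

    @property
    def mode(self) -> str:
        """Decimal perm field as an ls-style mode: 33188 -> '-rw-r--r--', 33261 -> '-rwxr-xr-x'."""
        return stat.filemode(self.perm)

    @property
    def name(self) -> str:
        """File name component, which is what a restrict pattern is applied to."""
        return self.path.rsplit("/", 1)[-1]


def parse_queue(text: str) -> List[SyscheckEntry]:
    """Return every parsable record in a syscheck queue dump."""
    return [
        SyscheckEntry(int(m["size"]), int(m["perm"]), int(m["uid"]), int(m["gid"]),
                      m["md5"], m["sha1"], int(m["mtime"]), m["path"])
        for m in RECORD_RE.finditer(text)
    ]


def restrict_matches(pattern: str, name: str) -> bool:
    """Assumed restrict semantics: any '|'-separated alternative found as a regex in the name.

    Note the unescaped '.' is a wildcard, and without a '$' anchor '.php'
    also matches 'index.php.bak'.
    """
    return any(re.search(alt, name) for alt in pattern.split("|") if alt)


def filter_entries(entries: List[SyscheckEntry], directory: str,
                   restrict: Optional[str] = None) -> List[SyscheckEntry]:
    """Entries below `directory`, further narrowed by `restrict` when given."""
    prefix = directory if directory.endswith("/") else directory + "/"
    kept = [e for e in entries if e.path.startswith(prefix)]
    if restrict:
        kept = [e for e in kept if restrict_matches(restrict, e.name)]
    return kept


if __name__ == "__main__":
    entries = parse_queue(SAMPLE_QUEUE)
    for e in filter_entries(entries, "/var/www/vhosts/", ".php|.js"):
        print(e.mode, e.size, e.mtime, e.path)
```

Run it against a real dump (`cat '/var/ossec/queue/syscheck/(agent) ip->syscheck'`) by replacing SAMPLE_QUEUE with the file contents; the restrict behaviour shown is the assumed approximation above, so confirm anchors such as `$` against the OSSEC version actually deployed.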