On Thu, Oct 6, 2016 at 11:06 AM, Yousif Johny <[email protected]> wrote:
> I just see under Queue/agentless/ a file created for the host. In the file
> it says "syscheck".
>
> I just made a change to a file in the monitored host (passwd) which is part
> of those that should be checked, and I didn't see a difference in the file.
>
> It seems I'm missing something.
>
> How do you suggest I go about monitoring this?
>

You have a frequency of 36000 seconds. Perhaps a rescan hasn't been scheduled yet?
I can see a file in /var/ossec/queue/syscheck for the scan

# ls syscheck/
(ssh_integrity_check_linux) [email protected]>syscheck

This file is populated with the contents of /bin (I copied your configuration for this test instance). It looks like it's updating the same way the others do.

> Do you think the one you're using could be better for some reason for my
> purpose?
>

I don't know what problem you're solving by using the agentless support, so I can't say.

> Thank you.
>
> On Thursday, October 6, 2016 at 3:31:27 PM UTC+1, Yousif Johny wrote:
>>
>> Dear mates,
>>
>> I'd really appreciate your help with the issue I'm having, trying to get
>> an Agentless monitoring working.
>>
>> I installed OSSEC in CentOS, and I'm trying to monitor a linux host using
>> the ssh_integrity_check_linux script.
>>
>> I tested the script manually as follows:
>> ./ssh_integrity_check_linux [email protected] /bin
>>
>> And it seems to work, as it printed the hashes of files under /bin, and at
>> the end it said "Finished"
>>
>> I put the below in ossec.conf below <ossec_config>
>>
>> <agentless>
>>   <type>ssh_integrity_check_linux</type>
>>   <frequency>36000</frequency>
>>   <host>[email protected]</host>
>>   <state>periodic</state>
>>   <arguments>/bin</arguments>
>> </agentless>
>>
>>
>> When I restart OSSEC, I see the below in the ossec.log
>> 2016/10/06 07:18:46 ossec-agentlessd: ERROR: Test failed for
>> 'ssh_integrity_check_linux' (1). Ignoring.
>>
>>
>> Any idea why this is happening?
>>
>> Thank you.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
