On Wed, May 19, 2010 at 8:51 AM, Adi CHIRU <[email protected]> wrote:

> First, I stopped ossec daemons, emptied those files manually and started ossec
> daemons. Everything went fine until I restarted ossec, when those errors
> started to appear again.
>
> After this I stopped ossec, deleted the files completely and started ossec.
> The files were created and again, the errors in logs only appeared after I
> restarted ossec (usually because I change the configuration files).
>
> It seems that a solution would be to clear the database (those files in
> /var/ossec/queue/syscheck/ directory before each [re]start) but I am not sure
> that this would also be a good idea.
>

I'm stumped. Have you tried running the appropriate daemons in debug mode (-d I think) to see if there are some more verbose logs that might help? Are you getting log messages on the agent side as well as the server?

> And one more question, if I may:
>
> Where can I find details about the logic in alerting behaviour of ossec? I am
> interested in an answer about what ossec does after an event of new file or
> deleted file or modified ownership on a file was found and an alert was
> issued; does ossec keep sending that alert each time it detects the event or
> after first detection the database is updated and so the next run will not
> detect the same event again?
>
> Thanks,
> Adi
>

Under the default configuration, I think ossec alerts up to 3 times for modifications to a file. After that it ignores the changes until you clear them from the database.
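To make the suppression behaviour described in that last reply concrete, here is an added model (not OSSEC's own syscheck code) of a per-file alert counter that stops alerting after a limit and starts over when the database is cleared; the limit of 3 is taken from the reply above, and `SyscheckAlerter`, `run_events` and the sample events are assumptions constructed for the illustration.

```python
# Added example: a model of the per-file alert suppression described in the
# reply. Assumption: the limit of 3 comes from that reply; the counter and
# reset logic is a simplification, not OSSEC's own syscheck implementation.

from collections import defaultdict

ALERT_LIMIT = 3  # alerts per path before further changes are ignored


class SyscheckAlerter:
    """Counts alerts raised per path and ignores changes past the limit."""

    def __init__(self, limit=ALERT_LIMIT):
        self.limit = limit
        self.counts = defaultdict(int)  # path -> alerts already raised

    def on_change(self, path, kind):
        """Return an alert line for this change, or None if it is suppressed."""
        if self.counts[path] >= self.limit:
            return None
        self.counts[path] += 1
        return f"{kind}: {path} (alert {self.counts[path]} of {self.limit})"

    def clear_db(self):
        """Model of emptying /var/ossec/queue/syscheck/: every path starts fresh."""
        self.counts.clear()


def run_events(events, clear_after=None):
    """Feed (path, kind) events through the model, optionally clearing the
    database after the Nth event, and return the alerts that were raised."""
    alerter = SyscheckAlerter()
    alerts = []
    for i, (path, kind) in enumerate(events, start=1):
        alert = alerter.on_change(path, kind)
        if alert:
            alerts.append(alert)
        if clear_after == i:
            alerter.clear_db()
    return alerts


# Constructed sample: five modifications of one file, then one deletion of another.
SAMPLE_EVENTS = [("/etc/passwd", "modified")] * 5 + [("/etc/hosts", "deleted")]

if __name__ == "__main__":
    for line in run_events(SAMPLE_EVENTS):
        print(line)
```

Running it without a clear yields four alerts (three for the repeated modification, one for the deletion); clearing the database after the third event makes the fourth and fifth modifications alert again, which is the re-alerting a practitioner should expect after wiping the syscheck queue.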
