On Mon, Jan 30, 2012 at 11:13 PM, Macus <[email protected]> wrote:
> I have disabled the auto_ignore function like below.
> <syscheck>
> <scan_time>20:00</scan_time>
> <alert_new_files>yes</alert_new_files>
> <auto_ignore>no</auto_ignore>

Did you set this on the manager? I think it's a manager-only option.

> <scan_on_start>no</scan_on_start>
> ....
> </syscheck>
>
> After I execute "syscheck_control -i 032", it outputs:
>
> ....
>
> Changes for 2012 Jan 27:
> 2012 Jan 27 20:03:14,3 - /etc/passwd
> 2012 Jan 27 20:03:51,3 - /etc/passwd-
> ....
> Changes for 2012 Jan 30:
>
> I did change /etc/passwd on 28 Jan 2012. Why didn't the ossec server
> report the md5 change?
>
> ossec log on the agent:
> 2012/01/28 10:52:02 ossec-agentd: INFO: Event count after '20000':
> 3390610->3033624 (89%)
> 2012/01/28 20:03:20 ossec-syscheckd: INFO: Starting syscheck scan.
> 2012/01/28 22:38:17 ossec-syscheckd: INFO: Ending syscheck scan.
> 2012/01/29 20:03:17 ossec-syscheckd: INFO: Starting syscheck scan.
> 2012/01/29 22:38:17 ossec-syscheckd: INFO: Ending syscheck scan.
> 2012/01/30 00:25:03 ossec-agentd: INFO: Event count after '20000':
> 3361708->3050336 (90%)
> 2012/01/30 16:33:05 ossec-agentd: INFO: Event count after '20000':
> 3374167->3023424 (89%)
> 2012/01/30 20:03:17 ossec-syscheckd: INFO: Starting syscheck scan.
> 2012/01/30 22:38:21 ossec-syscheckd: INFO: Ending syscheck scan.
>
> On Jan 30, 11:39 PM, "dan (ddp)" <[email protected]> wrote:
>> On Mon, Jan 30, 2012 at 5:02 AM, Macus <[email protected]> wrote:
>> > In the OSSEC Wiki, it states that auto_ignore "Specifies if syscheck will
>> > ignore files that change too often (after the third change)."
>>
>> > I am using OSSEC 2.6 on CentOS 5.3 64-bit.
>> > What's the mechanism of the auto ignore for a file that changes too
>> > often? Does it ignore the file after the third change? How to check if
>> > a file is already ignored?
>>
>> If you don't turn off auto ignore, changes after the third will not be
>> tracked.
>> The only way I know of to see how many times it's changed is to count
>> the number of entries in the syscheck db:
>> `./syscheck_control -i 001 | grep ossec.conf | wc -l`
>>
>> > I found a file was changed, but it was not reported by OSSEC. I
>> > guess the file was ignored automatically.
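As an added example (not from the thread or the OSSEC project), a small parser for the `syscheck_control -i` listing quoted above: it applies dan's per-file entry count and flags paths whose stored count has reached auto_ignore's third-change threshold, which is the point after which further changes go untracked unless auto_ignore is off. It assumes the integer after the comma in each entry is that file's change count; the /etc/hosts line in the sample is constructed.

```python
import re
from collections import defaultdict

# Entry lines of `syscheck_control -i <agent_id>` look like
# "YYYY Mon DD HH:MM:SS,N - /path". N is taken here to be the change
# count stored for the file (assumption; it matches the "ignored after
# the third change" behaviour described in the thread).
ENTRY_RE = re.compile(r"^(\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}),(\d+) - (.+)$")

AUTO_IGNORE_THRESHOLD = 3  # auto_ignore stops tracking after the third change


def parse_syscheck_entries(output):
    """Return a list of (timestamp, change_count, path); header and '....' lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), int(m.group(2)), m.group(3)))
    return entries


def summarize(output):
    """Per path: number of db entries (dan's grep | wc -l) and highest change count seen."""
    summary = defaultdict(lambda: {"entries": 0, "max_changes": 0})
    for _ts, count, path in parse_syscheck_entries(output):
        s = summary[path]
        s["entries"] += 1
        s["max_changes"] = max(s["max_changes"], count)
    return dict(summary)


def files_at_threshold(output, threshold=AUTO_IGNORE_THRESHOLD):
    """Paths whose change count reached the threshold: with auto_ignore on,
    later changes to these are no longer tracked, so a missing alert is not
    evidence that the file is unchanged."""
    return sorted(p for p, s in summarize(output).items() if s["max_changes"] >= threshold)


# Constructed sample resembling the thread's output; the /etc/hosts line is made up.
SAMPLE = """\
Changes for 2012 Jan 27:
2012 Jan 27 20:03:14,3 - /etc/passwd
2012 Jan 27 20:03:51,3 - /etc/passwd-
2012 Jan 27 20:05:02,1 - /etc/hosts
....
Changes for 2012 Jan 30:
"""

if __name__ == "__main__":
    for path, s in sorted(summarize(SAMPLE).items()):
        print(f"{path}: entries={s['entries']} max_changes={s['max_changes']}")
    print("at auto_ignore threshold:", files_at_threshold(SAMPLE))
```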
