Hello, I have installed OSSEC 2.6 on a CentOS 6 64 bit machine via the tar.gz + ./install.sh I choose the local install since it has to run on 1 server ( a VPS). I have noticed after 3 days that <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit> has never run when syscheck and rootcheck has run. I see a lot of : ######### 2012/09/26 17:28:02 ossec-rootcheck: DEBUG: Starting ... 2012/09/26 17:28:15 ossec-rootcheck: DEBUG: Starting ... 2012/09/26 17:28:52 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database). 2012/09/26 17:28:52 ossec-syscheckd: INFO: Starting syscheck database (pre-scan). 2012/09/26 17:33:55 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed). 2012/09/26 17:34:07 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database). 2012/09/26 17:34:27 ossec-rootcheck: INFO: Starting rootcheck scan. 2012/09/26 17:40:58 ossec-rootcheck: INFO: Ending rootcheck scan. 2012/09/26 19:04:15 ossec-rootcheck: INFO: Starting rootcheck scan. 2012/09/26 19:10:16 ossec-rootcheck: INFO: Ending rootcheck scan. #########
and never received one alert for the PHP checks (expose_php = On). Also via the ossec-wui I can not find anything about this. It seems it does not check the policies. How can I trigger the syscheck/rootcheck to check the system for policies? Michiel