On Thu, Sep 27, 2012 at 11:24 AM, Michiel van Es <vanesmich...@gmail.com> wrote:
>
> 2012/9/27 Michiel van Es <vanesmich...@gmail.com>
>>
>> 2012/9/27 dan (ddp) <ddp...@gmail.com>
>>>
>>> On Thu, Sep 27, 2012 at 10:12 AM, Michiel van Es <vanesmich...@gmail.com> wrote:
>>> >
>>> > On Thursday 27 September 2012 16:07:24 UTC+2, dan (ddpbsd) wrote the following:
>>> >>
>>> >> On Thu, Sep 27, 2012 at 9:49 AM, Michiel van Es <vanesm...@gmail.com> wrote:
>>> >> > Hello,
>>> >> >
>>> >> > I have installed OSSEC 2.6 on a CentOS 6 64 bit machine via the tar.gz + ./install.sh
>>> >> > I chose the local install since it has to run on 1 server (a VPS).
>>> >> > I have noticed after 3 days that
>>> >> >
>>> >> > <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
>>> >> >
>>> >> > has never run when syscheck and rootcheck have run.
>>> >> > I see a lot of:
>>> >> > #########
>>> >> > 2012/09/26 17:28:02 ossec-rootcheck: DEBUG: Starting ...
>>> >> > 2012/09/26 17:28:15 ossec-rootcheck: DEBUG: Starting ...
>>> >> > 2012/09/26 17:28:52 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>>> >> > 2012/09/26 17:28:52 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
>>> >> > 2012/09/26 17:33:55 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
>>> >> > 2012/09/26 17:34:07 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
>>> >> > 2012/09/26 17:34:27 ossec-rootcheck: INFO: Starting rootcheck scan.
>>> >> > 2012/09/26 17:40:58 ossec-rootcheck: INFO: Ending rootcheck scan.
>>> >> > 2012/09/26 19:04:15 ossec-rootcheck: INFO: Starting rootcheck scan.
>>> >> > 2012/09/26 19:10:16 ossec-rootcheck: INFO: Ending rootcheck scan.
>>> >> > #########
>>> >> >
>>> >> > and never received one alert for the PHP checks (expose_php = On).
>>> >> > Also via the ossec-wui I cannot find anything about this.
>>> >> > It seems it does not check the policies.
>>> >> >
>>> >> > How can I trigger the syscheck/rootcheck to check the system for policies?
>>> >> >
>>> >> > Michiel
>>> >>
>>> >> I think if you run everything in debug mode it provides more information on what is being checked.
>>> >
>>> > Ok, will check. Can I force a root/syscheck so I can check the /var/ossec/log/ossec.log log file?
>>>
>>> Restart OSSEC? Restart ossec-syscheckd?
>>
>> Ok, I do see some entries when I run /var/ossec/bin/rootcheck_control -i local, but it is never emailed to me.
>> I will see if I can let it alert when it runs.
>>
>> Thx.
>
> Stupid question, but /var/ossec/bin/rootcheck_control -i local shows System Audit entries, yet these entries are never in alert.log and are never emailed.
>
> On a setup with a manager and agents this works perfectly and emails just fine, but on a local (1 box) install I never receive alerts.
> Am I overlooking things?
No idea, I don't use rootcheck. Hopefully someone with rootcheck experience can chime in. Have you compared the configurations between the local system and the server/agent install?
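As an added diagnostic example (not code from this thread or from OSSEC), the script below parses an ossec.log excerpt like the one Michiel quoted, pairs each "Starting ... scan" line with its "Ending ... scan" line to confirm the rootcheck and syscheck cycles actually complete, and reports whether anything in the log mentions system_audit at all; the sample log lines are constructed from the excerpt in the thread.

```python
import re
from datetime import datetime

# Sample log lines constructed from the excerpt quoted in the thread.
SAMPLE_LOG = """\
2012/09/26 17:28:02 ossec-rootcheck: DEBUG: Starting ...
2012/09/26 17:28:15 ossec-rootcheck: DEBUG: Starting ...
2012/09/26 17:28:52 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2012/09/26 17:28:52 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2012/09/26 17:33:55 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2012/09/26 17:34:07 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2012/09/26 17:34:27 ossec-rootcheck: INFO: Starting rootcheck scan.
2012/09/26 17:40:58 ossec-rootcheck: INFO: Ending rootcheck scan.
2012/09/26 19:04:15 ossec-rootcheck: INFO: Starting rootcheck scan.
2012/09/26 19:10:16 ossec-rootcheck: INFO: Ending rootcheck scan.
"""

# Record layout seen in the excerpt: "YYYY/MM/DD HH:MM:SS daemon: LEVEL: message"
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\S+): (\w+): (.*)$")
SCAN_RE = re.compile(r"^(Starting|Ending) (rootcheck|syscheck) scan")

def scan_cycles(log_text):
    """Pair each 'Starting X scan' with the next 'Ending X scan'. Returns
    (cycles, mentions_audit): cycles is a list of (component, start, end,
    seconds); mentions_audit is True if any message names system_audit."""
    open_scans, cycles, mentions_audit = {}, [], False
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an OSSEC log record (e.g. the ######## separators)
        ts, _daemon, _level, msg = m.groups()
        if "system_audit" in msg:
            mentions_audit = True
        s = SCAN_RE.match(msg)
        if not s:
            continue  # DEBUG "Starting ..." and pre-scan lines are not scan cycles
        when = datetime.strptime(ts, "%Y/%m/%d %H:%M:%S")
        action, component = s.groups()
        if action == "Starting":
            open_scans[component] = when
        elif component in open_scans:
            start = open_scans.pop(component)
            cycles.append((component, start, when, int((when - start).total_seconds())))
    return cycles, mentions_audit

if __name__ == "__main__":
    cycles, audit = scan_cycles(SAMPLE_LOG)
    for component, start, end, secs in cycles:
        print(f"{component}: {start:%H:%M:%S} -> {end:%H:%M:%S} ({secs}s)")
    print("system_audit mentioned in log:", audit)
```

On the quoted excerpt this reports one completed syscheck cycle and two completed rootcheck cycles with no reference to system_audit, which narrows the problem to the policy checks themselves rather than to scans that never finish.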