OK, I feel dumb. I've described the problem incorrectly. I was looking at 
the wrong test file.  I redid the entire process, and now I'm seeing that 
after the file deletes, it no longer shows up on the syscheck again.  Here 
are the steps I took to test.

1) Restart Agent and let it run the initial syscheck
2) After Syscheck is done, delete the file
3) Restart the Agent again and let it run initial syscheck again
4) Force Syscheck from the Server

It does not show after 3 or 4.

I'm going to test skipping step 3 and do a force syscheck after deleting 
the file and see if it is logged at all.

If not, then it looks like the Agent isn't even reporting that the file is 
no longer there.

On Wednesday, January 30, 2013 1:03:02 PM UTC-5, jtu...@rdx.com wrote:
>
> I'm running OSSEC 2.7 on a CentOS 5.9 server. I have a Windows Agent on a 
> Windows 2008 R2 Server. I can get it to report changes to files and new 
> files, but I am unable to get it to report deleted files.
>
> To test, I created a test directory under the folder I monitor and created 
> some random test files.  It logs the creation, then I alter them, which it 
> also logs, but when I remove one of them, I don't get a log.
>
> I turned Debugging on, and repeated this process, and after I deleted, I 
> sent a syscheck request to the agent from the server, and the below entry 
> did show up, so it is clearly sending something back to the server, but I'm 
> not sure how to proceed with the troubleshoot from here.
>
> 2013/01/30 12:35:07 ossec-agent: DEBUG: Sending message to server: '31:33206:0:0:9b143fd3618a6732ff7ce88ca79e8ebb:2d6a596cc25a5f7e9ec8678085126505c44c1ca4 E:\Indexes/test/test2.txt'
>
> I've seen this has been a problem for others but I've not seen 
> a definitive answer, so if someone knows the solution, or if you can point 
> me towards the next steps in troubleshooting I'd appreciate it.
>
