Hi!
I'm having issues with real-time detection and the syscheck scan; look at
the time that syscheck took:
2013/09/11 11:46:57 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2013/09/11 11:46:57 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2013/09/11 11:46:57 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
2013/09/11 11:46:57 ossec-syscheckd: DEBUG: Directory added for real time monitoring: '/srv/www/'.
2013/09/11 11:46:57 ossec-syscheckd: DEBUG: Directory added for real time monitoring: '/home/XXXXXX/'.
2013/09/11 11:46:57 ossec-syscheckd: DEBUG: Directory added for real time monitoring: '/home/YYYYYYY/'.
2013/09/11 11:46:57 ossec-syscheckd: INFO: Real time file monitoring started.
2013/09/11 11:46:57 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2013/09/11 11:47:09 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2013/09/11 11:47:29 ossec-rootcheck: INFO: Starting rootcheck scan.
2013/09/11 11:47:29 ossec-rootcheck: DEBUG: Starting on check_rc_files
2013/09/11 11:47:29 ossec-rootcheck: DEBUG: Starting on check_rc_trojans
Real-time monitoring is not working as well. Here is my agent ossec.conf:
<syscheck>
  <!-- Frequency that syscheck is executed - default to every 22 hours -->
  <frequency>21600</frequency>
  <scan_on_start>yes</scan_on_start>
  <auto_ignore>no</auto_ignore>
  <alert_new_files>yes</alert_new_files>

  <!-- Directories to check (perform all possible verifications) -->
  <directories report_changes="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories report_changes="yes" check_all="yes">/bin,/sbin</directories>
  <directories realtime="yes" check_all="yes">/srv/www,/home/XXXXXX,/home/YYYYYY/apache</directories>

  <!-- Files/directories to ignore -->
  <ignore>/etc/mtab</ignore>
  <ignore>/etc/mnttab</ignore>
  <ignore>/etc/hosts.deny</ignore>
  <ignore>/etc/mail/statistics</ignore>
  <ignore>/etc/random-seed</ignore>
  <ignore>/etc/adjtime</ignore>
  <ignore>/etc/httpd/logs</ignore>
  <ignore>/etc/utmpx</ignore>
  <ignore>/etc/wtmpx</ignore>
  <ignore>/etc/cups/certs</ignore>
  <ignore>/etc/dumpdates</ignore>
  <ignore>/etc/svc/volatile</ignore>
  <ignore>/var/ossec/queue</ignore>
  <ignore>/var/ossec/logs</ignore>
  <ignore>/var/ossec/stats</ignore>
  <ignore>/var/ossec/var</ignore>
  <ignore>/home/YYYYYYYY/apache/logs</ignore>
</syscheck>
The weird thing is, I had it working on other servers.
Syscheck didn't even create all the queues:
# ls /var/ossec/queue/diff/local/
etc
# du -hsc /var/ossec/queue/diff/local/*
608K /var/ossec/queue/diff/local/etc
608K total
I've got no idea why syscheck is kind of jumping the scan. I
checked the conf files and they seem OK!
Am I missing anything?
Regards,
Stephan
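As an added example (not part of the original post or of OSSEC itself), a small check that parses ossec-syscheckd log lines of the format shown above to measure how long the scan took, and compares the realtime="yes" directories in the syscheck block against the "Directory added for real time monitoring" DEBUG lines, so a configured directory the daemon never picked up stands out. The log lines and paths below are constructed sample data, not the poster's.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample input modelled on the post (hypothetical paths).
LOG = """\
2013/09/11 11:46:57 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2013/09/11 11:46:57 ossec-syscheckd: DEBUG: Directory added for real time monitoring: '/srv/www/'.
2013/09/11 11:46:57 ossec-syscheckd: DEBUG: Directory added for real time monitoring: '/home/alice/'.
2013/09/11 11:46:57 ossec-syscheckd: INFO: Real time file monitoring started.
2013/09/11 11:47:09 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
"""

# Constructed syscheck block: one realtime directory is never reported by the daemon.
CONF = """\
<syscheck>
  <frequency>21600</frequency>
  <directories realtime="yes" check_all="yes">/srv/www,/home/alice,/home/bob/apache</directories>
  <directories check_all="yes">/etc,/usr/bin</directories>
</syscheck>
"""

TS_FORMAT = "%Y/%m/%d %H:%M:%S"
LINE = re.compile(r"^(\S+ \S+) ossec-syscheckd: (\w+): (.*)$")
ADDED = re.compile(r"Directory added for real time monitoring: '([^']+)'")


def scan_seconds(log):
    """Seconds between 'Starting syscheck scan' and 'Ending syscheck scan', or None."""
    start = end = None
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # rootcheck and other daemons are ignored
        ts = datetime.strptime(m.group(1), TS_FORMAT)
        if "Starting syscheck scan" in m.group(3):
            start = ts
        elif "Ending syscheck scan" in m.group(3):
            end = ts
    return None if start is None or end is None else (end - start).total_seconds()


def realtime_gap(conf, log):
    """Configured realtime directories that never appear in the daemon's DEBUG output."""
    wanted = set()
    for d in ET.fromstring(conf).findall("directories"):
        if d.get("realtime") == "yes":
            wanted.update(p.strip().rstrip("/") for p in d.text.split(","))
    added = {m.group(1).rstrip("/") for m in ADDED.finditer(log)}
    return sorted(wanted - added)
```

Run it against the agent's real ossec.log (with debug enabled, so the DEBUG lines are present) and the syscheck block of its ossec.conf; a very short scan time together with a non-empty gap points at directories the daemon is not walking at all.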
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.