Reporting the changed file contents (report_changes) works for files on the OSSEC server itself, but not for files monitored on remote agents.  Any help 
would be greatly appreciated.

On Monday, July 14, 2014 6:29:04 PM UTC-7, Steven Ho wrote:
>
> Hi,
>
>  
>
> I’ve just installed ossec 2.7.1 and am trying to get Ossec to send the 
> actual contents of what changed in a file.  Here’s what my ossec.conf looks 
> like for the syscheck section.  report_changes="yes" has been included 
> already. Am I doing anything wrong?  Currently it only shows the checksum 
> changing:
>
>  
>
> *51*
>
> *Level:*
>
> *7 - **Integrity checksum changed.*
>
> *Rule Id:*
>
> 550 <http://www.ossec.net/doc/search.html?q=rule-id-550> 
>
> *Location:*
>
> (SNAv2.dev.i.spireon.com) 192.168.40.165->syscheck 
>
> Integrity checksum changed for: '/etc/group'
> Size changed from '909' to '915'
> Old md5sum was: '907cffdef99913c1fede06e557535594'
> New md5sum is : '5f35bae53e79dcc2c1601c849bddd2a3'
> Old sha1sum was: 'a992bae3a822f036a7637b3af24c8c1921a5b7bb'
> New sha1sum is : '3a6b75af8013169aff06fca37377b3830d5b201b'
>
>  
>
> <syscheck>
>
>     <!-- Frequency that syscheck is executed, in seconds - default to every 22 hours; set to 3600 (hourly) here -->
>
>     <frequency>3600</frequency>
>
>     <scan_on_start>yes</scan_on_start>
>
>     <alert_new_files>yes</alert_new_files>
>
>     <!-- Directories to check  (perform all possible verifications) -->
>
>     <directories realtime="yes" report_changes="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>
>     <directories check_all="yes">/bin,/sbin</directories>
>
>  
>
>     <!-- Files/directories to ignore -->
>
>     <ignore>/etc/mtab</ignore>
>
>     <ignore>/etc/mnttab</ignore>
>
>     <ignore>/etc/hosts.deny</ignore>
>
>     <ignore>/etc/mail/statistics</ignore>
>
>     <ignore>/etc/random-seed</ignore>
>
>     <ignore>/etc/adjtime</ignore>
>
>     <ignore>/etc/httpd/logs</ignore>
>
>     <ignore>/etc/utmpx</ignore>
>
>     <ignore>/etc/wtmpx</ignore>
>
>     <ignore>/etc/cups/certs</ignore>
>
>     <ignore>/etc/dumpdates</ignore>
>
>     <ignore>/etc/svc/volatile</ignore>
>
>  
>
>     <!-- Windows files to ignore -->
>
>     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>
>     <ignore>C:\WINDOWS/Debug</ignore>
>
>     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>
>     <ignore>C:\WINDOWS/iis6.log</ignore>
>
>     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>
>     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>
>     <ignore>C:\WINDOWS/Prefetch</ignore>
>
>     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>
>     <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>
>     <ignore>C:\WINDOWS/Temp</ignore>
>
>     <ignore>C:\WINDOWS/system32/config</ignore>
>
>     <ignore>C:\WINDOWS/system32/spool</ignore>
>
>     <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>
>   </syscheck>
>
>  
>
> Thanks,
>
> Steven
>
