> Was the file already in the syscheck database?

Yes.

> Did a syscheck scan run after you modified the file?

I don't know. That's the issue I'm confused about. How can I tell?

> > The FAQ says that in order to run a system check you use the command:
> >
> > # /var/ossec/bin/agent_control -r -a
> >
> > which runs it for all agents. I don't have any agents, and that command
> > gives me:
> >
> > # ./agent_control -r -a
> > 2014/10/10 23:15:44 agent_control(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
> > 2014/10/10 23:15:44 agent_control(1301): ERROR: Unable to connect to active response queue.
> >
> > ** Unable to connect to remoted.
> >
> > Is this likely relevant to my problem?
>
> If you don't have any agents, why would you run something called
> "agent_control?"

Because the FAQ says that's the thing to do! It doesn't make complete sense to me either, but running "agent_control" on the server, lists, under available agents, agent ID "000" as "Active/Local". It appears there's an agent of sorts running there so using "agent_control" kinda makes sense.

If "agent_control" isn't the answer, what is? What will trigger syscheck to go and have a look at the monitored directories to see if any have been changed?