Aha, replying to self... It worked. There's no clue it's found something from the ossec-syscheck stdout, even when you run it in foreground with -vv. I'd spent an hour wading through the code trying to see what it was doing, when the alerts log suddenly popped up a message about one of the files I'd changed. So it is working, even if I'm not yet in proper control of it. :)
Thanks for the help.

On Thursday, 23 October 2014 07:55:03 UTC+1, de...@scratters.com wrote:
>
>> Was the file already in the syscheck database?
>
> Yes.
>
>> Did a syscheck scan run after you modified the file?
>
> I don't know. That's the issue I'm confused about. How can I tell?
>
>> > The FAQ says that in order to run a system check you use the command:
>> >
>> > # /var/ossec/bin/agent_control -r -a
>> >
>> > which runs it for all agents. I don't have any agents, and that command
>> > gives me:
>> >
>> > # ./agent_control -r -a
>> > 2014/10/10 23:15:44 agent_control(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
>> > 2014/10/10 23:15:44 agent_control(1301): ERROR: Unable to connect to active response queue.
>> >
>> > ** Unable to connect to remoted.
>> >
>> > Is this likely relevant to my problem?
>>
>> If you don't have any agents, why would you run something called
>> "agent_control?"
>
> Because the FAQ says that's the thing to do! It doesn't make complete
> sense to me either, but running "agent_control" on the server, lists, under
> available agents, agent ID "000" as "Active/Local". It appears there's an
> agent of sorts running there so using "agent_control" kinda makes sense.
>
> If "agent_control" isn't the answer, what is? What will trigger syscheck
> to go and have a look at the monitored directories to see if any have been
> changed?