I am also interested in this topic. If I am understanding it correctly, 
each time OSSEC scans a client, it essentially creates a list of metadata 
for each matching file (including filesize, modification time, md5sum, 
sha1sum, filename, etc). From what I can see, this data is stored in 
/var/ossec/queue/syscheck/<hostname> and the format is documented here:
http://marc.info/?l=ossec-list&m=135842957311803&w=2

What happens with each subsequent scan? I would guess that OSSEC keeps at 
least the previous scan around and then diffs it with the most recent scan 
to see which files have been modified. If so, where is each subsequent scan 
stored on the OSSEC manager server? For example, is it something like this:

   - /var/ossec/queue/syscheck/<hostname> (most recent scan)
   - /var/ossec/queue/syscheck/<hostname>.1 (scan from 6 hours ago)
   - /var/ossec/queue/syscheck/<hostname>.2 (scan from 12 hours ago)


Thanks!

On Monday, 27 October 2014 09:23:29 UTC-5, dan (ddpbsd) wrote:
>
> On Fri, Oct 24, 2014 at 5:27 PM, Kyle Hopfensperger 
> <[email protected]> wrote: 
> > Hello, 
> > 
> > I just created an OSSEC server (14.04) and have it running on a few test 
> > machines, both Linux and Windows. I'm wondering where it is storing the 
> > information? I have it set up to use MySQL but the tables seem to be 
> > empty, 
>
> There's an alerts (data?) table, I think. Is that one empty? 
>
> > yet the ossec-wui shows data when I search. 
> > 
>
> In the past the WUI has used the text logfiles in /var/ossec/logs to 
> populate the pages. I don't think this has changed. 
>
> > 
> > Thanks for the help 
> > 
> > -- 
> > 
> > --- 
> > You received this message because you are subscribed to the Google Groups 
> > "ossec-list" group. 
> > To unsubscribe from this group and stop receiving emails from it, send an 
> > email to [email protected]. 
> > For more options, visit https://groups.google.com/d/optout. 
>
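An added illustration of the baseline-and-diff idea raised in the first message (this is example code, not from the thread or from the OSSEC code base): it records the same kind of per-file metadata syscheck lists (size, mtime, md5, sha1), keeps one scan as the stored baseline, and reports what a later scan added, removed or changed. The file names, in-memory layout and scenario are constructed for the demo; OSSEC's real syscheck database format is the one documented at the link above, not this.

```python
import hashlib
import os
import shutil
import tempfile
from collections import namedtuple

FileMeta = namedtuple("FileMeta", "size mtime md5 sha1")  # constructed subset of syscheck fields

def file_meta(path):
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    st = os.stat(path)
    return FileMeta(st.st_size, int(st.st_mtime), md5.hexdigest(), sha1.hexdigest())

def scan(root):
    """One 'scan': map each path under root (relative, '/'-separated) to its metadata."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = file_meta(full)
    return snap

def diff_scans(old, new):
    """Compare the stored baseline with the newest scan; any changed field counts."""
    return {
        "added": sorted(new.keys() - old.keys()),
        "deleted": sorted(old.keys() - new.keys()),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }

def demo():
    """Constructed scenario: edit one file in place (same size), delete one, add one."""
    root = tempfile.mkdtemp()
    def write(rel, text):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
    try:
        write("passwd", "root:x:0:0\n")
        write("hosts", "127.0.0.1 localhost\n")
        baseline = scan(root)            # the copy a manager would keep between scans
        write("passwd", "root:x:0:1\n")  # same size, maybe same mtime second; hashes differ
        os.remove(os.path.join(root, "hosts"))
        write("shadow", "root:!:0\n")
        return diff_scans(baseline, scan(root))
    finally:
        shutil.rmtree(root)
```

The in-place edit is caught by the hash fields even when size and mtime are unchanged, which is why a size/mtime-only comparison is not enough for integrity checking.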
