On Tue, Oct 28, 2014 at 1:50 PM, Andrew Martin <[email protected]> wrote: > Okay, thanks for the clarification. Is there a point at which old entries > are then purged from the file (or do they remain in there forever)? >
I believe they remain there forever, but I haven't looked at the code. > On 28 October 2014 08:47, dan (ddp) <[email protected]> wrote: >> >> On Tue, Oct 28, 2014 at 9:42 AM, Andrew Martin >> <[email protected]> wrote: >> > I am also interested in this topic. If I am understanding it correctly, >> > each >> > time OSSEC scans a client, it essentially creates a list of metadata for >> > each matching file (including filesize, modification time, md5sum, >> > sha1sum, >> > filename, etc). From what I can see, this data is stored in >> > /var/ossec/queue/syscheck/<hostname> and the format is documented here: >> > http://marc.info/?l=ossec-list&m=135842957311803&w=2 >> > >> > What happens with each subsequent scan? I would guess that OSSEC keeps >> > at >> > least the previous scan around and then diffs it with the most recent >> > scan >> > to see which files have been modified. If so, where is each subsequent >> > scan >> > stored on the OSSEC manager server? For example, is it something like >> > this: >> > >> >> Nope. New or updated entries are added to the file. Old entries are >> commented out. >> >> > /var/ossec/queue/syscheck/<hostname> (most recent scan) >> > /var/ossec/queue/syscheck/<hostname>.1 (scan from 6 hours ago) >> > /var/ossec/queue/syscheck/<hostname>.2 (scan from 12 hours ago) >> > >> > >> > Thanks! >> > >> > On Monday, 27 October 2014 09:23:29 UTC-5, dan (ddpbsd) wrote: >> >> >> >> On Fri, Oct 24, 2014 at 5:27 PM, Kyle Hopfensperger >> >> <[email protected]> wrote: >> >> > Hello, >> >> > >> >> > I just created an OSSEC server (14.04) and have it running on a few >> >> > test >> >> > machines, both Linux and Windows. I'm wondering where it is storing >> >> > the >> >> > information? I have it setup to use mysql but the tables seem to be >> >> > empty, >> >> >> >> There's an alerts (data?) table, I think. Is that one empty? >> >> >> >> > yet the ossec-wui shows data when I search. >> >> > >> >> >> >> In the past the WUI has used the text logfiles in /var/ossec/logs to >> >> populate the pages. I don't think this has changed. >> >> >> >> > >> >> > Thanks for the help >> >> > >> >> > -- >> >> > >> >> > --- >> >> > You received this message because you are subscribed to the Google >> >> > Groups >> >> > "ossec-list" group. >> >> > To unsubscribe from this group and stop receiving emails from it, >> >> > send >> >> > an >> >> > email to [email protected]. >> >> > For more options, visit https://groups.google.com/d/optout. >> > >> > -- >> > >> > --- >> > You received this message because you are subscribed to the Google >> > Groups >> > "ossec-list" group. >> > To unsubscribe from this group and stop receiving emails from it, send >> > an >> > email to [email protected]. >> > For more options, visit https://groups.google.com/d/optout. >> >> -- >> >> --- >> You received this message because you are subscribed to a topic in the >> Google Groups "ossec-list" group. >> To unsubscribe from this topic, visit >> https://groups.google.com/d/topic/ossec-list/UxHoFxw7tqM/unsubscribe. >> To unsubscribe from this group and all its topics, send an email to >> [email protected]. >> For more options, visit https://groups.google.com/d/optout. > > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
