I checked the alerts log and the hashes are not there. There are, however,
longer entries than these (e.g. registry keys) that include hashes.

I will, for now, assume that the hash is not computed as the file changes
too often and will observe if other (standard) files report hashes
correctly.

Thanks for your help, dan.

On Wed, Jan 14, 2015 at 3:52 PM, dan (ddp) <[email protected]> wrote:

> On Wed, Jan 14, 2015 at 4:56 AM, Martin Kvocka <[email protected]> wrote:
> > Hi,
> >
> > I managed to get the samples. In manager syscheck queue I found the
> > following:
> >
> >
> > #++0:33206:0:0:f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58 !1421093166 C:\Program Files/Microsoft SQL Server/MSSQL11.APPS/MSSQL/Log/system_health_0_130655447155770000.xel
> >
> > #++312832:33206:0:0:f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58 !1421129146 C:\Program Files/Microsoft SQL Server/MSSQL11.APPS/MSSQL/Log/system_health_0_130655447155770000.xel
> >
> > #!+465920:33206:0:0:f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58 !1421165040 C:\Program Files/Microsoft SQL Server/MSSQL11.APPS/MSSQL/Log/system_health_0_130655447155770000.xel
> >
> > !!!619520:33206:0:0:f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58 !1421201008 C:\Program Files/Microsoft SQL Server/MSSQL11.APPS/MSSQL/Log/system_health_0_130655447155770000.xel
> >
> > And in logs:
> >
> > Jan 13 07:05:46 a.b.c.d ossec: Alert Level: 7; Rule: 550 - Integrity checksum changed.; Location: (hostname) a.b.c.d->syscheck; Integrity checksum changed for: 'C:\Program Files/Microsoft SQL Server/MSSQL11.APPS/MSSQL/Log/system_health_0_130655447155770000.xel'
> >
> > Jan 13 17:04:00 a.b.c.d ossec: Alert Level: 7; Rule: 550 - Integrity checksum changed.; Location: (hostname) a.b.c.d->syscheck; Integrity checksum changed for: 'C:\Program Files/Microsoft SQL Server/MSSQL11.APPS/MSSQL/Log/system_health_0_130655447155770000.xel'
> >
> >
> > I just realized that the .xel file seems to be a log file and may change
> > often - may this be the cause?
> >
>
> The hashes are there in the syscheck db, but not in your syslog
> messages. I'm guessing that adding the hashes makes the messages too
> long so they were trimmed. You can check the alerts.log file for the
> original alerts to see if the hashes are there.
>
> > Thanks,
> > MK
> >
> > On Tuesday, January 13, 2015 at 3:43:21 PM UTC+1, dan (ddpbsd) wrote:
> >>
> >> On Tue, Jan 13, 2015 at 9:40 AM, Martin Kvocka <[email protected]> wrote:
> >> > Hi,
> >> >
> >> > We have Ossec server/agents (2.7.0) for monitoring file integrity. Both
> >> > include check_all="yes" in their syscheck configurations. The agents work
> >> > perfectly and report file changes including their old/current MD5 and SHA1
> >> > hashes. However, logs from the Ossec server machine report only file
> >> > changes, but don't include the hashes.
> >> >
> >> > Did any of you encounter this issue? How should I debug it?
> >> >
> >>
> >>
> >> Can you show us an example?
> >> Do the hashes exist in the syscheck db for the manager?
> >>
> >> > Thanks
> >> >
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google
> >> > Groups
> >> > "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send
> >> > an
> >> > email to [email protected].
> >> > For more options, visit https://groups.google.com/d/optout.
> >
>

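The following is an added example, not code from this thread or from the OSSEC project. It parses the manager-side syscheck database lines quoted above and applies the check a defender would want on them: for consecutive versions of the same file, does the size change while both digests stay identical? Files that grow without either digest changing (exactly what the quoted .xel entries show) are files whose integrity the hashes are not actually tracking. The entry layout (three change flags, size, perm, uid, gid, MD5, SHA1, `!epoch`, path) is inferred from the quoted lines and is an assumption for other OSSEC versions; the `md5sum`/`sha1sum` field names tested by `alert_has_digests` are, to my recollection, what OSSEC writes into alerts.log for rule 550, and are likewise an assumption.

```python
"""Added example (not from the ossec-list thread or the OSSEC project): parse
syscheck db entries and flag files whose size changes while both digests stay
identical.  Entry layout is inferred from the lines quoted in the thread."""
import re
from collections import defaultdict

# One syscheck db entry: three change flags, then colon-separated attributes,
# then " !<epoch> <path>".  Layout inferred from the quoted lines (assumption).
ENTRY_RE = re.compile(
    r"^(?P<flags>[+#!]{3})(?P<size>\d+):(?P<perm>\d+):(?P<uid>\d*):(?P<gid>\d*):"
    r"(?P<md5>[0-9a-f]{32}):(?P<sha1>[0-9a-f]{40}) !(?P<ts>\d+) (?P<path>.+)$"
)

# Sample input, constructed from the entries quoted in the thread.
SAMPLE_PATH = (r"C:\Program Files/Microsoft SQL Server/MSSQL11.APPS/MSSQL/Log/"
               r"system_health_0_130655447155770000.xel")
MD5 = "f5679adb3c830f61d8fed1c287d42e62"
SHA1 = "5546733b9afdb2a403c8e58f85c74af2739ddb58"
SAMPLE_DB_LINES = [
    f"#++0:33206:0:0:{MD5}:{SHA1} !1421093166 {SAMPLE_PATH}",
    f"#++312832:33206:0:0:{MD5}:{SHA1} !1421129146 {SAMPLE_PATH}",
    f"#!+465920:33206:0:0:{MD5}:{SHA1} !1421165040 {SAMPLE_PATH}",
    f"!!!619520:33206:0:0:{MD5}:{SHA1} !1421201008 {SAMPLE_PATH}",
]
# The syslog copy of the rule 550 alert quoted in the thread, as one line.
SAMPLE_SYSLOG_ALERT = (
    "Jan 13 07:05:46 a.b.c.d ossec: Alert Level: 7; Rule: 550 - Integrity "
    "checksum changed.; Location: (hostname) a.b.c.d->syscheck; Integrity "
    f"checksum changed for: '{SAMPLE_PATH}'"
)


def parse_entry(line):
    """Return a dict for one db line, or None if the line is not an entry."""
    m = ENTRY_RE.match(line.rstrip("\n"))
    if not m:
        return None
    e = m.groupdict()
    e["size"] = int(e["size"])
    e["ts"] = int(e["ts"])
    return e


def parse_db(lines):
    """Parse every recognisable entry; lines that do not match are skipped."""
    return [e for e in map(parse_entry, lines) if e is not None]


def find_stale_digests(entries):
    """Map path -> [(old_size, new_size), ...] for consecutive versions of the
    same file whose size changed while MD5 and SHA1 both stayed identical.
    Content cannot in practice change size and keep both digests, so such a
    pair means the digest was not recomputed: the hash is not tracking that
    file, whatever the reason (e.g. a log the agent could not re-hash)."""
    by_path = defaultdict(list)
    for e in entries:
        by_path[e["path"]].append(e)
    findings = {}
    for path, versions in by_path.items():
        versions.sort(key=lambda e: e["ts"])
        for prev, cur in zip(versions, versions[1:]):
            if (cur["size"] != prev["size"]
                    and cur["md5"] == prev["md5"]
                    and cur["sha1"] == prev["sha1"]):
                findings.setdefault(path, []).append((prev["size"], cur["size"]))
    return findings


def alert_has_digests(alert_text):
    """True if an alert carries old/new digest fields.  'md5sum' and 'sha1sum'
    are the field names OSSEC writes into alerts.log for rule 550 (assumption,
    from memory of the syscheck decoder); the syslog copy quoted in the thread
    carries neither, which is the symptom being discussed."""
    return "md5sum" in alert_text and "sha1sum" in alert_text


if __name__ == "__main__":
    entries = parse_db(SAMPLE_DB_LINES)
    for path, pairs in find_stale_digests(entries).items():
        for old, new in pairs:
            print(f"digest unchanged while size {old} -> {new}: {path}")
    print("syslog alert carries digests:", alert_has_digests(SAMPLE_SYSLOG_ALERT))
```

Run against a real syscheck db (one file per agent under the manager's queue/syscheck directory), `find_stale_digests` gives the list of paths for which a rule 550 alert says nothing about content, which is the set to either exclude from syscheck or investigate before trusting the hashes; `alert_has_digests` separates the "hash never computed" case from the "hash dropped from the syslog copy" case that dan describes.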