On Thu, Jan 15, 2015 at 4:39 AM, Martin Kvocka <[email protected]> wrote:
> I checked the alerts log and the hashes are not there. There are however
> longer entries than these (f.e. registry keys) that include hashes.
>

Can you provide an example of an alert that does not include the hash?
I've never seen that before.

> I will, for now, assume that the hash is not computed as the file changes
> too often and will observe if other (standard) files report hashes
> correctly.
>

The examples from the syscheck db have hashes. The hashes are being computed.

> Thanks for your help dan.
>
> On Wed, Jan 14, 2015 at 3:52 PM, dan (ddp) <[email protected]> wrote:
>>
>> On Wed, Jan 14, 2015 at 4:56 AM, Martin Kvocka <[email protected]> wrote:
>> > Hi,
>> >
>> > I managed to get the samples. In manager syscheck queue I found the
>> > following:
>> >
>> > #++0:33206:0:0:f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58 !1421093166 C:\Program Files/Microsoft SQL Server/MSSQL11.APPS/MSSQL/Log/system_health_0_130655447155770000.xel
>> >
>> > #++312832:33206:0:0:f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58 !1421129146 C:\Program Files/Microsoft SQL Server/MSSQL11.APPS/MSSQL/Log/system_health_0_130655447155770000.xel
>> >
>> > #!+465920:33206:0:0:f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58 !1421165040 C:\Program Files/Microsoft SQL Server/MSSQL11.APPS/MSSQL/Log/system_health_0_130655447155770000.xel
>> >
>> > !!!619520:33206:0:0:f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58 !1421201008 C:\Program Files/Microsoft SQL Server/MSSQL11.APPS/MSSQL/Log/system_health_0_130655447155770000.xel
>> >
>> > And in logs:
>> >
>> > Jan 13 07:05:46 a.b.c.d ossec: Alert Level: 7; Rule: 550 - Integrity checksum changed.; Location: (hostname) a.b.c.d->syscheck; Integrity checksum changed for: 'C:\Program Files/Microsoft SQL Server/MSSQL11.APPS/MSSQL/Log/system_health_0_130655447155770000.xel'
>> >
>> > Jan 13 17:04:00 a.b.c.d ossec: Alert Level: 7; Rule: 550 - Integrity checksum changed.; Location: (hostname) a.b.c.d->syscheck; Integrity checksum changed for: 'C:\Program Files/Microsoft SQL Server/MSSQL11.APPS/MSSQL/Log/system_health_0_130655447155770000.xel'
>> >
>> > I just realized that the .xel file seems to be a log file and may change
>> > often - may this be the cause?
>> >
>>
>> The hashes are there in the syscheck db, but not in your syslog
>> messages. I'm guessing that adding the hashes makes the messages too
>> long so they were trimmed. You can check the alerts.log file for the
>> original alerts to see if the hashes are there.
>>
>> > Thanks,
>> > MK
>> >
>> > On Tuesday, January 13, 2015 at 3:43:21 PM UTC+1, dan (ddpbsd) wrote:
>> >>
>> >> On Tue, Jan 13, 2015 at 9:40 AM, Martin Kvocka <[email protected]> wrote:
>> >> > Hi,
>> >> >
>> >> > we have Ossec server/agents (2.7.0) for monitoring file integrity. Both
>> >> > include check_all="yes" in their syscheck configurations. The agents work
>> >> > perfectly and report file changes including their old/current MD5 and SHA1
>> >> > hashes. However, logs from the Ossec server machine report only file
>> >> > changes, but don't include the hashes.
>> >> >
>> >> > Did any of you encounter this issue? How should I debug it?
>> >> >
>> >>
>> >> Can you show us an example?
>> >> Do the hashes exist in the syscheck db for the manager?
>> >>
>> >> > Thanks
>> >> >
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> >> > For more options, visit https://groups.google.com/d/optout.
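As an added example that is not part of the thread: a small parser for the syscheck db entries and the syslog alert quoted above, checking the two things dan points at (each db snapshot carries an MD5/SHA1 pair; the syslog copy of the rule 550 alert carries none). The names of the four numeric fields (size, perms, uid, gid) are an assumption based on the OSSEC syscheck db layout, and the sample lines are constructed from the entries in the thread.

```python
import re
from collections import defaultdict
# Entry layout as quoted in the thread: <3 flag chars><size>:<perms>:<uid>:<gid>:<md5>:<sha1> !<epoch> <path>
# (names of the four numeric fields are an assumption based on the OSSEC syscheck db layout)
SYSCHECK_RE = re.compile(
    r"^(?P<flags>.{3})(?P<size>\d+):(?P<perms>\d+):(?P<uid>\d+):(?P<gid>\d+):"
    r"(?P<md5>[0-9a-f]{32}):(?P<sha1>[0-9a-f]{40}) !(?P<epoch>\d+) (?P<path>.+)$"
)
HASH_RE = re.compile(r"\b(?:[0-9a-f]{32}|[0-9a-f]{40})\b")  # MD5 = 32 hex chars, SHA1 = 40
# Constructed sample data, copied from the db entries and the syslog alert quoted above.
XEL = r"C:\Program Files/Microsoft SQL Server/MSSQL11.APPS/MSSQL/Log/system_health_0_130655447155770000.xel"
H = "f5679adb3c830f61d8fed1c287d42e62:5546733b9afdb2a403c8e58f85c74af2739ddb58"
SAMPLE_DB = [
    f"#++0:33206:0:0:{H} !1421093166 {XEL}",
    f"#++312832:33206:0:0:{H} !1421129146 {XEL}",
    f"#!+465920:33206:0:0:{H} !1421165040 {XEL}",
    f"!!!619520:33206:0:0:{H} !1421201008 {XEL}",
]
SAMPLE_ALERT = ("Jan 13 07:05:46 a.b.c.d ossec: Alert Level: 7; Rule: 550 - Integrity checksum changed.; "
                f"Location: (hostname) a.b.c.d->syscheck; Integrity checksum changed for: '{XEL}'")

def parse_syscheck_line(line):
    """Split one syscheck db entry into its fields; None if the line does not match."""
    m = SYSCHECK_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("size", "perms", "uid", "gid", "epoch"):
        d[k] = int(d[k])
    return d

def hash_history(lines):
    """Per path, compare consecutive snapshots: did the size change, did the hashes change?"""
    by_path = defaultdict(list)
    for line in lines:
        e = parse_syscheck_line(line)
        if e:
            by_path[e["path"]].append(e)
    report = {}
    for path, entries in sorted(by_path.items()):
        entries.sort(key=lambda e: e["epoch"])
        report[path] = [
            {"epoch": cur["epoch"],
             "size_changed": prev["size"] != cur["size"],
             "hash_changed": (prev["md5"], prev["sha1"]) != (cur["md5"], cur["sha1"])}
            for prev, cur in zip(entries, entries[1:])
        ]
    return report

def alert_has_hashes(alert_text):  # True when an alert (alerts.log or its syslog copy) still carries a hash
    return HASH_RE.search(alert_text) is not None
```

On the thread's own four entries the size changes at every snapshot while the MD5/SHA1 pair does not, and the syslog copy of the alert carries no hash at all, so alerts.log is the place to compare, as dan suggests.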
