I'm confused. I have a working agentless setup for my 1 test node, but I am 
not seeing any data in logs/alerts/alerts.log indicating that an alert was 
triggered when I modify files that are being integrity checked.

The stanza in the manager's ossec.conf (then I restarted ossec of course):

<agentless>
    <type>ssh_integrity_check_linux</type>
    <frequency>30</frequency>
    <host>use_sudo admin@agentless-test-rh6</host>
    <state>periodic</state>
    <arguments>/var/www</arguments>
</agentless>
On the remote host, I change the contents of a monitored file:

[root@agentless-test-rh6 log]# echo eoweho34rt34 > /var/www/html/new.txt
[root@agentless-test-rh6 log]#
I see agentlessd do its thing as reported in logs/ossec.log:

2015/02/23 15:50:18 ossec-agentlessd: INFO: ssh_integrity_check_linux: admin@agentless-test-rh6: Login seems okay
2015/02/23 15:50:18 ossec-agentlessd: INFO: ssh_integrity_check_linux: admin@agentless-test-rh6: use_sudo specified and 'sudo sh;' worked.
2015/02/23 15:50:18 ossec-agentlessd: INFO: ssh_integrity_check_linux: admin@agentless-test-rh6: Arguments: /var/www
2015/02/23 15:50:18 ossec-agentlessd: INFO: ssh_integrity_check_linux: admin@agentless-test-rh6: Starting.
2015/02/23 15:50:18 ossec-agentlessd: INFO: ssh_integrity_check_linux: admin@agentless-test-rh6: Finished.
Yet:

root@ossec:/var/ossec/logs# grep agentless-test-rh6 alerts/alerts.log
root@ossec:/var/ossec/logs#


If I change the contents of the monitored file again and run 
ssh_integrity_check_linux by hand, I see this and can confirm the hash 
being reported here has in fact changed and that the script is doing its 
work:

root@ossec:/var/ossec# sudo -u ossec agentless/ssh_integrity_check_linux use_sudo admin@agentless-test-rh6 /var/www

...
FWD: 18:600:0:0:2b7c78d8e06d2bf9c141140d08def55b:172e523b4603eecd3d18aa1d68bd4811077339fb /var/www/html/new.txt
FWD: 584:600:0:0:ab8c863437db6318a3b5a9f98a0dac76:91b00d2b0f00dea53daf063e500df2bb4c1050d7 /var/www/html/index.html
...


Any thoughts on why there's no alert recorded? I have no trouble getting 
hash change alerts from hosts that are running the agents.
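Not part of the post: an added Python sketch of what the manager has to do with that FWD: output, parsing two runs of the script and reporting which entries changed. My reading of the six colon-separated fields as size, permissions, uid, gid, md5 and sha1 is an assumption taken from the lines above, not something the post documents; the 'before' hashes in the sample are made up.

```python
import re

# One FWD: line as printed by ssh_integrity_check_linux. The field order
# size:perm:uid:gid:md5:sha1 path is an assumption inferred from the post.
FWD_RE = re.compile(
    r"^FWD:\s*(\d+):(\d+):(\d+):(\d+):([0-9a-f]{32}):([0-9a-f]{40})\s+(\S.*)$"
)

def parse_snapshot(output):
    """Map path -> attribute dict for every well-formed FWD: line.
    Banners, shell prompts and '...' lines are ignored."""
    snap = {}
    for line in output.splitlines():
        m = FWD_RE.match(line.strip())
        if m:
            size, perm, uid, gid, md5, sha1, path = m.groups()
            snap[path] = {"size": int(size), "perm": perm, "uid": uid,
                          "gid": gid, "md5": md5, "sha1": sha1}
    return snap

def diff_snapshots(old, new):
    """Return sorted (path, change) pairs: new file, deleted file,
    checksum change, or a change in size/permissions/ownership only."""
    changes = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            changes.append((path, "added"))
        elif path not in new:
            changes.append((path, "deleted"))
        elif (old[path]["md5"], old[path]["sha1"]) != (new[path]["md5"], new[path]["sha1"]):
            changes.append((path, "checksum changed"))
        elif old[path] != new[path]:
            changes.append((path, "metadata changed"))
    return changes

# Constructed sample: a first run, then a run after new.txt was rewritten
# (the 'after' hashes are the ones in the post; the 'before' ones are made up)
# and index.html had its mode changed.
BEFORE = """\
FWD: 13:600:0:0:0123456789abcdef0123456789abcdef:0123456789abcdef0123456789abcdef01234567 /var/www/html/new.txt
FWD: 584:600:0:0:ab8c863437db6318a3b5a9f98a0dac76:91b00d2b0f00dea53daf063e500df2bb4c1050d7 /var/www/html/index.html
"""
AFTER = """\
FWD: 18:600:0:0:2b7c78d8e06d2bf9c141140d08def55b:172e523b4603eecd3d18aa1d68bd4811077339fb /var/www/html/new.txt
FWD: 584:644:0:0:ab8c863437db6318a3b5a9f98a0dac76:91b00d2b0f00dea53daf063e500df2bb4c1050d7 /var/www/html/index.html
"""

if __name__ == "__main__":
    for path, change in diff_snapshots(parse_snapshot(BEFORE), parse_snapshot(AFTER)):
        print(f"{change}: {path}")
```

If a run like this shows a checksum change but nothing lands in alerts.log, the gap is between agentlessd's state comparison and the alert pipeline, not in the script itself.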
