I have reproduced your configuration on my labs, rootcheck is not starting again. Could you re-verify that agent.conf file is right on your agent?
On Thursday, April 14, 2016 at 2:38:47 PM UTC+2, eyal gershon wrote: > > 2016/04/14 06:03:17 ossec-rootcheck: INFO: Started (pid: 30101). > 2016/04/14 06:06:05 ossec-rootcheck: INFO: Starting rootcheck scan. > 2016/04/14 06:06:05 ossec-rootcheck: No rootcheck_files file configured. > 2016/04/14 06:06:05 ossec-rootcheck: No rootcheck_trojans file configured. > 2016/04/14 06:17:38 ossec-rootcheck: INFO: Ending rootcheck scan. > > The start of the scan is right after the restart of the ossed-hids restart > from the original post > > On Thursday, April 14, 2016 at 2:57:36 PM UTC+3, dan (ddpbsd) wrote: >> >> On Thu, Apr 14, 2016 at 6:27 AM, eyal gershon <gersh...@gmail.com> >> wrote: >> > Hey, >> > >> > I tried to disabled the rootcheck on one of the servers. >> > I have added the following line to the agent.conf file - >> > >> > <rootcheck> >> > <disabled>yes</disabled> >> > </rootcheck> >> > >> > and after I am restarting the service I get the following output - >> > Starting ossec-hids: 2016/04/14 06:16:27 ossec-rootcheck: Rootcheck >> > disabled. Exiting. >> > ossec-syscheckd: WARN: Rootcheck module disabled. >> > >> > and a few min later I see in the logs that the rootcheck is running >> again. >> > any one have an idea why did I miss? >> > >> >> Which log messages are you seeing specifically? >> >> > -- >> > >> > --- >> > You received this message because you are subscribed to the Google >> Groups >> > "ossec-list" group. >> > To unsubscribe from this group and stop receiving emails from it, send >> an >> > email to ossec-list+...@googlegroups.com. >> > For more options, visit https://groups.google.com/d/optout. >> > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.