I checked the logs again -

2016/04/16 18:37:27 ossec-rootcheck: INFO: Starting rootcheck scan.
2016/04/16 18:37:27 ossec-rootcheck: No rootcheck_files file configured.
2016/04/16 18:37:27 ossec-rootcheck: No rootcheck_trojans file configured.
2016/04/16 18:45:52 ossec-rootcheck: INFO: Ending rootcheck scan.

The log says the check did run. Is there another configuration file I might be missing?

On Friday, April 15, 2016 at 3:08:23 PM UTC+3, Pedro S wrote:
> I have reproduced your configuration on my labs, rootcheck is not starting
> again. Could you re-verify that agent.conf file is right on your agent?
>
> On Thursday, April 14, 2016 at 2:38:47 PM UTC+2, eyal gershon wrote:
>> 2016/04/14 06:03:17 ossec-rootcheck: INFO: Started (pid: 30101).
>> 2016/04/14 06:06:05 ossec-rootcheck: INFO: Starting rootcheck scan.
>> 2016/04/14 06:06:05 ossec-rootcheck: No rootcheck_files file configured.
>> 2016/04/14 06:06:05 ossec-rootcheck: No rootcheck_trojans file configured.
>> 2016/04/14 06:17:38 ossec-rootcheck: INFO: Ending rootcheck scan.
>>
>> The start of the scan is right after the restart of the ossec-hids
>> restart from the original post
>>
>> On Thursday, April 14, 2016 at 2:57:36 PM UTC+3, dan (ddpbsd) wrote:
>>> On Thu, Apr 14, 2016 at 6:27 AM, eyal gershon <gersh...@gmail.com> wrote:
>>> > Hey,
>>> >
>>> > I tried to disable the rootcheck on one of the servers.
>>> > I have added the following lines to the agent.conf file -
>>> >
>>> > <rootcheck>
>>> >   <disabled>yes</disabled>
>>> > </rootcheck>
>>> >
>>> > and after I restart the service I get the following output -
>>> > Starting ossec-hids: 2016/04/14 06:16:27 ossec-rootcheck: Rootcheck disabled. Exiting.
>>> > ossec-syscheckd: WARN: Rootcheck module disabled.
>>> >
>>> > and a few min later I see in the logs that the rootcheck is running again.
>>> > Does anyone have an idea what I missed?
>>>
>>> Which log messages are you seeing specifically?