Hi Eyal, try setting syscheck.debug=2 in the internal_options.conf file. It looks like there are some rootchecks that still run unless you set those to no, like check_pids, check_dev, check_ports, ... see more info at:
On Mon, Apr 18, 2016 at 12:13 PM, <joe.cosgr...@wazuh.com> wrote:
> Interesting... that should be the only config that you need to update in
> order to disable the root check. I tried it in my lab and disabled it
> properly as well.
>
> On Sunday, April 17, 2016 at 4:56:15 AM UTC-4, eyal gershon wrote:
>> I checked the logs again -
>>
>> 2016/04/16 18:37:27 ossec-rootcheck: INFO: Starting rootcheck scan.
>> 2016/04/16 18:37:27 ossec-rootcheck: No rootcheck_files file configured.
>> 2016/04/16 18:37:27 ossec-rootcheck: No rootcheck_trojans file configured.
>> 2016/04/16 18:45:52 ossec-rootcheck: INFO: Ending rootcheck scan.
>>
>> The log says the check did run.
>> Is there another configuration file I might be missing?
>>
>> On Friday, April 15, 2016 at 3:08:23 PM UTC+3, Pedro S wrote:
>>> I have reproduced your configuration in my labs; rootcheck is not
>>> starting again. Could you re-verify that the agent.conf file is right on
>>> your agent?
>>>
>>> On Thursday, April 14, 2016 at 2:38:47 PM UTC+2, eyal gershon wrote:
>>>> 2016/04/14 06:03:17 ossec-rootcheck: INFO: Started (pid: 30101).
>>>> 2016/04/14 06:06:05 ossec-rootcheck: INFO: Starting rootcheck scan.
>>>> 2016/04/14 06:06:05 ossec-rootcheck: No rootcheck_files file configured.
>>>> 2016/04/14 06:06:05 ossec-rootcheck: No rootcheck_trojans file configured.
>>>> 2016/04/14 06:17:38 ossec-rootcheck: INFO: Ending rootcheck scan.
>>>>
>>>> The start of the scan is right after the ossec-hids restart from the
>>>> original post.
>>>>
>>>> On Thursday, April 14, 2016 at 2:57:36 PM UTC+3, dan (ddpbsd) wrote:
>>>>> On Thu, Apr 14, 2016 at 6:27 AM, eyal gershon <gersh...@gmail.com> wrote:
>>>>> > Hey,
>>>>> >
>>>>> > I tried to disable the rootcheck on one of the servers.
>>>>> > I have added the following lines to the agent.conf file -
>>>>> >
>>>>> > <rootcheck>
>>>>> >   <disabled>yes</disabled>
>>>>> > </rootcheck>
>>>>> >
>>>>> > and after I restart the service I get the following output -
>>>>> > Starting ossec-hids: 2016/04/14 06:16:27 ossec-rootcheck: Rootcheck disabled. Exiting.
>>>>> > ossec-syscheckd: WARN: Rootcheck module disabled.
>>>>> >
>>>>> > and a few min later I see in the logs that the rootcheck is running again.
>>>>> > Anyone have an idea what I missed?
>>>>>
>>>>> Which log messages are you seeing specifically?

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
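The two things the thread keeps circling back to are "is the `<rootcheck><disabled>yes</disabled>` block actually the one this agent reads?" and "does ossec.log show scans starting after the daemon said it was disabled?". The script below is an added diagnostic for exactly those two questions; it is not code from the ossec-list thread or from OSSEC/Wazuh. It assumes the OSSEC agent.conf layout of one or more top-level `<agent_config>` elements that may carry `name`, `os` or `profile` attributes restricting which agents they apply to; the filter matching implemented here (only `name` is compared, and a later matching block overrides an earlier one) is a simplification labelled as an assumption in the code. The sample agent.conf and log excerpt are constructed from the snippets quoted in the thread.

```python
"""Added diagnostic (not from the ossec-list thread or from OSSEC itself).

1. Parse agent.conf and report, per <agent_config> block, whether rootcheck
   is disabled and which agent filter (name/os/profile) that block carries.
   A <disabled>yes</disabled> living in a block whose filter does not match
   this agent does nothing for it.
2. Scan ossec.log text for "Starting rootcheck scan" entries that occur
   after the last "Rootcheck disabled. Exiting." line, the symptom reported
   in the thread.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample agent.conf, modelled on the snippet in the thread, plus a
# second block with a name filter to show how a non-matching block is reported.
SAMPLE_AGENT_CONF = """
<agent_config>
  <rootcheck>
    <disabled>yes</disabled>
  </rootcheck>
</agent_config>
<agent_config name="web-01">
  <rootcheck>
    <disabled>no</disabled>
  </rootcheck>
</agent_config>
"""

# Constructed log excerpt built from the lines quoted in the thread (the
# "Rootcheck disabled" line was printed to stdout there; here it is a log line).
SAMPLE_LOG = """\
2016/04/14 06:03:17 ossec-rootcheck: INFO: Started (pid: 30101).
2016/04/14 06:16:27 ossec-rootcheck: Rootcheck disabled. Exiting.
2016/04/16 18:37:27 ossec-rootcheck: INFO: Starting rootcheck scan.
2016/04/16 18:37:27 ossec-rootcheck: No rootcheck_files file configured.
2016/04/16 18:45:52 ossec-rootcheck: INFO: Ending rootcheck scan.
"""

# Timestamp and message of an ossec-rootcheck log line, as in the thread.
LOG_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-rootcheck: (.*)$")


def rootcheck_blocks(conf_text):
    """Return one (filter, disabled) tuple per <agent_config> block.

    agent.conf may hold several top-level <agent_config> elements, so the text
    is wrapped in a synthetic root before parsing. `filter` is the dict of
    name/os/profile attributes (empty dict = applies to every agent);
    `disabled` is True/False, or None when the block has no <rootcheck><disabled>.
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")
    result = []
    for block in root.findall("agent_config"):
        flt = {k: v for k, v in block.attrib.items() if k in ("name", "os", "profile")}
        node = block.find("rootcheck/disabled")
        disabled = None if node is None else (node.text or "").strip().lower() == "yes"
        result.append((flt, disabled))
    return result


def applies_to(flt, agent_name):
    """Simplified filter match (assumption): only the name attribute is compared."""
    return "name" not in flt or flt["name"] == agent_name


def rootcheck_disabled_for(conf_text, agent_name):
    """True if the last applicable block disables rootcheck for this agent.

    That a later matching block overrides an earlier one is an assumption of
    this illustration, not a statement about OSSEC's merge rules.
    """
    state = False
    for flt, disabled in rootcheck_blocks(conf_text):
        if applies_to(flt, agent_name) and disabled is not None:
            state = disabled
    return state


def scans_after_disable(log_text):
    """Timestamps of scans that started after the last 'Rootcheck disabled' line.

    Returns [] when the log never reports rootcheck as disabled, because then
    a scan is simply rootcheck doing its job, not the anomaly from the thread.
    """
    last_disabled = None
    scans = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, msg = m.groups()
        if msg.startswith("Rootcheck disabled"):
            last_disabled = ts
            scans = []  # scans before the disable message are expected
        elif "Starting rootcheck scan" in msg:
            scans.append(ts)
    return scans if last_disabled is not None else []


if __name__ == "__main__":
    for flt, disabled in rootcheck_blocks(SAMPLE_AGENT_CONF):
        print(f"block filter={flt or 'all agents'} rootcheck disabled={disabled}")
    print("disabled for web-01:", rootcheck_disabled_for(SAMPLE_AGENT_CONF, "web-01"))
    print("scans after disable:", scans_after_disable(SAMPLE_LOG))
```

Run it against the real files (`/var/ossec/etc/shared/agent.conf` on the manager and `/var/ossec/logs/ossec.log` on the agent) by swapping the two constructed strings for the file contents; a non-empty list from `scans_after_disable` with `rootcheck_disabled_for` returning True for the agent's name is the situation described in the thread, and a False from `rootcheck_disabled_for` points at a filter mismatch in agent.conf rather than at the daemon.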