On Mon, Oct 17, 2016 at 2:46 PM, Sunny Day <t425...@gmail.com> wrote:

> > I have roughly 120 clients reporting to one server. I see frequent
> > occasions where new or changed files (sometimes with realtime enabled,
> > sometimes not) seem to be reported by syscheck days, weeks, or even months
> > after they were known to be added or modified.
>
> Is there a specific directory or area of the file system that is
> exhibiting these issues?

I don't have enough data to say, but I will try to find a pattern. I do most often see it in /usr and /lib, but that may simply be because that's where most file changes occur during updates. Those directories do not have realtime checking enabled.

> How big is the syscheck db for the agents with this issue?

At the time you asked, each file was around 40 to 50MB.

> Could you try clearing the db and running a new baseline?

I have done this, as of Oct. 20. I did:

/var/ossec/bin/syscheck_control -u all

then

/var/ossec/bin/agent_control -r -a

That was also done on the 20th sometime. It looks like syscheck's reports are still decidedly asynchronous by at least days. One example from today's logs:

/var/ossec/logs/archives/archives.log:2016 Oct 24 07:34:57 (sample.client) 172.21.255.111 >syscheck New file '/usr/src/linux-headers-3.13.0-98-generic/include/config/edac.h' added to the file system.

That file was added to the system on October 11. Even if it's expected that it would be reported as new after I cleared the databases on the 20th, I would not expect it to take four days to record.

I checked ossec.log* on this client, and syscheck is completing cleanly and reliably twice a day, as expected.
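One way to quantify the lag the post describes, as an added example and not code from the post or from the OSSEC project: parse the archives.log "New file" lines in the format quoted above and compare each report time with the file's modification time. The regex is derived from the one quoted line, the second log line and all mtimes are constructed; on a real agent you would build the mtime map from os.stat.

```python
import re
from datetime import datetime

# Matches the archives.log line quoted in the post, optionally prefixed by a
# grep-style "filename:", and tolerates both "->syscheck" and " >syscheck".
SYSCHECK_NEW_RE = re.compile(
    r"^(?:\S+?:)?(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\((?P<agent>[^)]+)\) (?P<ip>\S+?)\s*-?>syscheck "
    r"New file '(?P<path>[^']+)' added to the file system\."
)


def parse_syscheck_new_file(line):
    """Return a dict for a syscheck 'New file' event, or None for other lines."""
    m = SYSCHECK_NEW_RE.match(line.strip())
    if not m:
        return None
    return {
        "reported": datetime.strptime(m.group("ts"), "%Y %b %d %H:%M:%S"),
        "agent": m.group("agent"),
        "ip": m.group("ip"),
        "path": m.group("path"),
    }


def lag_days(event, mtime):
    """Days between the file's modification time and syscheck reporting it."""
    return (event["reported"] - mtime).total_seconds() / 86400.0


def late_reports(lines, mtimes, threshold_days=1.0):
    """Yield (event, lag) for files reported more than threshold_days after
    their mtime. mtimes maps path -> datetime (constructed here; on an agent
    fill it with datetime.fromtimestamp(os.stat(path).st_mtime))."""
    for line in lines:
        ev = parse_syscheck_new_file(line)
        if ev is None or ev["path"] not in mtimes:
            continue
        lag = lag_days(ev, mtimes[ev["path"]])
        if lag > threshold_days:
            yield ev, lag


# Constructed sample: the line quoted in the post plus a promptly reported file.
HDR = "/usr/src/linux-headers-3.13.0-98-generic/include/config/"
SAMPLE_LOG = [
    "/var/ossec/logs/archives/archives.log:2016 Oct 24 07:34:57 (sample.client) "
    "172.21.255.111->syscheck New file '" + HDR + "edac.h' added to the file system.",
    "2016 Oct 24 07:35:02 (sample.client) 172.21.255.111->syscheck New file '"
    + HDR + "example.h' added to the file system.",
]
# Constructed mtimes: the post says edac.h was added on October 11.
SAMPLE_MTIMES = {HDR + "edac.h": datetime(2016, 10, 11, 12, 0, 0),
                 HDR + "example.h": datetime(2016, 10, 24, 7, 0, 0)}
```

Running `late_reports(SAMPLE_LOG, SAMPLE_MTIMES)` flags only edac.h, at roughly 12.8 days of lag; pointing it at a real archives.log and a stat-built mtime map shows which paths and agents are affected.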