Hi Chris,

It's really curious that Syscheck creates the diff file but doesn't send it. There should be no difference between configuring it in real-time or not.

I see that the diff file matches the actual change by the size difference. However, did you see any error in the /var/ossec/logs/ossec.log file that could be related to this issue? Anything like:

ERROR: Unable to generate diff alert.

Best regards.

On Thu, Feb 9, 2017 at 1:51 PM, Chris Decker <ch...@chris-decker.com> wrote:
> All,
>
> I have hundreds of machines that are (supposed to be) all configured exactly the same way via kickstarts and periodic Puppet runs. I've noticed that sometimes a Puppet push will modify a file across all of our machines, and the resulting syscheck notifications are a mixed bag - some have the report_change included (the *diff*), and others generate an alert but lack the report_change details.
>
> I'm scratching my head trying to figure out why it's working on some and not others. Below are some details on a machine where report_change is failing:
>
> *OSSEC Agent Version:*
>
> ossec-hids-agent-2.9.0-48.el6.art.x86_64
> ossec-hids-2.9.0-48.el6.art.x86_64
>
> *inotify-tools Version:*
>
> rpm -qa | grep -i inotify
> inotify-tools-3.14-1.el6.x86_64
>
> *E-mail Notification:*
>
> Received From: (removed) 1.2.3.4->syscheck
> Rule: 102907 fired (level 7) -> "File integrity changed, likely security relevant"
> Portion of the log(s):
>
> Integrity checksum changed for: '/etc/security/limits.conf'
> Size changed from '1885' to '1927'
> Old md5sum was: 'a639c5c0ea72bcb59c6a1379f6baa797'
> New md5sum is : '301d246e310c78c2c76ef69cdefe00d1'
> Old sha1sum was: '579006cf4e04899e05ff7812dc6a6c17500753fb'
> New sha1sum is : '714e5ffa5da1b684d0d591b5a822460b8c8ba4c3'
>
> *OSSEC Manager syscheck_control Output:*
>
> /var/ossec/bin/syscheck_control -i 2337 -f /etc/security/limits.conf
>
> Integrity changes for agent 'removed (2337) - 1.2.3.4':
> Detailed information for entries matching: '/etc/security/limits.conf'
>
> 2017 Jan 31 12:55:42,0 - /etc/security/limits.conf
> File added to the database.
> Integrity checking values:
> Size: 1885
> Perm: rw-r--r--
> Uid: 0
> Gid: 0
> Md5: a639c5c0ea72bcb59c6a1379f6baa797
> Sha1: 579006cf4e04899e05ff7812dc6a6c17500753fb
>
> 2017 Feb 09 15:51:49,0 - /etc/security/limits.conf
> File changed. - 1st time modified.
> Integrity checking values:
> Size: 1927
> Perm: rw-r--r--
> Uid: 0
> Gid: 0
> Md5: 301d246e310c78c2c76ef69cdefe00d1
> Sha1: 714e5ffa5da1b684d0d591b5a822460b8c8ba4c3
>
> *The logs on the Agent do show that real-time monitoring was started prior to this change…*
>
> 2017/02/07 20:56:23 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
> …
> 2017/02/07 21:30:07 ossec-syscheckd: INFO: Real time file monitoring started.
>
> *Strangely enough, the diff file does exist on the filesystem for this machine:*
>
> cat /var/ossec/queue/diff/local/etc/security/limits.conf/diff.1486673498
> 52a53,54
> > * soft stack 10240
> > * hard stack unlimited
>
> # 1486673498 converts to Thursday February 09, 2017 15:51:38 (pm)
>
> *As far as I can tell my agent.conf is correct (and remember I use this agent.conf across hundreds of nodes):*
>
> <agent_config os="Linux">
> <syscheck>
> <auto_ignore>no</auto_ignore>
> <frequency>79200</frequency>
>
> <directories realtime="yes" report_changes="yes" check_all="yes">/etc</directories>
> </syscheck>
> …
>
> *Permissions of /var/ossec/tmp:*
>
> ls -ld /var/ossec/tmp/
> dr-xr-x--- 2 root ossec 4096 Feb 9 16:27 /var/ossec/tmp/
>
> Any thoughts on what could be causing this?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.
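The two checks the reply asks for (does the stored diff file account for the reported size change, and does ossec.log record a failed diff alert) can be scripted so they are run the same way on every host. The script below is an added example, not code from this thread or from the OSSEC project. It assumes the alert wording shown in the thread, the queue/diff/local/<monitored path>/diff.<epoch> layout of the diff directory, and the "Unable to generate diff alert" error string; the sample alert, diff file and log excerpt are constructed from the values posted above (the ERROR log line is hypothetical sample data).

```python
"""Triage an OSSEC syscheck alert whose report_changes diff did not arrive."""
import os
import re
import tempfile
from datetime import datetime, timezone

# Error string the reply suggests looking for in /var/ossec/logs/ossec.log.
DIFF_ERROR_MARKER = "Unable to generate diff alert"

# Constructed from the alert quoted in the thread.
SAMPLE_ALERT = """\
Integrity checksum changed for: '/etc/security/limits.conf'
Size changed from '1885' to '1927'
Old md5sum was: 'a639c5c0ea72bcb59c6a1379f6baa797'
New md5sum is : '301d246e310c78c2c76ef69cdefe00d1'
Old sha1sum was: '579006cf4e04899e05ff7812dc6a6c17500753fb'
New sha1sum is : '714e5ffa5da1b684d0d591b5a822460b8c8ba4c3'
"""

# Constructed from the diff file quoted in the thread (normal diff format).
SAMPLE_DIFF = "52a53,54\n> * soft stack 10240\n> * hard stack unlimited\n"
SAMPLE_DIFF_EPOCH = 1486673498

# Constructed ossec.log excerpt; the ERROR line is hypothetical sample data.
SAMPLE_LOG = """\
2017/02/07 21:30:07 ossec-syscheckd: INFO: Real time file monitoring started.
2017/02/09 15:51:38 ossec-syscheckd: ERROR: Unable to generate diff alert.
"""

_FIELDS = {
    "path": re.compile(r"Integrity checksum changed for: '([^']+)'"),
    "old_md5": re.compile(r"Old md5sum was: '([0-9a-f]{32})'"),
    "new_md5": re.compile(r"New md5sum is : '([0-9a-f]{32})'"),
    "old_sha1": re.compile(r"Old sha1sum was: '([0-9a-f]{40})'"),
    "new_sha1": re.compile(r"New sha1sum is : '([0-9a-f]{40})'"),
}
_SIZE = re.compile(r"Size changed from '(\d+)' to '(\d+)'")


def parse_syscheck_alert(text):
    """Extract path, sizes and hashes from a syscheck 'checksum changed' alert."""
    info = {}
    for key, rx in _FIELDS.items():
        m = rx.search(text)
        if m:
            info[key] = m.group(1)
    m = _SIZE.search(text)
    if m:
        info["old_size"], info["new_size"] = int(m.group(1)), int(m.group(2))
    return info


def diff_byte_delta(diff_text):
    """Net bytes added by a normal-format diff ('> ' added, '< ' removed).

    Content lines count with their trailing newline; hunk headers such as
    '52a53,54' and the '---' separator carry no file bytes.
    """
    delta = 0
    for line in diff_text.splitlines():
        if line.startswith("> "):
            delta += len(line) - 2 + 1
        elif line.startswith("< "):
            delta -= len(line) - 2 + 1
    return delta


def find_diff_files(queue_root, monitored_path):
    """List (epoch, path) for diff.<epoch> files under queue/diff/local/<path>."""
    diff_dir = os.path.join(queue_root, "local", monitored_path.lstrip("/"))
    found = []
    if os.path.isdir(diff_dir):
        for name in os.listdir(diff_dir):
            if name.startswith("diff.") and name[5:].isdigit():
                found.append((int(name[5:]), os.path.join(diff_dir, name)))
    return sorted(found)


def diff_errors(log_text):
    """Return ossec.log lines that report a failed report_changes diff."""
    return [line for line in log_text.splitlines() if DIFF_ERROR_MARKER in line]


def triage(alert_text, queue_root, log_text):
    """Cross-check the alert, the stored diff file(s) and the agent log."""
    alert = parse_syscheck_alert(alert_text)
    diffs = find_diff_files(queue_root, alert["path"])
    result = {"alert": alert, "diff_files": diffs, "errors": diff_errors(log_text),
              "latest_diff_matches_size": False}
    if diffs and "new_size" in alert:
        epoch, path = diffs[-1]
        with open(path) as fh:
            delta = diff_byte_delta(fh.read())
        result["latest_diff_time"] = datetime.fromtimestamp(epoch, timezone.utc).isoformat()
        result["latest_diff_matches_size"] = delta == alert["new_size"] - alert["old_size"]
    return result


def build_sample_queue():
    """Create a temporary queue/diff tree holding the constructed diff file."""
    root = tempfile.mkdtemp(prefix="ossec-diff-")
    d = os.path.join(root, "local", "etc", "security", "limits.conf")
    os.makedirs(d)
    with open(os.path.join(d, "diff.%d" % SAMPLE_DIFF_EPOCH), "w") as fh:
        fh.write(SAMPLE_DIFF)
    return root


if __name__ == "__main__":
    # On a real agent, pass /var/ossec/queue/diff and the contents of ossec.log.
    summary = triage(SAMPLE_ALERT, build_sample_queue(), SAMPLE_LOG)
    for key, value in summary.items():
        print("%-26s %s" % (key, value))
```

For the values in the thread the diff adds 42 bytes (two lines plus their newlines), exactly the 1885 to 1927 growth, which is the consistency the reply points out; a mismatch would indicate the diff on disk is not the one the alert describes, and any line returned by diff_errors is the log evidence the reply asks about.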