Hi,

I've been having an issue where OSSEC is not sending the checksum data in 
the syslog alerts. Below is an example of what I am seeing (alerts log). 
This doesn't happen all the time but has been becoming more and more of an 
issue:


2017 May 05 17:42:37 (me.me.com) any->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed'
Integrity checksum changed for: '/home/testuser/test.txt'
Size changed from '2560' to '35292'




However, looking at the file with 'syscheck_control', you can see that it 
captured the checksums:

/var/ossec/bin/syscheck_control -i xxxx -f /home/testuser/test.txt

2017 May 05 17:42:37,2 - /home/testuser/test.txt
File changed. - 2nd time modified.
Integrity checking values:
   Size: >35292
   Perm: rw-r--r--
   Uid:  5004
   Gid:  5003
   Md5:  a76ea51c577dce4946efc621b3d7ac17
   Sha1: 74e82b2399f36d465a541e54a977a9b062b58c67


Has anyone ever seen this before?

agent.conf entry:

<directories check_all="yes" realtime="yes">/home/testuser</directories> 

Thanks!




