On Tue, May 9, 2017 at 11:13 AM, <ptob...@gmail.com> wrote:
> Hi,
>
> I've been having an issue where OSSEC is not sending the checksum data in
> the syslog alerts. Below is an example of what I am seeing (alerts log).
> This doesn't happen all the time but has been becoming more and more of an
> issue:
>
> 2017 May 05 17:42:37 (me.me.com) any->syscheck
> Rule: 550 (level 7) -> 'Integrity checksum changed'
> Integrity checksum changed for: '/home/testuser/test.txt'
> Size changed from '2560' to '35292'
>
> However, looking at the file with 'syscheck_control', you can see that it
> captured the checksums:
>
> /var/ossec/bin/syscheck_control -i xxxx -f /home/testuser/test.txt
>
> 2017 May 05 17:42:37,2 - /home/testuser/test.txt
> File changed. - 2nd time modified.
> Integrity checking values:
> Size: >35292
> Perm: rw-r--r--
> Uid: 5004
> Gid: 5003
> Md5: a76ea51c577dce4946efc621b3d7ac17
> Sha1: 74e82b2399f36d465a541e54a977a9b062b58c67
>
> Has anyone ever seen this before?
>
> agent.conf entry:
>
> <directories check_all="yes" realtime="yes">/home/testuser</directories>
>
> Thanks!
>

I don't use the syslog output much, so I have never seen this. Are the syslog messages with the missing data long messages? There is a size limit to the message size (1024 bytes maybe?).

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.