We have been using ossec 2.8.2 for about 5 years now to monitor an array of 25 servers in various locations without problems, until... May 19, around 2 weeks ago.
Since then, per the subject line, we have seen no updates at all in the 'Latest modified files (for all agents)'. The last entries there are for May 19, then nothing after that. Normally there is a list of file changes most days as you might expect.

However:

- All of the agents continue to report in (the 'Main' tab shows a last keep alive in the last few minutes for all agents)
- Latest events shows a steady stream of current entries, so we're confident that the agents are talking to the manager
- Analogi shows a graphical analysis of recent events - but excluding any file checksum change events

All systems (except for a couple of Windows machines) are running Ubuntu or Debian.

We have tried restarting the Manager processes (many times), and also one local agent that we can easily monitor closely.

We tried this process <https://ossec-docs.readthedocs.io/en/latest/faq/syscheck.html#how-do-i-stop-syscheck-alerts-during-system-updates> to empty and recreate the syscheck file for that one agent, and it successfully recreates the syscheck file for that agent but with only 2 entries, but still I do not see anything in the 'Latest modified files (for all agents)'.

That two-entry result sounds like this issue <https://ossec-docs.readthedocs.io/en/latest/faq/syscheck.html#syscheck-not-sending-any-file-data-to-the-server>, except the OS and version are different there.

To answer the obvious question, we cannot find anything relevant that changed around that May 19 time, and for example I have done a find for ossec manager config files modified at that time or after - there are none (we do occasionally make edits to the configuration obviously).

To my eyes the manager logs do not show any messages related to our problem.

I am at a loss to know where to suggest we turn next in terms of debugging, and I would hugely appreciate any advice on where to look next for hints as to what our problem might be.

Thank you so much in advance!