Re: [ossec-list] syscheck error

2018-04-23 Thread dan (ddp)
On Mon, Apr 23, 2018 at 6:34 PM, Cooper Graf  wrote:
> Haha hmm. So any idea why it's throwing an error for me? Is a new release
> slated to come out soon?
>

It's supposed to be soon; I'll have to prod the release manager.
It happens in glob() somewhere, but I haven't looked at it further
than that yet.

> On Mon, Apr 23, 2018 at 4:29 PM dan (ddp)  wrote:
>>
>> On Mon, Apr 23, 2018 at 6:26 PM, dan (ddp)  wrote:
>> > On Mon, Apr 23, 2018 at 6:05 PM, Cooper Graf 
>> > wrote:
>> >> Is there documentation that explains what a glob is? This worked fine
>> >> with
>> >> 2.7.
>> >>
>> >
>> > I don't think so. I just tried it on a 3.x system and didn't get the
>> > error. Still waiting on results to see if it checks properly.
>> >
>> >   
>> > 
>> > 1800
>> > no
>> >
>> > 
>> > /etc,/usr/bin,/usr/sbin
>> > /bin,/sbin,/boot
>> > /var/test
>> > /var/test2
>> > /home/*/.ssh
>> >
>> > ix# grep home /var/ossec/logs/ossec.log
>> > 2018/04/23 18:20:17 ossec-syscheckd: INFO: Monitoring directory:
>> > '/home/ansible/.ssh', with options perm | size | owner | group |
>> > md5sum | sha256sum.
>> > 2018/04/23 18:20:17 ossec-syscheckd: INFO: Monitoring directory:
>> > '/home/ddp/.ssh', with options perm | size | owner | group | md5sum |
>> > sha256sum.
>> > 2018/04/23 18:20:17 ossec-syscheckd: INFO: Monitoring directory:
>> > '/home/ddpbsd/.ssh', with options perm | size | owner | group | md5sum
>> > | sha256sum.
>> >
>>
>> Hit send too early, the files were successfully checked and catalogued
>> on this system.
>>
>> >
>> > And on a slightly older agent:
>> >   
>> > 
>> > 79200
>> >
>> > 
>> > /etc,/usr/bin,/usr/sbin
>> > /bin,/sbin,/boot
>> > /home/*/.ssh
>> >
>> > root@kaitain:~# grep 'home' /var/ossec/logs/ossec.log
>> > 2018/04/23 18:25:15 ossec-syscheckd: INFO: Monitoring directory:
>> > '/home/ansible/.ssh', with options perm | size | owner | group |
>> > md5sum | sha1sum.
>> > 2018/04/23 18:25:15 ossec-syscheckd: INFO: Monitoring directory:
>> > '/home/checker/.ssh', with options perm | size | owner | group |
>> > md5sum | sha1sum.
>> >
>> >
>> >> On Mon, Apr 23, 2018 at 12:53 PM dan (ddp)  wrote:
>> >>>
>> >>>
>> >>>
>> >>> On Mon, Apr 16, 2018 at 2:08 PM, Cooper  wrote:
>> 
>>  I am getting the following error from syscheckd when starting up
>>  OSSEC
>>  2.9.3:
>> 
>>  2018/04/16 13:01:14 ossec-analysisd: INFO: Reading rules file:
>>  'sshd_rules.xml'
>>  2018/04/16 13:01:14 ossec-syscheckd(1121): ERROR: Glob error. Invalid
>>  pattern: '/home/*/.ssh'.
>>  2018/04/16 13:04:35 ossec-analysisd: INFO: Reading rules file:
>>  'sshd_rules.xml'
>>  2018/04/16 13:04:35 ossec-syscheckd(1121): ERROR: Glob error. Invalid
>>  pattern: '/home/*/.ssh/'.
>> 
>>  Inside of my ossec.conf file, I have this line, which seems to be
>>  generating the error:
>> 
>>  /home/*/.ssh/
>> 
>>  Any idea what is invalid about that pattern?
>> 
>>  --
>> >>>
>> >>>
>> >>> I don't think globs are valid in the syscheck configuration.
>> >>>
>> >>>
>> 
>> 
>>  ---
>>  You received this message because you are subscribed to the Google
>>  Groups
>>  "ossec-list" group.
>>  To unsubscribe from this group and stop receiving emails from it,
>>  send an
>>  email to ossec-list+unsubscr...@googlegroups.com.
>>  For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] syscheck error

2018-04-23 Thread Cooper Graf
Haha hmm. So any idea why it's throwing an error for me? Is a new release
slated to come out soon?

On Mon, Apr 23, 2018 at 4:29 PM dan (ddp)  wrote:

> On Mon, Apr 23, 2018 at 6:26 PM, dan (ddp)  wrote:
> > On Mon, Apr 23, 2018 at 6:05 PM, Cooper Graf 
> wrote:
> >> Is there documentation that explains what a glob is? This worked fine
> with
> >> 2.7.
> >>
> >
> > I don't think so. I just tried it on a 3.x system and didn't get the
> > error. Still waiting on results to see if it checks properly.
> >
> >   
> > 
> > 1800
> > no
> >
> > 
> > /etc,/usr/bin,/usr/sbin
> > /bin,/sbin,/boot
> > /var/test
> > /var/test2
> > /home/*/.ssh
> >
> > ix# grep home /var/ossec/logs/ossec.log
> > 2018/04/23 18:20:17 ossec-syscheckd: INFO: Monitoring directory:
> > '/home/ansible/.ssh', with options perm | size | owner | group |
> > md5sum | sha256sum.
> > 2018/04/23 18:20:17 ossec-syscheckd: INFO: Monitoring directory:
> > '/home/ddp/.ssh', with options perm | size | owner | group | md5sum |
> > sha256sum.
> > 2018/04/23 18:20:17 ossec-syscheckd: INFO: Monitoring directory:
> > '/home/ddpbsd/.ssh', with options perm | size | owner | group | md5sum
> > | sha256sum.
> >
>
> Hit send too early, the files were successfully checked and catalogued
> on this system.
>
> >
> > And on a slightly older agent:
> >   
> > 
> > 79200
> >
> > 
> > /etc,/usr/bin,/usr/sbin
> > /bin,/sbin,/boot
> > /home/*/.ssh
> >
> > root@kaitain:~# grep 'home' /var/ossec/logs/ossec.log
> > 2018/04/23 18:25:15 ossec-syscheckd: INFO: Monitoring directory:
> > '/home/ansible/.ssh', with options perm | size | owner | group |
> > md5sum | sha1sum.
> > 2018/04/23 18:25:15 ossec-syscheckd: INFO: Monitoring directory:
> > '/home/checker/.ssh', with options perm | size | owner | group |
> > md5sum | sha1sum.
> >
> >
> >> On Mon, Apr 23, 2018 at 12:53 PM dan (ddp)  wrote:
> >>>
> >>>
> >>>
> >>> On Mon, Apr 16, 2018 at 2:08 PM, Cooper  wrote:
> 
>  I am getting the following error from syscheckd when starting up OSSEC
>  2.9.3:
> 
>  2018/04/16 13:01:14 ossec-analysisd: INFO: Reading rules file:
>  'sshd_rules.xml'
>  2018/04/16 13:01:14 ossec-syscheckd(1121): ERROR: Glob error. Invalid
>  pattern: '/home/*/.ssh'.
>  2018/04/16 13:04:35 ossec-analysisd: INFO: Reading rules file:
>  'sshd_rules.xml'
>  2018/04/16 13:04:35 ossec-syscheckd(1121): ERROR: Glob error. Invalid
>  pattern: '/home/*/.ssh/'.
> 
>  Inside of my ossec.conf file, I have this line, which seems to be
>  generating the error:
> 
>  /home/*/.ssh/
> 
>  Any idea what is invalid about that pattern?
> 
>  --
> >>>
> >>>
> >>> I don't think globs are valid in the syscheck configuration.
> >>>
> >>>



Re: [ossec-list] syscheck error

2018-04-23 Thread dan (ddp)
On Mon, Apr 23, 2018 at 6:26 PM, dan (ddp)  wrote:
> On Mon, Apr 23, 2018 at 6:05 PM, Cooper Graf  wrote:
>> Is there documentation that explains what a glob is? This worked fine with
>> 2.7.
>>
>
> I don't think so. I just tried it on a 3.x system and didn't get the
> error. Still waiting on results to see if it checks properly.
>
>   
> 
> 1800
> no
>
> 
> /etc,/usr/bin,/usr/sbin
> /bin,/sbin,/boot
> /var/test
> /var/test2
> /home/*/.ssh
>
> ix# grep home /var/ossec/logs/ossec.log
> 2018/04/23 18:20:17 ossec-syscheckd: INFO: Monitoring directory:
> '/home/ansible/.ssh', with options perm | size | owner | group |
> md5sum | sha256sum.
> 2018/04/23 18:20:17 ossec-syscheckd: INFO: Monitoring directory:
> '/home/ddp/.ssh', with options perm | size | owner | group | md5sum |
> sha256sum.
> 2018/04/23 18:20:17 ossec-syscheckd: INFO: Monitoring directory:
> '/home/ddpbsd/.ssh', with options perm | size | owner | group | md5sum
> | sha256sum.
>

Hit send too early, the files were successfully checked and catalogued
on this system.

>
> And on a slightly older agent:
>   
> 
> 79200
>
> 
> /etc,/usr/bin,/usr/sbin
> /bin,/sbin,/boot
> /home/*/.ssh
>
> root@kaitain:~# grep 'home' /var/ossec/logs/ossec.log
> 2018/04/23 18:25:15 ossec-syscheckd: INFO: Monitoring directory:
> '/home/ansible/.ssh', with options perm | size | owner | group |
> md5sum | sha1sum.
> 2018/04/23 18:25:15 ossec-syscheckd: INFO: Monitoring directory:
> '/home/checker/.ssh', with options perm | size | owner | group |
> md5sum | sha1sum.
>
>
>> On Mon, Apr 23, 2018 at 12:53 PM dan (ddp)  wrote:
>>>
>>>
>>>
>>> On Mon, Apr 16, 2018 at 2:08 PM, Cooper  wrote:

 I am getting the following error from syscheckd when starting up OSSEC
 2.9.3:

 2018/04/16 13:01:14 ossec-analysisd: INFO: Reading rules file:
 'sshd_rules.xml'
 2018/04/16 13:01:14 ossec-syscheckd(1121): ERROR: Glob error. Invalid
 pattern: '/home/*/.ssh'.
 2018/04/16 13:04:35 ossec-analysisd: INFO: Reading rules file:
 'sshd_rules.xml'
 2018/04/16 13:04:35 ossec-syscheckd(1121): ERROR: Glob error. Invalid
 pattern: '/home/*/.ssh/'.

 Inside of my ossec.conf file, I have this line, which seems to be
 generating the error:

 /home/*/.ssh/

 Any idea what is invalid about that pattern?

 --
>>>
>>>
>>> I don't think globs are valid in the syscheck configuration.
>>>
>>>





Re: [ossec-list] syscheck error

2018-04-23 Thread dan (ddp)
On Mon, Apr 23, 2018 at 6:05 PM, Cooper Graf  wrote:
> Is there documentation that explains what a glob is? This worked fine with
> 2.7.
>

I don't think so. I just tried it on a 3.x system and didn't get the
error. Still waiting on results to see if it checks properly.

  

1800
no


/etc,/usr/bin,/usr/sbin
/bin,/sbin,/boot
/var/test
/var/test2
/home/*/.ssh

ix# grep home /var/ossec/logs/ossec.log
2018/04/23 18:20:17 ossec-syscheckd: INFO: Monitoring directory:
'/home/ansible/.ssh', with options perm | size | owner | group |
md5sum | sha256sum.
2018/04/23 18:20:17 ossec-syscheckd: INFO: Monitoring directory:
'/home/ddp/.ssh', with options perm | size | owner | group | md5sum |
sha256sum.
2018/04/23 18:20:17 ossec-syscheckd: INFO: Monitoring directory:
'/home/ddpbsd/.ssh', with options perm | size | owner | group | md5sum
| sha256sum.


And on a slightly older agent:
  

79200


/etc,/usr/bin,/usr/sbin
/bin,/sbin,/boot
/home/*/.ssh

root@kaitain:~# grep 'home' /var/ossec/logs/ossec.log
2018/04/23 18:25:15 ossec-syscheckd: INFO: Monitoring directory:
'/home/ansible/.ssh', with options perm | size | owner | group |
md5sum | sha1sum.
2018/04/23 18:25:15 ossec-syscheckd: INFO: Monitoring directory:
'/home/checker/.ssh', with options perm | size | owner | group |
md5sum | sha1sum.


> On Mon, Apr 23, 2018 at 12:53 PM dan (ddp)  wrote:
>>
>>
>>
>> On Mon, Apr 16, 2018 at 2:08 PM, Cooper  wrote:
>>>
>>> I am getting the following error from syscheckd when starting up OSSEC
>>> 2.9.3:
>>>
>>> 2018/04/16 13:01:14 ossec-analysisd: INFO: Reading rules file:
>>> 'sshd_rules.xml'
>>> 2018/04/16 13:01:14 ossec-syscheckd(1121): ERROR: Glob error. Invalid
>>> pattern: '/home/*/.ssh'.
>>> 2018/04/16 13:04:35 ossec-analysisd: INFO: Reading rules file:
>>> 'sshd_rules.xml'
>>> 2018/04/16 13:04:35 ossec-syscheckd(1121): ERROR: Glob error. Invalid
>>> pattern: '/home/*/.ssh/'.
>>>
>>> Inside of my ossec.conf file, I have this line, which seems to be
>>> generating the error:
>>>
>>> /home/*/.ssh/
>>>
>>> Any idea what is invalid about that pattern?
>>>
>>> --
>>
>>
>> I don't think globs are valid in the syscheck configuration.
>>
>>



Re: [ossec-list] syscheck error

2018-04-23 Thread Cooper Graf
Is there documentation that explains what a glob is? This worked fine with
2.7.

On Mon, Apr 23, 2018 at 12:53 PM dan (ddp)  wrote:

>
>
> On Mon, Apr 16, 2018 at 2:08 PM, Cooper  wrote:
>
>> I am getting the following error from syscheckd when starting up OSSEC
>> 2.9.3:
>>
>> 2018/04/16 13:01:14 ossec-analysisd: INFO: Reading rules file:
>> 'sshd_rules.xml'
>> 2018/04/16 13:01:14 ossec-syscheckd(1121): ERROR: Glob error. Invalid
>> pattern: '/home/*/.ssh'.
>> 2018/04/16 13:04:35 ossec-analysisd: INFO: Reading rules file:
>> 'sshd_rules.xml'
>> 2018/04/16 13:04:35 ossec-syscheckd(1121): ERROR: Glob error. Invalid
>> pattern: '/home/*/.ssh/'.
>>
>> Inside of my ossec.conf file, I have this line, which seems to be
>> generating the error:
>>
>> /home/*/.ssh/
>>
>> Any idea what is invalid about that pattern?
>>
>> --
>>
>
> I don't think globs are valid in the syscheck configuration.
>
>
>



Re: [ossec-list] syscheck error

2018-04-23 Thread dan (ddp)
On Mon, Apr 16, 2018 at 2:08 PM, Cooper  wrote:

> I am getting the following error from syscheckd when starting up OSSEC
> 2.9.3:
>
> 2018/04/16 13:01:14 ossec-analysisd: INFO: Reading rules file:
> 'sshd_rules.xml'
> 2018/04/16 13:01:14 ossec-syscheckd(1121): ERROR: Glob error. Invalid
> pattern: '/home/*/.ssh'.
> 2018/04/16 13:04:35 ossec-analysisd: INFO: Reading rules file:
> 'sshd_rules.xml'
> 2018/04/16 13:04:35 ossec-syscheckd(1121): ERROR: Glob error. Invalid
> pattern: '/home/*/.ssh/'.
>
> Inside of my ossec.conf file, I have this line, which seems to be
> generating the error:
>
> /home/*/.ssh/
>
> Any idea what is invalid about that pattern?
>
> --
>

I don't think globs are valid in the syscheck configuration.






[ossec-list] syscheck error

2018-04-16 Thread Cooper
I am getting the following error from syscheckd when starting up OSSEC 
2.9.3:

2018/04/16 13:01:14 ossec-analysisd: INFO: Reading rules file: 
'sshd_rules.xml'
2018/04/16 13:01:14 ossec-syscheckd(1121): ERROR: Glob error. Invalid 
pattern: '/home/*/.ssh'.
2018/04/16 13:04:35 ossec-analysisd: INFO: Reading rules file: 
'sshd_rules.xml'
2018/04/16 13:04:35 ossec-syscheckd(1121): ERROR: Glob error. Invalid 
pattern: '/home/*/.ssh/'.

Inside of my ossec.conf file, I have this line, which seems to be 
generating the error:

/home/*/.ssh/

Any idea what is invalid about that pattern?



Re: [ossec-list] syscheck error with large files

2012-04-12 Thread Christopher Moraes
I figured out what the problem is -

OSSEC gets the file size and stores it in an 'int'. For large files >
2GB, the value in the int overflows into a negative range. When OSSEC sees
a negative value for size, it assumes that the file has been deleted.

So I guess the fix would be to change the variable holding the size to a
long instead of an int.


On Wed, Apr 11, 2012 at 10:40 AM, Christopher Moraes
wrote:

> OSSEC running on Debian (2.6.31.6 kernel) on a 64 bit env.
>
> I have noticed a similar problem on RHEL 5 also.  Though the error is
> different.  (Size goes into negative values)
>
>
> On Wed, Apr 11, 2012 at 9:15 AM, dan (ddp)  wrote:
>
>> What OS?
>>
>> On Tue, Apr 10, 2012 at 5:02 PM, Christopher Moraes
>>  wrote:
>> > Hi,
>> >
>> > Has anyone noticed a bug when running syscheck with large files (> 2
>> GB)?
>> >
>> > I created a test file of 750 MB and ran syscheck.  The file was added
>> > correctly to the syscheck DB in /var/ossec/queue/syscheck/syscheck
>> >
>> >
>> +++755439186:33184:0:0:547ce19e677e67506bbf9ef7b4c6f42f:6036d5f6813b59fd1b461a59184b0e8ffb26a11b
>> > !1334071299 /var/log/remote/large-file.log
>> >
>> > I then appended logs to the file to create a 3GB file
>> > -rw-r- 1 root root 3021794472 Apr 10 11:35 large-file.log
>> >
>> > I ran syscheck again and then noticed a weird alert
>> >
>> > ** Alert 1334072743.333516: mail  - ossec,syscheck,
>> > 2012 Apr 10 11:45:43 cbvmalv01->syscheck
>> > Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
>> > Src IP: (none)
>> > User: (none)
>> > File '/var/log/remote/large-file.log' was deleted. Unable to retrieve
>> > checksum.
>> >
>> > The file has not been deleted and is still present in the directory.
>> >
>> > Additionally, I see that the syscheck DB shows the file as deleted, but
>> with
>> > a new entry showing the same file with 1 change.
>> >
>> >
>> #++755439186:33184:0:0:547ce19e677e67506bbf9ef7b4c6f42f:6036d5f6813b59fd1b461a59184b0e8ffb26a11b
>> > !1334071299 /var/log/remote/large-file.log
>> >
>> !++-1273172824:33184:0:0:4fb16a0f6a905610fac619de9a868a8a:78d47e0ff6212c55c6aa87c77cdff88b4de6b830
>> > !1334072743 /var/log/remote/large-file.log
>> >
>> > Also, the file size is wrong (1273172824 instead of 3021794472)
>> >
>> > Has anyone else noticed this?  Is there a workaround or a fix?
>> >
>> > Regards,
>> > Chris
>> >
>> >
>>
>
>
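Chris's diagnosis above (size stored in an int, wrap to negative, negative read as "deleted") can be checked arithmetically against the numbers in his own output: 3021794472 exceeds INT_MAX (2147483647), and 3021794472 - 2^32 = -1273172824, exactly the size in the second DB entry. The C program below is an added illustration, not OSSEC's syscheck code; it models the stored-size step in a 32-bit int beside the 64-bit version and formats the DB size field both ways. The function names and the "negative means deleted" test are assumptions that follow the thread's description; the two byte counts come from the thread.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes taken from the thread's own output (ls and the syscheck DB lines). */
#define SMALL_FILE_BYTES   755439186LL    /* the 750 MB test file */
#define LARGE_FILE_BYTES  3021794472LL    /* the same file grown to ~3 GB */

/* What a 32-bit 'int' holds after an st_size above INT_MAX is stored in it.
 * Written with unsigned arithmetic so the wrap is well-defined in every C
 * standard; the effect is the usual two's-complement truncation. */
int32_t size_stored_in_int(long long st_size) {
    uint32_t low32 = (uint32_t)st_size;          /* keep only the low 32 bits */
    if (low32 <= (uint32_t)INT32_MAX)
        return (int32_t)low32;                    /* fits: unchanged */
    /* low32 - 2^31 is in [0, 2^31); adding INT32_MIN yields low32 - 2^32 */
    return (int32_t)(low32 - (uint32_t)INT32_MAX - 1u) + INT32_MIN;
}

/* The size field as it lands in the syscheck DB line when the int is printed
 * with %d: "-1273172824" for the 3 GB file, as in the thread's second entry. */
const char *format_size_field_buggy(long long st_size, char *buf, size_t n) {
    snprintf(buf, n, "%d", (int)size_stored_in_int(st_size));
    return buf;
}

/* Fixed: carry the size in a 64-bit type all the way to the formatter. */
const char *format_size_field_fixed(long long st_size, char *buf, size_t n) {
    snprintf(buf, n, "%lld", st_size);
    return buf;
}

/* The thread's reading of the symptom: a negative stored size is treated as
 * "file deleted" (rule 553). With the 64-bit size the test never misfires. */
int flagged_deleted_buggy(long long st_size) { return size_stored_in_int(st_size) < 0; }
int flagged_deleted_fixed(long long st_size) { return st_size < 0; }

/* Helper for checking a formatter's output against an expected field. */
int field_equals(const char *(*fmt)(long long, char *, size_t),
                 long long st_size, const char *expected) {
    char buf[32];
    return strcmp(fmt(st_size, buf, sizeof buf), expected) == 0;
}

int main(void) {
    char buf[32];
    long long sizes[] = { SMALL_FILE_BYTES, LARGE_FILE_BYTES };
    for (int i = 0; i < 2; i++) {
        printf("st_size=%lld  int field=%s  deleted(buggy)=%d  ",
               sizes[i], format_size_field_buggy(sizes[i], buf, sizeof buf),
               flagged_deleted_buggy(sizes[i]));
        printf("64-bit field=%s  deleted(fixed)=%d\n",
               format_size_field_fixed(sizes[i], buf, sizeof buf),
               flagged_deleted_fixed(sizes[i]));
    }
    return 0;
}
```

One caveat on the proposed fix: 'long' is 64-bit only on LP64 platforms (64-bit Linux and BSD); on Windows and on 32-bit Linux it is still 32 bits, so off_t with _FILE_OFFSET_BITS defined as 64 (or long long) is the portable choice. The detection consequence is visible in Chris's DB dump: the old entry is marked deleted and a fresh entry with the wrapped size starts a new baseline, so a change to a large log file is reported as a deletion plus a new file rather than as a modification.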


Re: [ossec-list] syscheck error with large files

2012-04-11 Thread Christopher Moraes
OSSEC running on Debian (2.6.31.6 kernel) on a 64 bit env.

I have noticed a similar problem on RHEL 5 also.  Though the error is
different.  (Size goes into negative values)


On Wed, Apr 11, 2012 at 9:15 AM, dan (ddp)  wrote:

> What OS?
>
> On Tue, Apr 10, 2012 at 5:02 PM, Christopher Moraes
>  wrote:
> > Hi,
> >
> > Has anyone noticed a bug when running syscheck with large files (> 2 GB)?
> >
> > I created a test file of 750 MB and ran syscheck.  The file was added
> > correctly to the syscheck DB in /var/ossec/queue/syscheck/syscheck
> >
> >
> +++755439186:33184:0:0:547ce19e677e67506bbf9ef7b4c6f42f:6036d5f6813b59fd1b461a59184b0e8ffb26a11b
> > !1334071299 /var/log/remote/large-file.log
> >
> > I then appended logs to the file to create a 3GB file
> > -rw-r- 1 root root 3021794472 Apr 10 11:35 large-file.log
> >
> > I ran syscheck again and then noticed a weird alert
> >
> > ** Alert 1334072743.333516: mail  - ossec,syscheck,
> > 2012 Apr 10 11:45:43 cbvmalv01->syscheck
> > Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
> > Src IP: (none)
> > User: (none)
> > File '/var/log/remote/large-file.log' was deleted. Unable to retrieve
> > checksum.
> >
> > The file has not been deleted and is still present in the directory.
> >
> > Additionally, I see that the syscheck DB shows the file as deleted, but
> with
> > a new entry showing the same file with 1 change.
> >
> >
> #++755439186:33184:0:0:547ce19e677e67506bbf9ef7b4c6f42f:6036d5f6813b59fd1b461a59184b0e8ffb26a11b
> > !1334071299 /var/log/remote/large-file.log
> >
> !++-1273172824:33184:0:0:4fb16a0f6a905610fac619de9a868a8a:78d47e0ff6212c55c6aa87c77cdff88b4de6b830
> > !1334072743 /var/log/remote/large-file.log
> >
> > Also, the file size is wrong (1273172824 instead of 3021794472)
> >
> > Has anyone else noticed this?  Is there a workaround or a fix?
> >
> > Regards,
> > Chris
> >
> >
>


Re: [ossec-list] syscheck error with large files

2012-04-11 Thread dan (ddp)
What OS?

On Tue, Apr 10, 2012 at 5:02 PM, Christopher Moraes
 wrote:
> Hi,
>
> Has anyone noticed a bug when running syscheck with large files (> 2 GB)?
>
> I created a test file of 750 MB and ran syscheck.  The file was added
> correctly to the syscheck DB in /var/ossec/queue/syscheck/syscheck
>
> +++755439186:33184:0:0:547ce19e677e67506bbf9ef7b4c6f42f:6036d5f6813b59fd1b461a59184b0e8ffb26a11b
> !1334071299 /var/log/remote/large-file.log
>
> I then appended logs to the file to create a 3GB file
> -rw-r- 1 root root 3021794472 Apr 10 11:35 large-file.log
>
> I ran syscheck again and then noticed a weird alert
>
> ** Alert 1334072743.333516: mail  - ossec,syscheck,
> 2012 Apr 10 11:45:43 cbvmalv01->syscheck
> Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
> Src IP: (none)
> User: (none)
> File '/var/log/remote/large-file.log' was deleted. Unable to retrieve
> checksum.
>
> The file has not been deleted and is still present in the directory.
>
> Additionally, I see that the syscheck DB shows the file as deleted, but with
> a new entry showing the same file with 1 change.
>
> #++755439186:33184:0:0:547ce19e677e67506bbf9ef7b4c6f42f:6036d5f6813b59fd1b461a59184b0e8ffb26a11b
> !1334071299 /var/log/remote/large-file.log
> !++-1273172824:33184:0:0:4fb16a0f6a905610fac619de9a868a8a:78d47e0ff6212c55c6aa87c77cdff88b4de6b830
> !1334072743 /var/log/remote/large-file.log
>
> Also, the file size is wrong (1273172824 instead of 3021794472)
>
> Has anyone else noticed this?  Is there a workaround or a fix?
>
> Regards,
> Chris
>
>


[ossec-list] syscheck error with large files

2012-04-10 Thread Christopher Moraes
Hi,

Has anyone noticed a bug when running syscheck with large files (> 2 GB)?

I created a test file of 750 MB and ran syscheck.  The file was added
correctly to the syscheck DB in /var/ossec/queue/syscheck/syscheck

+++755439186:33184:0:0:547ce19e677e67506bbf9ef7b4c6f42f:6036d5f6813b59fd1b461a59184b0e8ffb26a11b
!1334071299 /var/log/remote/large-file.log

I then appended logs to the file to create a 3GB file
-rw-r- 1 root root 3021794472 Apr 10 11:35 large-file.log

I ran syscheck again and then noticed a weird alert

** Alert 1334072743.333516: mail  - ossec,syscheck,
2012 Apr 10 11:45:43 cbvmalv01->syscheck
Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
Src IP: (none)
User: (none)
File '/var/log/remote/large-file.log' was deleted. Unable to retrieve
checksum.

The file has not been deleted and is still present in the directory.

Additionally, I see that the syscheck DB shows the file as deleted, but
with a new entry showing the same file with 1 change.

#++755439186:33184:0:0:547ce19e677e67506bbf9ef7b4c6f42f:6036d5f6813b59fd1b461a59184b0e8ffb26a11b
!1334071299 /var/log/remote/large-file.log
!++-1273172824:33184:0:0:4fb16a0f6a905610fac619de9a868a8a:78d47e0ff6212c55c6aa87c77cdff88b4de6b830
!1334072743 /var/log/remote/large-file.log

Also, the file size is wrong (1273172824 instead of 3021794472)

Has anyone else noticed this?  Is there a workaround or a fix?

Regards,
Chris