I have been using Ossec on a couple of my servers for several years now. I
recently updated one of them to Ubuntu 14.04 server edition and found that
the agent running on that machine was no longer communicating with the
server. I took this as an opportunity to upgrade both machines from
So after some investigating, it seems what's ACTUALLY happening is that the
realtime notifications aren't working, and the syscheck 20-hour scan is
picking up the changes. Thus, one could reasonably (I think) interpret this
as delayed realtime notifications.
I certainly have the realtime="yes"
I hadn't really considered the mail server may be the problem - we
naturally utilize sendmail to offload the notifications and route them
through our corporate O365 exchange server.
I was getting some integrity changes hours after the changes actually
occurred (on boxes with realtime=yes and
Thank you Victor.
We tried with both the 2.8.2 and the 2.8.3 version, but both were throwing
errors for make.
The changes were made as suggested; however, there were some errors and I am not sure
if all the executables were created.
These are the only exe files under src\win-pkg
04/14/2016
2016/04/14 06:03:17 ossec-rootcheck: INFO: Started (pid: 30101).
2016/04/14 06:06:05 ossec-rootcheck: INFO: Starting rootcheck scan.
2016/04/14 06:06:05 ossec-rootcheck: No rootcheck_files file configured.
2016/04/14 06:06:05 ossec-rootcheck: No rootcheck_trojans file configured.
2016/04/14
On Thu, Apr 14, 2016 at 6:27 AM, eyal gershon wrote:
> Hey,
>
> I tried to disable the rootcheck on one of the servers.
> I have added the following line to the agent.conf file -
>
>
> yes
>
>
> and after restarting the service I get the following output -
>
On Wed, Apr 13, 2016 at 2:49 PM, Rob B wrote:
> Thanks, that gave me the food for thought I needed...
> I will push my packages with updated .conf files for agents in an automated
> "update like" fashion.
>
> Will test the directory that ossec agent needs to fire my package
Hey,
I tried to disable the rootcheck on one of the servers.
I have added the following line to the agent.conf file -
yes
and after restarting the service I get the following output -
Starting ossec-hids: 2016/04/14 06:16:27 ossec-rootcheck: Rootcheck
disabled. Exiting.