All,

I've been experiencing issues with the new report_changes feature of
syscheck since 2.5 was released.  I was on IRC earlier and was told the bug
was known and that a fix was included in the latest snapshot, but I'm still
seeing the same issues.  For what it's worth I really find great value in the
new report_changes feature and cannot wait until it works as smoothly as the
rest of OSSEC!


*Details*:
agent.conf

<directories check_all="yes" realtime="yes"
report_changes="yes">/etc/test</directories>


ossec.log on manager:

2010/10/04 20:35:30 XXXX syscheck data: 1c1
< TestTest`1234idfdasfdasf5
---
> Tesingt

2010/10/04 20:35:30 ossec-remoted: socketerr (not available).
2010/10/04 20:35:30 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue'
not accessible: 'Connection refused'.
2010/10/04 20:35:31 ossec-logcollector: socketerr (not available).
2010/10/04 20:35:31 ossec-logcollector(1224): ERROR: Error sending message
to queue.
2010/10/04 20:35:33 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue'
not accessible: 'Connection refused'.
2010/10/04 20:35:33 ossec-remoted(1211): ERROR: Unable to access queue:
'/queue/ossec/queue'. Giving up..
2010/10/04 20:35:34 ossec-logcollector(1210): ERROR: Queue
'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2010/10/04 20:35:34 ossec-logcollector(1211): ERROR: Unable to access queue:
'/var/ossec/queue/ossec/queue'. Giving up..
2010/10/04 21:04:37 ossec-monitord: socketerr (not available).
2010/10/04 21:04:37 ossec-monitord(1224): ERROR: Error sending message to
queue.

The first modification always crashes remoted, logcollector and analysisd:

ossec-monitord is running...
ossec-logcollector: Process 19157 not used by ossec, removing ..
ossec-logcollector not running...
ossec-remoted: Process 19162 not used by ossec, removing ..
ossec-remoted not running...
ossec-syscheckd is running...
ossec-analysisd: Process 19153 not used by ossec, removing ..
ossec-analysisd not running...
ossec-maild is running...
ossec-execd not running...

While I'm pointing out issues with syscheck, I've noticed that most changes
I make are reported as also changing the file size from (actual number) to
0.  The group suggested I check the inode to verify they did not
change--they did not.

I have reproduced this issue with Ubuntu 10.10 talking to a CentOS 5.5
server.  In my lab environment at work I can reproduce the same issue using
RedHat 5.5 both ways.  I do not have IRC access during the day, but am
typically on during the night and could help troubleshoot with anyone
willing to work with me.

Any help would be appreciated.

Thanks,
Chris
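As an added example (not from the post above or from the OSSEC project), here is a small Python triage script for the kind of ossec.log excerpt Chris pasted. It parses each daemon event, pulls out the diff(1)-style block that syscheck emits when report_changes is on, and works out which daemons are down: any daemon that logged "Giving up", plus analysisd whenever another daemon got "Connection refused" on the /queue/ossec/queue socket. That last rule is an assumption stated in the code: that socket is the one analysisd listens on, so a refused connection there means analysisd is not running. The sample log is constructed from the post's lines with the e-mail wrapping undone; the hostname is left redacted as "XXXX" exactly as posted.

```python
import re
from collections import defaultdict

# Constructed sample: the ossec.log lines quoted in the post, with each
# event unwrapped onto one line. "XXXX" is the redacted hostname from the post.
SAMPLE_LOG = """\
2010/10/04 20:35:30 XXXX syscheck data: 1c1
< TestTest`1234idfdasfdasf5
---
> Tesingt

2010/10/04 20:35:30 ossec-remoted: socketerr (not available).
2010/10/04 20:35:30 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2010/10/04 20:35:31 ossec-logcollector: socketerr (not available).
2010/10/04 20:35:31 ossec-logcollector(1224): ERROR: Error sending message to queue.
2010/10/04 20:35:33 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2010/10/04 20:35:33 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
2010/10/04 20:35:34 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2010/10/04 20:35:34 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2010/10/04 21:04:37 ossec-monitord: socketerr (not available).
2010/10/04 21:04:37 ossec-monitord(1224): ERROR: Error sending message to queue.
"""

# "<timestamp> <daemon>[(code)]: <message>" as written by the OSSEC daemons.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>ossec-[a-z]+)(?:\((?P<code>\d+)\))?: (?P<msg>.*)$"
)
QUEUE_RE = re.compile(r"Queue '(?P<path>[^']+)' not accessible: '(?P<err>[^']+)'")
SYSCHECK_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \S+ syscheck data: ")

# Assumption: this is the unix socket analysisd reads (path relative to the
# OSSEC root, so it also matches /var/ossec/queue/ossec/queue).
ANALYSISD_QUEUE = "/queue/ossec/queue"


def parse_events(text):
    """Return one dict (ts, daemon, code, msg) per daemon log line; skip the rest."""
    return [m.groupdict() for m in map(EVENT_RE.match, text.splitlines()) if m]


def extract_diffs(text):
    """Return (old, new) content pairs from syscheck report_changes blocks.
    '<' lines are the previous content, '>' lines the new content; a blank
    line or the next event ends the block."""
    diffs, in_block, old, new = [], False, [], []
    for line in text.splitlines():
        if SYSCHECK_RE.match(line):
            in_block, old, new = True, [], []
            continue
        if not in_block:
            continue
        if line.startswith("< "):
            old.append(line[2:])
        elif line.startswith("> "):
            new.append(line[2:])
        elif line != "---":
            diffs.append(("\n".join(old), "\n".join(new)))
            in_block = False
    if in_block:
        diffs.append(("\n".join(old), "\n".join(new)))
    return diffs


def triage(events):
    """Per-daemon summary: numeric error codes seen, whether it gave up,
    and which queue sockets refused the connection."""
    summary = defaultdict(lambda: {"codes": [], "gave_up": False, "refused_queues": set()})
    for e in events:
        d = summary[e["daemon"]]
        if e["code"] is not None:
            d["codes"].append(int(e["code"]))
        if "Giving up" in e["msg"]:
            d["gave_up"] = True
        qm = QUEUE_RE.search(e["msg"])
        if qm and qm["err"] == "Connection refused":
            d["refused_queues"].add(qm["path"])
    return dict(summary)


def dead_daemons(summary):
    """Daemons that gave up, plus analysisd if anyone was refused on its socket."""
    dead = {name for name, d in summary.items() if d["gave_up"]}
    if any(p.endswith(ANALYSISD_QUEUE) for d in summary.values() for p in d["refused_queues"]):
        dead.add("ossec-analysisd")
    return sorted(dead)


if __name__ == "__main__":
    summary = triage(parse_events(SAMPLE_LOG))
    print("syscheck diffs:", extract_diffs(SAMPLE_LOG))
    print("daemons down:", dead_daemons(summary))
```

On the sample the script reports analysisd, logcollector and remoted down, which matches the ossec-control status Chris pasted; the diff extraction is what you would feed into an alert if you wanted the old and new file contents in a notification rather than only the size change.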
