
syscheck logs even after restart sometimes #1289

Open
eduda opened this issue Oct 18, 2017 · 10 comments

Comments

@eduda

eduda commented Oct 18, 2017

I'm not sure if this is a bug or by design. What I want to do is not have syscheck alert on a file change if I know there are changes taking place, for example, yum update (390 rpms installed as part of an OS update).
What I thought you could do is just stop ossec, update, then start it back up. Most of the time, it will not alert on the changes, but in some cases I've noticed it does alert after the restart on some files, some of the time. Is that a bug?

Is there a better way to suppress alerting without stopping ossec?

Thanks.

@ddpbsd (Member)

ddpbsd commented Oct 18, 2017

I think the md5 whitelist feature is in master. Other than that, not much you can do.

@eduda (Author)

eduda commented Nov 15, 2017

Is it possible that on startup, for some reason, the database is not updated before it starts alerting? So in some cases there's a race?

@ddpbsd (Member)

ddpbsd commented Nov 15, 2017

I'm not sure what you mean. If an entry in the database gets updated, there should generally be an alert.
If you stop OSSEC, update packages, and start OSSEC, a syscheck scan should run. Any changes it detects should probably be alerted on, including those from the package updates.

@eduda (Author)

eduda commented Nov 15, 2017

So what I need to happen is this: stop ossec, update some rpms, start ossec, but don't have it alert on the rpm update. Normally this works fine, but sometimes we get an alert. I'm not sure why.

@ddpbsd (Member)

ddpbsd commented Nov 15, 2017

If the MD5 whitelisting is in MASTER, you can populate the sqlite3 database with the correct hashes and file names. You can also clear the database before running the updates so everything that gets added is new.

@eduda (Author)

eduda commented Nov 15, 2017

Is there a way to stop ossec, make the rpm updates, then tell ossec to update the db with all (the full OS fs) changes before starting realtime monitoring alerting?

@ddpbsd (Member)

ddpbsd commented Nov 15, 2017

Not out of the box. If you can figure out how to get the hashes of the files, scripting a solution wouldn't be the worst.
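As an added example of the scripting approach suggested above (this is not OSSEC code and not the page author's script), the block below takes a hash snapshot of a tree before and after an update, diffs the two, and separates changes explained by the package manager's file manifest from changes that are not. The accepted files are emitted as `md5  path` lines; that output format, the `collect_manifest` input (on a real host it would come from something like `rpm -ql` for the updated packages), and the sample tree built in a temp directory are all assumptions constructed for the demo, since the page does not describe the whitelist database schema.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path, algo="md5"):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file (relative POSIX path) under root to its digest."""
    root = Path(root)
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if full.is_file():
                result[full.relative_to(root).as_posix()] = file_digest(full)
    return result


def diff_snapshots(before, after):
    """Classify paths as added, removed, or modified between two snapshots."""
    added = set(after) - set(before)
    removed = set(before) - set(after)
    modified = {p for p in set(before) & set(after) if before[p] != after[p]}
    return {"added": added, "removed": removed, "modified": modified}


def unexplained_changes(changes, manifest):
    """Changed paths that the package manager did not claim responsibility for.

    manifest: set of paths the updated packages own (assumed to be collected
    from the package manager, e.g. rpm -ql, on a real host).
    Blanket-suppressing alerts after an update would hide exactly these.
    """
    touched = changes["added"] | changes["removed"] | changes["modified"]
    return touched - manifest


def whitelist_lines(after, changes, manifest):
    """'md5  path' lines for accepted (package-explained) changes.

    The line format is an assumption for the demo, not OSSEC's own format.
    """
    accepted = (changes["added"] | changes["modified"]) & manifest
    return sorted(f"{after[p]}  {p}" for p in accepted)


def build_demo_tree():
    """Constructed sample filesystem standing in for the host being updated."""
    root = Path(tempfile.mkdtemp(prefix="syscheck-demo-"))
    (root / "usr/bin").mkdir(parents=True)
    (root / "etc").mkdir()
    (root / "usr/bin/curl").write_bytes(b"curl v1")
    (root / "usr/bin/wget").write_bytes(b"wget v1")
    (root / "etc/ssh_config").write_bytes(b"Port 22\n")
    return root


def simulate_update(root):
    """Constructed changes: one legitimate package update plus two others."""
    (root / "usr/bin/curl").write_bytes(b"curl v2")        # owned by updated rpm
    (root / "usr/bin/ls").write_bytes(b"unexpected binary")  # not in any manifest
    (root / "etc/ssh_config").write_bytes(b"Port 2222\n")   # config edit, not rpm


def run_demo():
    """Stop-update-start workflow: snapshot, update, snapshot, then triage."""
    root = build_demo_tree()
    before = snapshot(root)
    simulate_update(root)
    after = snapshot(root)
    changes = diff_snapshots(before, after)
    manifest = {"usr/bin/curl", "usr/bin/wget"}  # assumed rpm -ql output
    suspicious = unexplained_changes(changes, manifest)
    accepted = whitelist_lines(after, changes, manifest)
    return changes, suspicious, accepted


if __name__ == "__main__":
    changes, suspicious, accepted = run_demo()
    print("changes:", changes)
    print("unexplained (still worth an alert):", sorted(suspicious))
    print("accepted whitelist lines:", accepted)
```

The point of the split is that the "before" snapshot is taken while OSSEC is stopped, so nothing the update touches is lost to a race between the scan and realtime alerting, and only the package-owned changes are accepted; anything else the update window touched still surfaces for review.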

@eduda (Author)

eduda commented Nov 15, 2017

The part that I still don't understand is why it alerts sometimes in syscheck realtime and other times it doesn't.

In this example: stop ossec, update rpms, start ossec.

@ddpbsd (Member)

ddpbsd commented Nov 15, 2017

If you have not turned off auto_ignore, that could affect things. Other than that, I don't know.

@eduda (Author)

eduda commented Nov 15, 2017

I have auto_ignore set to no.
