Can anyone explain the syntax of the file "/opt/ossec/queue/syscheck"?


Marcos Tang

Feb 29, 2012, 12:55:10 AM
to ossec...@googlegroups.com
Hi,

I find my OSSEC server keeps "reporting" a file is changed. I checked that file's checksum and timestamp and nothing has changed, as far as I can tell.

When I try to see what is going on inside the file "/opt/ossec/queue/syscheck/(ossec_client) 172.30.XX.XXX -> syscheck", I find there are 2 entries related to the same object.

The first line below should be created first with a "+++" at the beginning of that line. Somehow, when the OSSEC server reports there is a change, it creates the last line.

Can anyone explain what "+++" and "!++" mean, and what "!132863#281" and "!1330029335" mean?

[root@myossec_svr syscheck]# cat "(ossec_client) 172.30.XX.XXX ->syscheck"
+++1486:33188:0:1:a465a2fd02717050ca44d6cc24c5d458:bd37d291ce34e363af853958a31f241c74bd85d4 !132863#281 /opt/syslog-ng/conf/syslog-ng.conf
!++1486:33188:0:1:a465a2fd02717050ca44d6cc24c5d458:bd37d291ce34e363af853958a31f241c74bd85d4 !1330029335 /opt/syslog-ng/conf/syslog-ng.conf

Regards,
Marcos


dan (ddp)

Feb 29, 2012, 6:03:08 AM
to ossec...@googlegroups.com
On Wed, Feb 29, 2012 at 12:55 AM, Marcos Tang <marco...@gmail.com> wrote:
> Hi,
>
> I find my OSSEC server keeps "reporting" a file is changed. I checked that
> file check sum and timestamp and it has nothing change, as far as I can
> tell.
>
> When I try to see what is going on inside the file
> "/opt/ossec/queue/syscheck/"(ossec_client) 172.30.XX.XXX -> syscheck", I
> find there are 2 entries related to the same object.
>
> The first line below should be created first with a "+++" at the beginning
> of that line. Somehow, when OSSEC server reports there is a change, it
> create the last line.
>
> Can anyone explain what is the meaning of "+++" & "!++" and what is the

I'd have to spend some time looking at the source, but I think it
means the file has changed once.

> meaning of "!132863#281" and "!1330029335"?
>

I think those are supposed to be timestamps, but the "#" shouldn't be
there. I'd either delete that entry or clear the syscheck db and start
over for that host.

Marcos Tang

Feb 29, 2012, 6:26:19 AM
to ossec...@googlegroups.com
Hi Dan,

Thanks and please share the meaning of those fields with me, when you have a chance to see the source code.

Also thanks for your suggestion and I am going to remove the line having "#" and keep the last one.

Thanks & Regards,
Marcos

Joao T.

May 6, 2015, 2:50:17 PM
to ossec...@googlegroups.com
Hello, this is an old message, but I couldn't find anything newer about the topic.

According to the previous example:
!++1486:33188:0:1:a465a2fd02717050ca44d6cc24c5d458:bd37d291ce34e363af853958a31f24c74bd85d4 !1330029335 /opt/syslog-ng/conf/syslog-ng.conf

In what format is the timestamp? How can I decode !1330029335 into a legible date and time?

What do these numbers between the file size and the hash mean: 33188:0:1:

Thanks!

dan (ddp)

May 6, 2015, 2:55:27 PM
to ossec...@googlegroups.com
On Wed, May 6, 2015 at 2:47 PM, Joao T. <garc...@gmail.com> wrote:
> Hello, this is an old message but couldn't find anything newest about the
> topic,
>
> According with the previous example:
> !++1486:33188:0:1:a465a2fd02717050ca44d6cc24c5d458:bd37d291ce34e363af853958a31f24c74bd85d4
> !1330029335 /opt/syslog-ng/conf/syslog-ng.conf
>
> In what format is the timestamp? how can I decode !1330029335 into legible
> date and time?
>

It's in a UNIX epoch time format. Some date commands allow you to
convert from this to something easier to read.

> What does mean these numbers between the file size and the hash: 33188:0:1:
>

The 0:1 are probably uid:gid, but I'm not sure about the 33188 off hand.

> Thanks!
>

Santiago Bassett

May 6, 2015, 6:38:03 PM
to ossec...@googlegroups.com
Hi, 

this is what I figured out by having a look at the code. Explaining the next line as an example (including some spaces to make it easier to read):

!++ 1486 : 33188 : 0 : 1 : a465a2fd02717050ca44d6cc24c5d458 : bd37d291ce34e363af853958a31f24c74bd85d4 !1330029335 /opt/syslog-ng/conf/syslog-ng.conf


The first three characters are used to count the number of times a file has changed:

+++  0 changes

!++  1 change

!!+  2 changes

!!!  3 changes

!!?  more than 3 changes


The rest of the line fields are:

file_size : file_mode : uid : gid : md5sum : sha1sum !epoch_timestamp file_path

File mode stores the result of (stat.st_mode), and contains file type code (to identify if it is a symbolic link, directory, socket, registry key,...) and access permission bits. 


Best,

Santiago.

R Brandt

Aug 30, 2015, 10:45:07 PM
to ossec-list
Thanks Santiago,
Seems like I also have some lines that only have a -1 instead of a size:mode:owner:group, e.g. !!?-1 !1440433558 /etc/ssh/sshd_config
Does anyone know why that happens, or how to correct it?

R Brandt

Aug 31, 2015, 1:30:45 PM
to ossec-list
I'm betting that the -1 indicates the file is deleted, which that file is not. Looking at the archive logs, there seems to be a pattern where some files that change show the size went from 9887 to 8798, but others have 2 events where the size goes from 9887 to 0,
then another event where the size goes from 0 to 8798.
It appears that my manager processed the 9887 to 0 but never got the 0 to 8798 event.
Why do some file changes have 2 events and others just 1?

Thanks

Santiago Bassett

Sep 1, 2015, 2:41:17 PM
to ossec...@googlegroups.com
Hi,

do you mind sharing those lines from your syscheck database? I would assume -1 is file deleted too, but don't remember on top of my mind.

Best


R Brandt

Sep 1, 2015, 3:06:52 PM
to ossec-list
Here's one.  I can't transfer the actual file since our networks are isolated.
R
!!?-1 !1440433558 /etc/ssh/sshd_config
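The line format Santiago worked out above, together with the "-1" form from R Brandt's lines, as an added Python parser (example code written for this thread, not OSSEC's own code). It treats "-1" as "no attributes recorded" (the thread's reading is that the file was deleted), decodes st_mode with the stat module (33188 is 0o100644, a regular file with mode 0644), converts the epoch timestamp to UTC, and flags a non-numeric timestamp such as "132863#281" instead of crashing; the sample database is built from the lines quoted in the thread.

```python
import re
import stat
from datetime import datetime, timezone

# Leading three characters: how many times syscheck has seen the file change.
CHANGE_COUNTS = {"+++": 0, "!++": 1, "!!+": 2, "!!!": 3, "!!?": "more than 3"}

# <flags><size:mode:uid:gid:md5:sha1 | -1> !<epoch> <path>
LINE_RE = re.compile(r"^(?P<flags>[+!?]{3})(?P<attrs>\S+) !(?P<ts>\S+) (?P<path>.+)$")

FILE_TYPES = [(stat.S_ISREG, "regular file"), (stat.S_ISDIR, "directory"),
              (stat.S_ISLNK, "symlink"), (stat.S_ISSOCK, "socket"),
              (stat.S_ISCHR, "char device"), (stat.S_ISBLK, "block device"),
              (stat.S_ISFIFO, "fifo")]


def describe_mode(mode):
    """Split a raw st_mode integer into (file type, permission bits as octal)."""
    kind = next((name for test, name in FILE_TYPES if test(mode)), "unknown")
    return kind, f"{stat.S_IMODE(mode):04o}"


def parse_syscheck_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a syscheck db line: {line!r}")
    rec = {"changes": CHANGE_COUNTS.get(m["flags"], "unknown"),
           "path": m["path"], "timestamp_raw": m["ts"]}
    # Epoch seconds; anything else (e.g. "132863#281" in the thread) is flagged as None.
    rec["timestamp"] = (datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc).isoformat()
                        if m["ts"].isdigit() else None)
    if m["attrs"] == "-1":
        rec["deleted"] = True  # attribute block is "-1": the thread reads this as "file deleted"
        return rec
    size, mode, uid, gid, md5, sha1 = m["attrs"].split(":")
    kind, perms = describe_mode(int(mode))
    rec.update(deleted=False, size=int(size), uid=int(uid), gid=int(gid),
               md5=md5, sha1=sha1, file_type=kind, perms=perms)
    return rec


def parse_syscheck_db(text):
    return [parse_syscheck_line(l) for l in text.splitlines() if l.strip()]


# Constructed sample: the three lines quoted in this thread.
SAMPLE_DB = """\
+++1486:33188:0:1:a465a2fd02717050ca44d6cc24c5d458:bd37d291ce34e363af853958a31f241c74bd85d4 !132863#281 /opt/syslog-ng/conf/syslog-ng.conf
!++1486:33188:0:1:a465a2fd02717050ca44d6cc24c5d458:bd37d291ce34e363af853958a31f241c74bd85d4 !1330029335 /opt/syslog-ng/conf/syslog-ng.conf
!!?-1 !1440433558 /etc/ssh/sshd_config
"""

if __name__ == "__main__":
    for rec in parse_syscheck_db(SAMPLE_DB):
        print(rec)
```

Run against a real "(agent) ip->syscheck" file, entries with a None timestamp or a stale duplicate path are the ones worth deleting or re-baselining, as Dan suggested.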