OSSEC Syslog Entries Missing Checksum Data

[pto...@gmail.com]

Hi,

I've been having an issue where OSSEC is not sending the checksum data in the syslog alerts. Below is an example of what I am seeing (alerts log). This doesn't happen all the time but has been becoming more and more of an issue:

2017 May 05 17:42:37 (me.me.com) any->syscheck

Rule: 550 (level 7) -> 'Integrity checksum changed'

Integrity checksum changed for: '/home/testuser/test.txt'

Size changed from '2560' to '35292'

However, looking at the file with 'syscheck_control', you can see that it captured the checksums:

/var/ossec/bin/syscheck_control -i xxxx -f /home/testuser/test.txt

2017 May 05 17:42:37,2 - /home/testuser/test.txt

File changed. - 2nd time modified.

Integrity checking values:

   Size: >35292

   Perm: rw-r--r--

   Uid:  5004

   Gid:  5003

   Md5:  a76ea51c577dce4946efc621b3d7ac17

   Sha1: 74e82b2399f36d465a541e54a977a9b062b58c67

Has anyone ever seen this before?

agent.conf entry:

<directories check_all="yes" realtime="yes">/home/testuser</directories> 

Thanks!

[dan (ddp)]

I don't use the syslog output much, so I have never seen this.
Are the syslog messages with the missing data long messages? There is
a size limit to the message size (1024 bytes maybe?).

>
>
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.