I'm confused. I have a working agentless setup for my 1 test node, but I am not seeing any data in logs/alerts/alerts.log indicating that an alert was triggered when I modify files that are being integrity checked.
The stanza in the manager's ossec.conf (then I restarted ossec of course):
<agentless>
<type>ssh_integrity_check_linux</type>
<frequency>30</frequency>
<host>use_sudo admin@agentless-test-rh6</host>
<state>periodic</state>
<arguments>/var/www</arguments>
</agentless>
On the remote host, I change the contents of a monitored file:
[root@agentless-test-rh6 log]# echo eoweho34rt34 > /var/www/html/new.txt
[root@agentless-test-rh6 log]#
I see agentlessd do its thing as reported in logs/ossec.log:
2015/02/23 15:50:18 ossec-agentlessd: INFO: ssh_integrity_check_linux: admin@agentless-test-rh6: Login seems okay
2015/02/23 15:50:18 ossec-agentlessd: INFO: ssh_integrity_check_linux: admin@agentless-test-rh6: use_sudo specified and 'sudo sh;' worked.
2015/02/23 15:50:18 ossec-agentlessd: INFO: ssh_integrity_check_linux: admin@agentless-test-rh6: Arguments: /var/www
2015/02/23 15:50:18 ossec-agentlessd: INFO: ssh_integrity_check_linux: admin@agentless-test-rh6: Starting.
2015/02/23 15:50:18 ossec-agentlessd: INFO: ssh_integrity_check_linux: admin@agentless-test-rh6: Finished.
Yet:
root@ossec:/var/ossec/logs# grep agentless-test-rh6 alerts/alerts.log
root@ossec:/var/ossec/logs#
If I change the contents of the monitored file again and run ssh_integrity_check_linux by hand, I see this and can confirm the hash being reported here has in fact changed and that the script is doing its work:
root@ossec:/var/ossec# sudo -u ossec agentless/ssh_integrity_check_linux use_sudo admin@agentless-test-rh6 /var/www
...
FWD: 18:600:0:0:2b7c78d8e06d2bf9c141140d08def55b:172e523b4603eecd3d18aa1d68bd4811077339fb /var/www/html/new.txt
FWD: 584:600:0:0:ab8c863437db6318a3b5a9f98a0dac76:91b00d2b0f00dea53daf063e500df2bb4c1050d7 /var/www/html/index.html
...
Any thoughts on why there's no alert recorded? I have no trouble getting hash change alerts from hosts that are running the agents.