From OSSEC Wiki


One solution for syscheck not sending any file data to the server

With ossec 1.3 on Fedora you may run into this problem: you want ossec to monitor the files belonging to named (BIND), so you add:

<directories check_all="yes">/var/named</directories>

to ossec.conf on the client. Fedora -- at least as of version 7 -- runs named in a chroot jail under /var/named/chroot. However, part of that chroot jail includes /var/named/chroot/proc. The contents of that directory are purely ephemeral; there is no value to checking their integrity. And, at least in ossec 1.3, your syscheck may stall trying to read those files.

The symptom is a syscheck database on the server that never grows beyond a file or two per restart of the client. The log monitoring continues to work, so you know it is not a communication issue, and you will often see a slight increase in the syscheck database file size some time after the client has restarted (in one case about 20 minutes after). But the database will never be completely built; there will only be a couple of files listed in the database.

The solution is to add an ignore clause to ossec.conf on the client:

<ignore>/var/named/chroot/proc</ignore>

There may be similar issues with other software running in chroot jails.
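Added example (not from the OSSEC wiki or the OSSEC project): a small POSIX shell helper that reads a /proc/mounts-style table and prints an <ignore> clause for every proc, sysfs, devpts or tmpfs mount under a monitored directory, so the same fix can be applied to named's chroot and to any other chroot jail. The mounts table below is a constructed sample; the mount points /var/named/chroot/dev/pts and /var/lib/vz/chroot/tmp are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the OSSEC wiki page or the OSSEC project.
# Print an <ignore> clause for each ephemeral pseudo-filesystem mounted
# beneath a directory that syscheck is told to monitor.

# Constructed sample of /proc/mounts for a Fedora host running named in a
# chroot (assumption; the devpts and tmpfs entries are made up for the demo).
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
sysfs /sys sysfs rw 0 0
/dev/sda2 /var ext3 rw 0 0
proc /var/named/chroot/proc proc rw 0 0
devpts /var/named/chroot/dev/pts devpts rw 0 0
/dev/sdb1 /var/named/chroot/var/named ext3 rw 0 0
tmpfs /var/lib/vz/chroot/tmp tmpfs rw 0 0'

# ignore_clauses <monitored-dir> <mounts-table-text>
# Field 2 of /proc/mounts is the mount point, field 3 the filesystem type.
# Only mount points strictly below <monitored-dir> are reported; a real
# block device such as /var/named/chroot/var/named is left alone.
ignore_clauses() {
    printf '%s\n' "$2" | awk -v dir="$1" '
        BEGIN { sub(/\/+$/, "", dir) }           # tolerate a trailing slash
        $3 ~ /^(proc|sysfs|devpts|tmpfs|devtmpfs)$/ && index($2, dir "/") == 1 {
            printf "<ignore>%s</ignore>\n", $2
        }'
}

# Demo run against the constructed table; prints the clause for
# /var/named/chroot/proc (the case on this page) and the assumed devpts mount.
ignore_clauses /var/named "$SAMPLE_MOUNTS"
```

On a live client, run ignore_clauses /var/named "$(cat /proc/mounts)" and paste the output into the syscheck section of the client's ossec.conf next to the directories entry; repeat the check whenever the chroot layout changes, because the only symptom of a stalled scan is a server-side syscheck database that stops growing.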
