[ossec-list] Real time monitoring hidden files or hidden folder
Recently we have been trying to use OSSEC to monitor ~/.ssh/authorized_key in real time. But it seems it only works for the periodic system integrity check, not in real time. I checked the /var/ossec/queue/diff folder; it recorded all the changes under that folder, but since .ssh is a hidden folder, I cannot get real-time file change alerts from the OSSEC manager. Does anyone know how to fix this?

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[ossec-list] OSSEC real-time monitoring with hidden files
Recently we have been trying to use OSSEC to monitor the file ~/.ssh/authorized_key in real time, but it seems it can only detect changes via syscheck, not in real time. I checked the /var/ossec/queue/diff folder; it recorded all the changes, but because the .ssh folder is hidden I cannot get real-time alerts from the OSSEC manager. Does anyone know how to fix this, or has OSSEC ever considered this function before?
[ossec-list] Re: new files do not create an alert at all
Yes, I noticed the difference: adding a new file entry will not be real-time. But what if I restart the agent and manager; will it rescan and then generate that event right after I restart everything? Also, my issue is that I waited for the interval, but I still could not get a log event even when I create some new files and directories. My last question is about that rule: the decoder name is syscheck_new_entry, but where is the decoder file? I cannot find this decoder in the decoders folder. Thank you.

On Friday, April 1, 2016 at 6:49:42 AM UTC-4, Jesus Linares wrote:
> Check out this blog:
> http://perezbox.com/2013/07/ossec-detecting-new-files-understanding-how-it-works/
>
> Pay attention to the part: "REAL TIME VS ALERT ON NEW".
>
> Regards,
> Jesus Linares.
>
> On Thursday, March 31, 2016 at 9:08:37 PM UTC+2, jingxu...@bettercloud.com wrote:
>> I followed the instructions on how to set up an alert for adding a new file, as follows:
>>
>> ossec syscheck_new_entry File added to the system. syscheck,
>>
>> and
>>
>> 7200 yes /etc,/bin,/sbin
>>
>> But it never works. I cannot get alerts even if I restart the agent and manager. Could anyone help me with this? Thanks
[ossec-list] new files do not create an alert at all
I followed the instructions on how to set up an alert for adding a new file, as follows:

ossec syscheck_new_entry File added to the system. syscheck,

and

7200 yes /etc,/bin,/sbin

But it never works. I cannot get alerts even if I restart the agent and manager. Could anyone help me with this? Thanks
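For reference, the two configuration pieces these posts are wiring together, written out as an added example (not from the thread, the referenced blog, or the OSSEC project): a syscheck section that watches an explicit, absolute .ssh path in real time alongside the periodic new-file scan, and a local_rules.xml overwrite of the stock new-file rule. OSSEC takes directory paths literally and does not expand "~"; /home/deploy is a constructed placeholder, and level 7 is an illustrative choice.

```xml
<!-- /var/ossec/etc/ossec.conf (agent side): syscheck section -->
<ossec_config>
  <syscheck>
    <!-- Scheduled scan interval in seconds. New-file detection
         (alert_new_files) is tied to this scheduled scan, not to
         realtime events, as the referenced blog explains. -->
    <frequency>7200</frequency>
    <alert_new_files>yes</alert_new_files>

    <!-- Use an absolute path: OSSEC does not expand "~".
         /home/deploy is a constructed placeholder. realtime="yes" adds an
         inotify watch on Linux (a leading dot in the directory name is not
         special to inotify), so modifications are reported immediately;
         report_changes="yes" keeps a copy under queue/diff for the diff. -->
    <directories check_all="yes" realtime="yes" report_changes="yes">/home/deploy/.ssh</directories>

    <!-- Periodic-only coverage for the system directories from the thread -->
    <directories check_all="yes">/etc,/bin,/sbin</directories>
  </syscheck>
</ossec_config>

<!-- /var/ossec/rules/local_rules.xml (manager side). The stock rule 554
     ("File added to the system.") ships at level 0 and therefore never
     alerts until it is overwritten with a higher level. The decoder it
     references, syscheck_new_entry, is built into ossec-analysisd and is
     not defined in etc/decoder.xml, which is why it cannot be found there. -->
<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
```

After restarting the agent and manager, a file created in /home/deploy/.ssh should produce the rule 554 alert on the next scheduled scan, while edits to an already-indexed file there should alert in real time.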