Good morning,

You seem to have posted this question twice, so I will just answer this one. I have this running on all my systems and it easily works without an issue. You have to make sure the right packages are installed for Realtime. Hidden files do not bother OSSEC - a hidden file is simply a file named with a leading "." dot, but that does not alter the fact that it has an inode and a directory entry. Make sure you have the "inotify" package installed. Also, you might want to post your config file. One other issue is that if the file did not exist prior to starting OSSEC and you do not have alerting on new files set up, then you may not see the alerts either.
I use this feature for monitoring in realtime if users put SSH private keys on a public server, rather than their laptop. I have AR set up to remove any private keys immediately upon alert generation.

Cheers
Kat

On Monday, March 20, 2017 at 10:47:15 PM UTC-5, jingxu...@bettercloud.com wrote:
> Recently, we are trying to use OSSEC to monitor files
> ~/.ssh/authorized_key for real time, but it seems it can only detect for
> syscheck, but not real time. I checked the /var/ossec/queue/diff folder, it
> recorded all the changes, but because the .ssh folder is hidden, I cannot
> get real-time alerts from OSSEC manager. Does anyone know how to fix
> this, or has OSSEC ever considered this function before?
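A syscheck setup covering the points raised in the reply above, added here as an example and not taken from either poster's configuration. The user name `alice` and the paths are constructed; the level chosen for rule 554 is an assumption to adjust to local policy.

```xml
<!-- Agent side: /var/ossec/etc/ossec.conf (paths below are constructed) -->
<ossec_config>
  <syscheck>
    <!-- Weak: OSSEC's documentation states that realtime only works with
         directories, not individual files, so an entry that names a single
         file is only picked up by the periodic syscheck scan:
    <directories realtime="yes" check_all="yes">/home/alice/.ssh/authorized_keys</directories>
    -->

    <!-- Corrected: watch the directory itself. The leading dot needs no
         special handling. report_changes keeps the diffs that appear under
         /var/ossec/queue/diff. -->
    <directories realtime="yes" report_changes="yes" check_all="yes">/home/alice/.ssh,/root/.ssh</directories>
  </syscheck>
</ossec_config>

<!-- Manager side: /var/ossec/etc/ossec.conf -->
<ossec_config>
  <syscheck>
    <!-- Off by default. Without it, a file that did not exist when OSSEC
         started produces no "new file" event. -->
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</ossec_config>

<!-- Manager side: /var/ossec/rules/local_rules.xml
     The stock rule 554 ("File added to the system.") ships at level 0, so
     it is never alerted on. Overwrite it with a level above the alert
     threshold (7 here is an assumed value). -->
<group name="syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
```

Restart OSSEC on the agent and the manager after editing these files. Realtime monitoring also requires that the agent was built with inotify support.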