Recently, we have been trying to use OSSEC to monitor ~/.ssh/authorized_keys in real time. But it seems it only works for the periodic system integrity check (syscheck), not in real time. I checked the /var/ossec/queue/diff folder; it recorded all the changes under that folder, but because the .ssh folder is hidden, I can not get real-time
Yes, I noticed the difference: adding a new file entry will not be real-time. But what if I restart the agent and manager? Will it rescan and then generate that event right after I restart everything?
And also, my issue is that I waited for the interval; however, I still was not able to get a log
I followed the instructions on how to set up an alert for adding a new file, as follows:
    ossec
    syscheck_new_entry
    File added to the system.
    syscheck,
and
    7200
    yes
    /etc,/bin,/sbin
But it never works. I can not get alerts even if I restart the agent and manager.
Could anyone help me?
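An added example, not from this thread or from the OSSEC project's own documentation, of the ossec.conf syscheck block one would use to watch a user's authorized_keys directory with real-time checks and new-file alerts. It assumes OSSEC's documented realtime and check_all attributes on the directories element and the alert_new_files option; /home/USERNAME is a placeholder for the actual home directory, and the frequency and directory list are the values quoted in the message above.

```xml
<ossec_config>
  <syscheck>
    <!-- Interval in seconds between full scans (the value from the message above) -->
    <frequency>7200</frequency>

    <!-- Raise a syscheck_new_entry alert when a new file appears in a watched directory -->
    <alert_new_files>yes</alert_new_files>

    <!-- Directories from the message above, checked on each scheduled scan -->
    <directories check_all="yes">/etc,/bin,/sbin</directories>

    <!-- Per-user .ssh directory watched in real time (inotify on Linux).
         /home/USERNAME is a placeholder: syscheck takes paths literally,
         so ~ is not expanded and each user's directory must be listed. -->
    <directories realtime="yes" check_all="yes">/home/USERNAME/.ssh</directories>
  </syscheck>
</ossec_config>
```

The agent must be restarted after editing ossec.conf, and real-time monitoring requires the agent to have been built with inotify support. Real-time events cover modifications to files already in the syscheck database; a file created between scans is still reported only by the next scheduled scan, which is why the frequency value matters even when realtime is enabled. A directory being hidden (dot-prefixed) makes no difference to syscheck; what matters is that the full path is configured.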