Hi Daniel, Hi List

Thanks a lot for your fast answer! Please don't get me wrong, OSSEC is really fantastic software. Every open source developer has my greatest respect. I just want to discuss some points which are not clear to me. You know, the best ideas often come out from discussions :-)

In my opinion, the last modified time (ls -l) of a file is a (more or less) reliable source. This is what I want to see: when did the file change. The last access time (ls -lu) is not important, because it is changed by every backup, auditing, ... tool. What's the opinion of the community? For me it would be great to have the real mtime of the files in OSSEC.

Example: We have a software update at 18:00. OSSEC runs at 20:00, once a day. I have to create a local rule for avoiding getting all the syscheck messages from the update. The time in this local rule has to be 20:00 - ~21:00. This means I lose ALL information for the whole day about which files are changed. If I could use the real mtime, I could create a local rule for 18:00 - ~18:30, losing only the syscheck information for this period.

And another point: I set <scan-time> to 02:00 last evening, uncommented <frequency>, restarted OSSEC... The scan was from 18:50 to 20:50 (slow machine, a lot of files...), not at 2:00. I don't get it.

Thanks a lot and sorry about my bad English...

Regards, Matthias
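The distinction the post draws (mtime reflects a content change, atime is noise from backup and audit reads) and the 18:00-18:30 rule window it proposes, as an added example that is not part of the mailing-list post and not OSSEC's own code. The file name `app.conf`, the 18:10 update time, the 20:00 scan time and the window bounds are constructed values for illustration; the check classifies a change from mtime and size only and then tests whether a timestamp falls inside a known update window.

```python
import os
import tempfile
import time
from datetime import datetime, time as dtime


def snapshot(path):
    """Record the stat fields an integrity checker would keep for `path`."""
    st = os.stat(path)
    return {"mtime": st.st_mtime, "atime": st.st_atime, "size": st.st_size}


def content_changed(before, after):
    """Decide 'did the file change' from mtime and size only.
    atime is deliberately ignored: every backup, virus scan or audit read moves it."""
    return before["mtime"] != after["mtime"] or before["size"] != after["size"]


def in_maintenance_window(ts, start, end):
    """True if the wall-clock time of `ts` (epoch seconds) falls inside the
    window [start, end], i.e. the change belongs to a known software update."""
    t = datetime.fromtimestamp(ts).time()
    return start <= t <= end


def demo():
    """Constructed scenario: a monitored file is read by a backup tool, then
    edited; afterwards a change is classified against an 18:00-18:30 update
    window using the real mtime versus the 20:00 scan time."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app.conf")  # hypothetical monitored file
        with open(path, "w") as fh:
            fh.write("setting=1\n")
        baseline = snapshot(path)

        # Simulated backup/audit read: bump atime by an hour, keep mtime.
        os.utime(path, (baseline["atime"] + 3600, baseline["mtime"]))
        flagged_after_read = content_changed(baseline, snapshot(path))

        # A real modification: content grows and mtime moves.
        time.sleep(0.05)
        with open(path, "a") as fh:
            fh.write("setting=2\n")
        flagged_after_edit = content_changed(baseline, snapshot(path))

    # Hypothetical timestamps: update installed at 18:10, scan runs at 20:00.
    update_mtime = datetime(2024, 1, 15, 18, 10).timestamp()
    scan_time = datetime(2024, 1, 15, 20, 0).timestamp()
    window = (dtime(18, 0), dtime(18, 30))
    return {
        "flagged_after_read": flagged_after_read,
        "flagged_after_edit": flagged_after_edit,
        "mtime_in_window": in_maintenance_window(update_mtime, *window),
        "scan_time_in_window": in_maintenance_window(scan_time, *window),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last two results are the point of the post: with the file's real mtime the change lands inside the 30-minute update window and can be suppressed precisely, whereas the scan time (20:00) does not, which is why a rule keyed on scan time has to cover a much wider period.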
