Thank you for the reply. I have been testing this and am finding that only files in the listed directory are seen right away. Files in subfolders do not appear to be affected. For realtime to work, do you need to list each directory separately? I also have the check_all="yes".
In my config, I have:

<directory check_all="yes" realtime="yes">/test</directory>

The file /test/file1.txt is properly detected when it is changed. The file /test/subfolder/file2.txt is not. It appears as though the realtime directive isn't recursive. Is this correct or am I doing something wrong?

This is a fresh install of OSSEC 2.1.1 on CentOS 5.3 32-bit.

Thank you.

Kirk Frankovich
Systems Administrator

847.427.5223 - Direct
847.489.4717 - Cell
[email protected]

Fort Dearborn Company
1530 Morse Ave
Elk Grove Village, IL 60007

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of ddp
Sent: Monday, July 06, 2009 10:03 AM
To: [email protected]
Subject: [ossec-list] Re: OSSEC v2.1 released

In ossec.conf modify the syscheck directory entries to add realtime capabilities. Add realtime="yes" to the entries you want to be monitored in realtime, like so:

<directory check_all="yes" realtime="yes">/bin,/etc</directory>

On Mon, Jul 6, 2009 at 10:47 AM, Kirk Frankovich<[email protected]> wrote:
>
> Is there a document on using the real-time integrity checking? I cannot
> find how to enable it.
>
> Thank you very much.
>
> Kirk Frankovich
> Systems Administrator
>
> 847.427.5223 - Direct
> 847.489.4717 - Cell
> [email protected]
>
> Fort Dearborn Company
> 1530 Morse Ave
> Elk Grove Village, IL 60007
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Daniel Cid
> Sent: Tuesday, June 30, 2009 7:38 AM
> To: [email protected]; [email protected]
> Subject: [ossec-list] OSSEC v2.1 released
>
>
> Hi list,
>
> We are happy to announce that OSSEC version 2.1 is available now.
>
> This new version is the first one with support for centralized
> configurations and realtime integrity monitoring on Linux.
> It also includes many other features and bug fixes:
>
> * Centralized configuration - The agent.conf file was introduced
> to allow granular configuration of the agents directly on the manager
> side.
> * Remote agent restart - Functionality was added to restart the
> agents remotely using the agent_control tool.
> * Real time integrity checking - Real time integrity checking was
> added to Linux systems.
> * New Log Rules Support - We added support for Windows DHCP logs
> and fixed/improved many of the other rules for different messages.
>
> Source:
> http://www.ossec.net/main/ossec-v21-released
>
> Download from here:
> http://www.ossec.net/main/downloads
>
>
> Full changelog (If I forgot someone, please let me know and I will
> update it asap):
> http://www.ossec.net/announcements/v2.1-2009-06-30.txt
>
> -Added additional rules to detect the enumeration of extensions
> (Patch by Chris Bailes <chris at paeenterprises.co.uk>).
>
> -Added support for glob (regular expressions) when specifying the
> directories to check on syscheck.
>
> -Added support for syslog-ng ISODATE (conforming to ISO-8601) date
> formats in the syslog header.
>
> -Added support for rsyslog non-standard date format (RFC 5425).
>
> -Added the log testing tool to the default build (now available at
> /var/ossec/bin/ossec-logtest ).
>
> -Added agentless script for Foundry switches
> (Thanks to Matt <mgoldsberry at gmail.com> for the help).
>
> -Added support for real time integrity checking.
>
> -Added support for sending OSSEC alerts to twitter via active response.
>
> -Added support for Windows DHCP logs
> (Thanks to [email protected] for the help).
>
> -Adding changes to support ASA/FWSM on the agentless monitoring
> (Thanks to Michael Starks for the patch)
>
> -Added option to restart an ossec agent remotely.
>
> -Added agent config on the manager side.
>
> -Added the ability to fully build a Windows ossec agent directly from
> the (Linux) server.
>
> -Fixed rootcheck to not monitor read-only file systems during the
> rc_sys_check
> (Reported by Dennis Golden).
>
> -Fixed Windows policy that was looking for the wrong value to check if
> the firewall was enabled or not
> (Reported by Aaron Bliss).
>
> -Fixed debian rules that were matching on Juniper messages
> (Reported by Reggie Griffin).
>
> -Fixed yum rules that were matching on other events.
>
> -Fixed syscheck_control that was segfaulting on 64 bit systems.
>
> -Fixed mcafee rule that was triggering deleted viruses as uncontained
> (Thanks to Michael Starks for the patch).
>
> -Fixed sshd rule to support new log format
> (Thanks to j.bromley at bristol.ac.uk for the report).
>
> -Fixed ssh_integrity_check_linux agentless script that had some extra
> spaces causing it to hang
> (Thanks to Mark Ibrahim for the report).
>
> -Fixed support for systems without proper syslog hostname (solaris 8/9
> most of the time).
>
> -Added System32 Restore directory to the list of ignore files for
> integrity checking
> (it was causing too many false positives).
>
> -Fixed iptables active-response scripts that were not properly deleting
> all the entries.
>
> -Added agentless devices to the listing tools (agent_control -l,
> syscheck_control -l, etc).
>
> -Fixed bug when reading /dev/fd on FreeBSD that was causing ossec to
> loop.
> (Patch by Danny Fullerton - dfullerton at mantor.org )
>
> -Fixed file descriptor leak on execd.
> (Patch by Slava Semushin - php-coder at altlinux.org )
>
> -Fixed bug where descriptions with new lines would break the alert file.
> (Reported by Bill Mathews <billford at gmail.com>)
>
> -Fixed init scripts for Darwin.
> (patch by Peter <peter.wolanin at acquia.com>)
>
> -Added support for strftime on globbed files.
>
> -Added the option to decrease syscheck sleep time to 0 (and run as
> fast as possible).
> (thanks to Michael Altfield <michael.sa at gmail.com> for the
> suggestion)
>
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> --
> This message was scanned by ESVA and is believed to be clean.
>
>
> --
> Confidentiality Notice: This e-mail, including attachments, may include
> confidential and/or proprietary information, and may be used only by the
> person or entity to which it is addressed. If the reader of this e-mail is
> not the intended recipient or his or her authorized agent, the reader is
> hereby notified that any dissemination, distribution, copying or taking any
> action in reliance upon this information is prohibited. If you have received
> this e-mail in error, please notify the sender by replying to this message
> and delete this e-mail immediately.
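The test in this thread hinges on which files sit directly in a listed syscheck directory and which only live in a subfolder of one. The Python below is an added example, not code from the thread or from OSSEC: it parses directory entries like the ones quoted above out of a constructed ossec.conf fragment and classifies sample paths, so an administrator can see at a glance which files depend on realtime monitoring recursing. It accepts both the `<directory>` spelling written in the thread and the `<directories>` spelling used in the shipped ossec.conf.

```python
import re
from posixpath import dirname, normpath

# Constructed sample ossec.conf fragment (not from the thread), modelled on
# the entries quoted there: /test in realtime, /bin and /etc scheduled only.
SAMPLE_CONF = """
<syscheck>
  <directories check_all="yes" realtime="yes">/test</directories>
  <directories check_all="yes">/bin,/etc</directories>
</syscheck>
"""

# Matches <directory ...>paths</directory> and <directories ...>paths</directories>
ENTRY_RE = re.compile(
    r'<director(?:y|ies)\b([^>]*)>([^<]+)</director(?:y|ies)>', re.IGNORECASE)


def parse_syscheck_dirs(conf_text):
    """Return [(directory, realtime_flag), ...] for every syscheck entry.
    Comma-separated paths in one element (e.g. "/bin,/etc") are split."""
    entries = []
    for attrs, paths in ENTRY_RE.findall(conf_text):
        realtime = re.search(r'realtime\s*=\s*"yes"', attrs, re.I) is not None
        for p in paths.split(','):
            p = p.strip()
            if p:
                entries.append((normpath(p), realtime))
    return entries


def classify(path, entries):
    """Classify a file against the monitored directories.
    Returns (kind, directory, realtime) where kind is
      'direct'      - the file's parent directory is itself listed,
      'subfolder'   - the file is only somewhere under a listed directory,
      'unmonitored' - no listed directory contains the file.
    The deepest (most specific) matching entry wins."""
    path = normpath(path)
    best = None
    for d, realtime in entries:
        if path == d or path.startswith(d.rstrip('/') + '/'):
            if best is None or len(d) > len(best[0]):
                best = (d, realtime)
    if best is None:
        return ('unmonitored', None, False)
    d, realtime = best
    return ('direct' if dirname(path) == d else 'subfolder', d, realtime)


def report(paths, conf_text=SAMPLE_CONF):
    """Map each path to its (kind, directory, realtime) classification."""
    entries = parse_syscheck_dirs(conf_text)
    return {p: classify(p, entries) for p in paths}
```

Files reported as 'subfolder' under a realtime entry are exactly the ones to change and watch for alerts when checking whether realtime on a given build covers subdirectories.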
