Is the alert on new files option set on the server? You can set it with: <alert_new_files>yes</alert_new_files> in the syscheck section.
How did you check to see that the change is not picked up? Did the file get an entry in the syscheck db (check with /var/ossec/bin/syscheck_control -i <AGENT_ID> | grep FILENAME)? If so, modify the file and see if an alert is created, and how long it takes to receive the alert.

Dan

On Fri, Oct 9, 2009 at 6:57 AM, [email protected] <[email protected]> wrote:
>
> Hello there, I'm testing the realtime monitoring on a windows box, but
> can't get it to work, I added realtime=”yes” to the client's agent
> config, but when I create files inside the monitored directory, the
> change is not picked up.
> I have tried restarting ossec on the server, restarting the client and
> also running syscheck_control.
> FYI, syscheckd never mentions "real time" in the log.
>
> The server is CentOS 5.3 running OSSEC 2.2.
> The client is WindowsXP running the agent snapshot you linked to.
>
> Thank you.
>
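
The two settings discussed in this thread can be linted before restarting anything. The script below is an added example, not part of either message or of OSSEC itself: it checks an ossec.conf for `<alert_new_files>yes</alert_new_files>` and for a well-formed `realtime="yes"` attribute, and flags `realtime` values opened by typographic quotes, which are not valid XML attribute delimiters. The function names and the sample file are constructed, and the sample puts the server-side and agent-side settings in one file for brevity.

```shell
#!/bin/sh
# Added example (not from the thread): lint an ossec.conf for the two syscheck
# settings discussed above. Function names and sample contents are constructed.

# Succeeds if new-file alerting is enabled (the server-side setting).
has_alert_new_files() {
    grep -Eq '<alert_new_files>[[:space:]]*yes[[:space:]]*</alert_new_files>' "$1"
}

# Prints <directories> entries that carry a well-formed realtime="yes".
realtime_dirs() {
    grep -E '<directories[^>]*[[:space:]]realtime="yes"' "$1"
}

# Prints <directories> entries whose realtime value is not opened by an ASCII
# quote, e.g. typographic quotes pasted from a mail client or word processor.
bad_realtime_attrs() {
    grep -E "<directories[^>]*realtime=[^\"']" "$1"
}

# Summarise one config file; returns non-zero if anything needs attention.
lint_syscheck() {
    rc=0
    has_alert_new_files "$1" || { echo "alert_new_files is not set to yes"; rc=1; }
    realtime_dirs "$1" >/dev/null || { echo "no directory has realtime=\"yes\""; rc=1; }
    if bad_realtime_attrs "$1" >/dev/null; then
        echo "realtime attribute with non-ASCII or missing quotes:"
        bad_realtime_attrs "$1"
        rc=1
    fi
    return $rc
}

# Constructed sample: the second entry uses curly quotes and will be flagged.
sample=$(mktemp)
cat >"$sample" <<'EOF'
<syscheck>
  <alert_new_files>yes</alert_new_files>
  <directories realtime="yes" check_all="yes">C:\monitored</directories>
  <directories realtime=”yes” check_all="yes">C:\other</directories>
</syscheck>
EOF
lint_syscheck "$sample" || echo "config needs attention"
rm -f "$sample"
```

Run `lint_syscheck` against the server's ossec.conf for the first check and against the agent's copy for the other two.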
