Marco C. wrote:
> Hi,
>
> I am checking the realtime feature of OSSEC and I have noticed that
> the system doesn't report in realtime when a file is added (I have
> configured alert_new_files and modified the rule file). The
> notification is generated only when syscheck runs its periodic scan,
> configurable via the interval option.
> Syscheck is notified by the OS using the inotify interface, but it
> looks like the function to generate the alert has not been implemented
> yet. Could you confirm that this behavior is expected? Do you have
> any plans to implement this in the future?
>
> Thank you,
>
> --Marco
I have this problem as well, and I think it's a bug or oversight. I see src/syscheckd/run_realtime.c sets up the inotify system with the following flags:

    #define REALTIME_MONITOR_FLAGS IN_MODIFY|IN_ATTRIB|IN_MOVED_TO|IN_DELETE|IN_MOVED_FROM

But no mention of IN_CREATE, which I think should be added if <alert_new_files> is in effect.

-Alan
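The point Alan raises can be checked directly against the kernel. The program below is an added example, not OSSEC's code: it watches a fresh temporary directory with the flag set quoted from run_realtime.c, creates a file in it, and reports whether inotify delivered an IN_CREATE event; it then repeats the probe with IN_CREATE added to the mask. The `probe_create_event` and `realtime_mask` functions and the `OSSEC_FLAGS_WITH_CREATE` name are constructed for this illustration (Linux only, since inotify is a Linux interface).

```c
/* Added example, not OSSEC code: shows which inotify mask reports file creation. Linux only. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <unistd.h>

/* Flag set as quoted from src/syscheckd/run_realtime.c in the thread. */
#define OSSEC_FLAGS (IN_MODIFY | IN_ATTRIB | IN_MOVED_TO | IN_DELETE | IN_MOVED_FROM)
/* Hypothetical corrected set: the same flags plus IN_CREATE. */
#define OSSEC_FLAGS_WITH_CREATE (OSSEC_FLAGS | IN_CREATE)

/* Hypothetical helper: the mask syscheck would use if IN_CREATE were tied to <alert_new_files>. */
uint32_t realtime_mask(int alert_new_files) {
    return alert_new_files ? OSSEC_FLAGS_WITH_CREATE : OSSEC_FLAGS;
}

/* Watch a temp dir with `mask`, create a file inside it, and wait up to 500 ms for events.
 * Returns 1 if an IN_CREATE event arrived, 0 if nothing about the creation was reported,
 * -1 on a setup error. Cleans up the temp dir and watch before returning. */
int probe_create_event(uint32_t mask) {
    char dir[] = "/tmp/inotify-probe-XXXXXX";
    if (!mkdtemp(dir)) return -1;

    int fd = inotify_init1(IN_NONBLOCK);
    if (fd < 0) { rmdir(dir); return -1; }
    if (inotify_add_watch(fd, dir, mask) < 0) { close(fd); rmdir(dir); return -1; }

    char path[sizeof dir + 16];
    snprintf(path, sizeof path, "%s/newfile", dir);
    int f = open(path, O_CREAT | O_WRONLY | O_EXCL, 0600);  /* create, no write */
    if (f < 0) { close(fd); rmdir(dir); return -1; }
    close(f);

    int seen = 0;
    struct pollfd p = { .fd = fd, .events = POLLIN };
    while (!seen && poll(&p, 1, 500) > 0) {
        char buf[4096] __attribute__((aligned(8)));
        ssize_t n = read(fd, buf, sizeof buf);
        if (n <= 0) break;
        for (char *ptr = buf; ptr < buf + n;) {
            struct inotify_event *ev = (struct inotify_event *)ptr;
            if (ev->mask & IN_CREATE) seen = 1;
            ptr += sizeof(*ev) + ev->len;
        }
    }

    unlink(path);
    close(fd);  /* also removes the watch */
    rmdir(dir);
    return seen;
}

int main(void) {
    printf("OSSEC flags, file created -> IN_CREATE seen: %d\n", probe_create_event(OSSEC_FLAGS));
    printf("OSSEC flags + IN_CREATE    -> IN_CREATE seen: %d\n", probe_create_event(OSSEC_FLAGS_WITH_CREATE));
    return 0;
}
```

With the quoted flag set the poll times out with no event at all, because a bare `open(O_CREAT)` followed by `close` produces neither IN_MODIFY nor IN_ATTRIB; only the mask containing IN_CREATE reports the new file. Note that writing to the new file before closing it would produce IN_MODIFY under either mask, which is why an added file that is never written to is the case that slips through until the periodic scan.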