Hi Gagan,

To run in real time, you need to set realtime="yes" in your configuration:
http://www.ossec.net/main/manual/manual-syscheck/realtime-file-integrity-monitoring/

As for knowing who made the change, you need to leverage system-level auditing logs to get this information.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Mon, Mar 22, 2010 at 1:50 AM, Gags <[email protected]> wrote:
> Dear Mailing list
>
> There is a query regarding the integrity monitoring of Ossec. This tool
> gives flawless information regarding the changes in the file
>
> 1) Is there any option to know who has changed the file? (Apart from
> information regularly received)
> 2) Can we view the file change at or almost realtime?
>
> Maybe if we are monitoring only a few files. We have tried the same by
> monitoring only some critical files and running the syscheck daemon
> after every 5 minutes, but in this due course there were issues
> regarding regular logging, like alerts are not triggered unless you
> restart the agent and even then it gets stalled with no errors in log
> on both sides.
>
> Is there some better way to implement the same?
>
> Thanks & Regards
> Gagan
>
> To unsubscribe from this group, send email to
> ossec-list+unsubscribegooglegroups.com or reply to this email with the words
> "REMOVE ME" as the subject.
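The "who made the change" step from the reply above, as an added example that is not part of the original thread and is not OSSEC code: it joins Linux auditd SYSCALL and PATH records by event id to report the login uid and program that touched a monitored file. The auditd watch rule, the `fim-watch` key, the function name `who_changed` and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records in Linux auditd format (not from the thread).
# Assumes a watch such as: auditctl -w /etc/passwd -p wa -k fim-watch
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1269237000.123:4521): arch=c000003e syscall=2 success=yes exit=3 ppid=2210 pid=2245 auid=1001 uid=0 gid=0 euid=0 comm="vim" exe="/usr/bin/vim" key="fim-watch"
type=PATH msg=audit(1269237000.123:4521): item=0 name="/etc/passwd" inode=131090 dev=08:01 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1269237060.456:4530): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=3001 auid=4294967295 uid=0 gid=0 euid=0 comm="cron" exe="/usr/sbin/cron" key="fim-watch"
type=PATH msg=audit(1269237060.456:4530): item=0 name="/etc/crontab" inode=131200 dev=08:01 mode=0100644 ouid=0 ogid=0
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET_AUID = "4294967295"  # (uint32)-1: no login session, e.g. a daemon


def who_changed(log_text, monitored_path):
    """Return who touched monitored_path, joining SYSCALL and PATH records."""
    events = defaultdict(lambda: {"paths": []})
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, stamp, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        event = events[(stamp, serial)]  # records of one event share this id
        if rtype == "SYSCALL":
            event["syscall"] = fields
        elif rtype == "PATH":
            event["paths"].append(fields.get("name"))

    hits = []
    for (stamp, _), event in sorted(events.items()):
        sc = event.get("syscall")
        if not sc or monitored_path not in event["paths"]:
            continue
        if sc.get("success") != "yes":
            continue  # failed attempts did not change the file
        auid = sc.get("auid", UNSET_AUID)
        hits.append({
            "time": float(stamp),
            "login_uid": None if auid == UNSET_AUID else int(auid),
            "uid": int(sc["uid"]),
            "exe": sc.get("exe"),
        })
    return hits
```

The `login_uid` (auditd's `auid`) stays fixed across `su` and `sudo`, so it identifies the account that logged in even when the effective `uid` is 0; match the returned `time` against the timestamp of the syscheck alert for the same file.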
