dnotify support is available for the 2.6.9-78.0.8.ELsmp kernel but not inotify. Can dnotify be used with OSSEC to do real-time alerting for new files?
On Tue, Mar 9, 2010 at 9:19 PM, dan (ddp) wrote:
> Chances are the 2.4 kernel systems do not have the realtime option
> available. inotify was added in 2.6 (maybe 2.6.23 or something).
> I think you'll have to set these options on the server, but I'm not
> positive.
>
> On Tue, Mar 9, 2010 at 7:07 PM, Devendra Agrawal wrote:
> > That was my mistake when posting the issue. I commented it out when it was
> > not working. Do I need to set those parameters on the agent host or the
> > manager host? Do I need to restart both manager and agent? My manager is
> > Red Hat kernel 2.4 but the agent is 2.6.
> >
> > Thanks
> >
> > On Tue, Mar 9, 2010 at 2:53 PM, dan (ddp) wrote:
> >> The "<!--" and "-->" designate anything in between them as commented
> >> out. Remove them and things may work a bit more like you'd expect.
> >>
> >> On Tue, Mar 9, 2010 at 2:26 PM, Devendra Agrawal wrote:
> >> > Hi,
> >> >
> >> > I want to know the syntax for the auto_ignore and alert_new_files
> >> > options. I tried the following and restarted the agent services, but
> >> > it doesn't alert as expected. I also have the realtime check enabled.
> >> >
> >> > <syscheck>
> >> >   <!-- Frequency that syscheck is executed - default to every 22 hours -->
> >> >   <frequency>79200</frequency>
> >> >   <!-- auto_ignore>no</auto_ignore-->
> >> >   <!-- alert_new_files>yes</alert_new_files -->
> >> >   <!-- Directories to check (perform all possible verifications) -->
> >> >   <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> >> >   <directories realtime="yes" check_all="yes">/bin,/sbin</directories>
> >> >
> >> >   <!-- Files/directories to ignore -->
> >> >   <ignore>/etc/mtab</ignore>
> >> >   <ignore>/etc/mnttab</ignore>
> >> >   <ignore>/etc/hosts.deny</ignore>
> >> >   <ignore>/etc/mail/statistics</ignore>
> >> >   <ignore>/etc/random-seed</ignore>
> >> >   <ignore>/etc/adjtime</ignore>
> >> >   <ignore>/etc/httpd/logs</ignore>
> >> >   <ignore>/etc/utmpx</ignore>
> >> >   <ignore>/etc/wtmpx</ignore>
> >> >   <ignore>/etc/cups/certs</ignore>
> >> >   <ignore>/etc/dumpdates</ignore>
> >> >   <ignore>/etc/svc/volatile</ignore>
> >> > </syscheck>
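Editor's note with an added example (not code from the thread, OSSEC, or either poster). The thread has two separate problems: the syscheck options were wrapped in `<!-- -->` and so never parsed, and `realtime="yes"` depends on the agent's kernel exposing inotify. OSSEC's realtime monitor on Linux is built on inotify only; it has no dnotify backend, so an agent whose kernel lacks inotify falls back to the scheduled scan. The script below checks both points: it prefers the runtime `/proc/sys/fs/inotify` test over the version string, because vendor kernels backport features, and it flags (and rewrites) options that were commented out in ossec.conf. The function names, the `report` entry point, and the trimmed sample config are this example's own; the 2.6.13 threshold is the first mainline kernel with inotify.

```shell
#!/bin/sh
# Added example for the OSSEC thread above; hypothetical helper names.
# 1. does this kernel expose inotify (what realtime="yes" needs)?
# 2. did a syscheck option get wrapped in "<!-- ... -->" and silently ignored?

# --- 1. kernel inotify support -------------------------------------------

# Runtime check: the inotify sysctl tree only exists on kernels that have it.
# The /proc root is a parameter so the check can be pointed at a fake tree.
inotify_in_proc() {
    proc_root="${1:-/proc}"
    [ -e "$proc_root/sys/fs/inotify/max_user_watches" ]
}

# Version hint: true (0) when "major.minor.patch" is >= 2.6.13.
# Accepts distro strings such as "2.6.9-78.0.8.ELsmp" or "2.4.21-40.EL".
# Backported kernels can contradict this; trust inotify_in_proc when they disagree.
kernel_version_has_inotify() {
    ver="${1%%-*}"                       # "2.6.9-78.0.8.ELsmp" -> "2.6.9"
    oldifs="$IFS"; IFS=.
    set -- $ver                          # split on dots into $1 $2 $3
    IFS="$oldifs"
    major="${1:-0}"; minor="${2:-0}"; patch="${3:-0}"
    patch="$(printf '%s' "$patch" | tr -cd '0-9')"; patch="${patch:-0}"
    [ "$major" -gt 2 ] && return 0
    [ "$major" -lt 2 ] && return 1
    [ "$minor" -gt 6 ] && return 0
    [ "$minor" -lt 6 ] && return 1
    [ "$patch" -ge 13 ]
}

# --- 2. syscheck options commented out in ossec.conf ----------------------

# Constructed sample: the relevant lines of the <syscheck> block from the thread.
write_sample_conf() {
    cat > "$1" <<'EOF'
<ossec_config>
  <syscheck>
    <frequency>79200</frequency>
    <!-- auto_ignore>no</auto_ignore-->
    <!-- alert_new_files>yes</alert_new_files -->
    <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>
</ossec_config>
EOF
}

# Prints each syscheck option whose tag sits inside "<!--" / "-->".
# Returns 1 when at least one is found, 0 when the file is clean.
find_commented_syscheck_options() {
    conf="$1"; found=0
    for opt in auto_ignore alert_new_files; do
        if grep -Eq "<!--[[:space:]]*${opt}[[:space:]>]" "$conf"; then
            echo "commented out: <${opt}> in ${conf}"
            found=1
        fi
    done
    return "$found"
}

# Turns those lines back into real elements and prints the whole file, e.g.
#   <!-- alert_new_files>yes</alert_new_files -->  ->  <alert_new_files>yes</alert_new_files>
uncomment_syscheck_options() {
    sed -E 's#<!--[[:space:]]*((auto_ignore|alert_new_files)>[^<]*</[a-z_]+)[[:space:]]*-->#<\1>#' "$1"
}

# --- report on the live host: sh thisfile.sh report -----------------------
report() {
    kver="$(uname -r)"
    if inotify_in_proc; then
        echo "kernel $kver: inotify present, realtime=\"yes\" can work"
    elif kernel_version_has_inotify "$kver"; then
        echo "kernel $kver: version suggests inotify but /proc/sys/fs/inotify is missing; check the kernel build"
    else
        echo "kernel $kver: no inotify, syscheck will run scheduled scans only"
    fi
    conf="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"
    if [ -r "$conf" ]; then
        find_commented_syscheck_options "$conf" && echo "no commented-out syscheck options in $conf"
    fi
}

if [ "${1:-}" = "report" ]; then report; fi
```

Two further caveats worth knowing when reading the thread: `<directories realtime="yes">` belongs in the agent's ossec.conf, while `<alert_new_files>` and `<auto_ignore>` are evaluated on the manager (or a local install), and the manager's default rule for "File added to the system" (rule 554) is level 0, so new-file alerts also need that rule's level raised in local_rules.xml before anything appears in alerts.log.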
