I have configured the OSSEC server (2.5.1) on a RHEL kernel: 2.6.18-128.2.1.el5xen. I have also configured another RHEL at the same kernel level to be a client. When I start the client everything seems to work except the realtime monitoring functionality. I can see in the client logs the following startup messages pertaining to realtime. The messages would lead you to believe everything is correct.
    2011/04/03 11:17:54 ossec-syscheckd: INFO: Directory set for real time monitoring: '/home'.
    2011/04/03 11:33:06 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
    2011/04/03 11:34:13 ossec-syscheckd: INFO: Starting real time file monitoring.

When I use lsof I can see that ossec did spawn an inotify process on the system:

    udevd       433 root  7r  DIR  0,10  0  362  inotify
    gam_serve  5284 root  3r  DIR  0,10  0  362  inotify
    ossec-sys 27339 root  7r  DIR  0,10  0  362  inotify

When I add, modify or even delete a file on the client I do not get any notification. If I run a syscheck the modifications are reported.

I further tested the inotify functionality by following this link: http://www.ibm.com/developerworks/linux/library/l-ubuntu-inotify/index.html . I compiled the watcher program in this page and ran the executable. When I made any kind of edit in /home the watcher program immediately picked up on it and notified. It seems to me that there may be a bug in the ossec code for the inotify functionality. This seems to be the only thing I can't seem to get working on the Linux hosts, any help would be appreciated.

-Leo
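A minimal inotify self-test, added here as an example (it is not from Leo's post or from the OSSEC code base), in the spirit of the developerWorks watcher Leo compiled: it watches a scratch directory for the create/modify/delete events that OSSEC real-time syscheck depends on, triggers one of each, and reports which ones the kernel actually delivered, so a silent agent can be told apart from a kernel that never delivers events. The /tmp scratch path and the 200 ms idle timeout are constructed assumptions.

```c
#define _GNU_SOURCE
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/inotify.h>
#include <unistd.h>

/* The events OSSEC's real-time syscheck depends on. */
#define WATCH_MASK (IN_CREATE | IN_MODIFY | IN_DELETE)

/* Read queued inotify events until the fd is idle for timeout_ms; OR masks into *seen. */
static void collect_events(int fd, int timeout_ms, unsigned *seen) {
    _Alignas(struct inotify_event) char buf[4096];
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    while (poll(&pfd, 1, timeout_ms) > 0) {
        ssize_t n = read(fd, buf, sizeof buf);
        if (n <= 0) break;
        for (char *p = buf; p < buf + n; ) {
            struct inotify_event *ev = (struct inotify_event *)p;
            *seen |= ev->mask & WATCH_MASK;
            p += sizeof *ev + ev->len;
        }
    }
}

/* Watch a fresh scratch directory (constructed path under /tmp), perform one
 * create, one write and one delete, and return the WATCH_MASK bits inotify
 * delivered; 0 means the watch could not be set up. Healthy kernel: all three. */
unsigned inotify_self_test(void) {
    char dir[] = "/tmp/inotify-selftest-XXXXXX";
    if (!mkdtemp(dir)) return 0;
    int fd = inotify_init1(IN_NONBLOCK);
    if (fd < 0 || inotify_add_watch(fd, dir, WATCH_MASK) < 0) {
        if (fd >= 0) close(fd);
        rmdir(dir);
        return 0;
    }
    char path[64];
    snprintf(path, sizeof path, "%s/probe", dir);
    FILE *f = fopen(path, "w");                /* O_CREAT   -> IN_CREATE */
    if (f) { fputs("probe\n", f); fclose(f); } /* write(2)  -> IN_MODIFY */
    unlink(path);                              /* unlink(2) -> IN_DELETE */
    unsigned seen = 0;
    collect_events(fd, 200, &seen);
    close(fd);
    rmdir(dir);
    return seen;
}

int main(void) {
    unsigned seen = inotify_self_test();
    printf("create:%d modify:%d delete:%d\n", !!(seen & IN_CREATE),
           !!(seen & IN_MODIFY), !!(seen & IN_DELETE));
    return seen == WATCH_MASK ? 0 : 1;
}
```

If all three events are reported here but OSSEC still stays silent, the problem is in the agent's handling of the events rather than in the kernel's inotify support.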
