It works for me. Not very helpful, I know. I think the file has to be in the syscheck database (it had to have been there for a full scan) before realtime will work with it.
On Sun, Apr 3, 2011 at 12:07 PM, Lalbee99 <[email protected]> wrote:
> I have configured the OSSEC server (2.5.1) on a RHEL kernel:
> 2.6.18-128.2.1.el5xen. I have also configured another RHEL at the same
> kernel level to be a client. When I start the client everything seems
> to work except the realtime monitoring functionality. I can see in the
> client logs the following startup messages pertaining to realtime. The
> messages would lead you to believe everything is correct.
>
> 2011/04/03 11:17:54 ossec-syscheckd: INFO: Directory set for real time monitoring: '/home'.
> 2011/04/03 11:33:06 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
> 2011/04/03 11:34:13 ossec-syscheckd: INFO: Starting real time file monitoring.
>
> When I use lsof I can see that ossec did spawn an inotify process on
> the system:
> udevd      433   root  7r  DIR  0,10  0  362  inotify
> gam_serve  5284  root  3r  DIR  0,10  0  362  inotify
> ossec-sys  27339 root  7r  DIR  0,10  0  362  inotify
>
> When I add, modify or even delete a file on the client I do not get any
> notification. If I run a syscheck the modifications are reported. I
> further tested the inotify functionality by following this link:
> http://www.ibm.com/developerworks/linux/library/l-ubuntu-inotify/index.html
> I compiled the watcher program in this page and ran the executable.
> When I made any kind of edit in /home the watcher program immediately
> picked up on it and notified. It seems to me that there may be a bug in
> the ossec code for the inotify functionality. This seems to be the
> only thing I can't seem to get working on the Linux hosts, any help
> would be appreciated.
>
> -Leo
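The reply's diagnosis is that realtime alerts only fire for paths the syscheck database already knows from a full scan, so raw inotify events (which Leo's standalone watcher showed arriving fine) are not enough on their own. The following is an added illustration written for this thread, not OSSEC code: it models that rule with a constructed baseline standing in for the syscheck database and a constructed buffer of inotify_event records laid out as read() on an inotify descriptor would return them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/inotify.h>

/* Constructed stand-in for the syscheck database: paths recorded by a full scan. */
#define MAX_BASELINE 64
static const char *baseline[MAX_BASELINE];
static int baseline_len;
void baseline_add(const char *path) {
    if (baseline_len < MAX_BASELINE) baseline[baseline_len++] = path;
}

int in_baseline(const char *path) {
    for (int i = 0; i < baseline_len; i++)
        if (strcmp(baseline[i], path) == 0) return 1;
    return 0;
}

/* Append one inotify_event record to buf in the layout read() on an inotify fd
 * produces (header, NUL-terminated name padded to 4 bytes); returns bytes written. */
size_t make_event(char *buf, size_t cap, uint32_t mask, const char *name) {
    struct inotify_event hdr = { .wd = 1, .mask = mask, .cookie = 0 };
    hdr.len = (uint32_t)((strlen(name) + 1 + 3) & ~(size_t)3);
    size_t total = sizeof hdr + hdr.len;
    if (total > cap) return 0;
    memcpy(buf, &hdr, sizeof hdr);
    memset(buf + sizeof hdr, 0, hdr.len);
    memcpy(buf + sizeof hdr, name, strlen(name));
    return total;
}

/* Walk inotify_event records for the watch on dir, alerting only on paths already in
 * the baseline. Returns the alert count; *skipped counts events on unknown paths. */
int process_events(const char *dir, const char *buf, size_t len, int *skipped) {
    int alerted = 0;
    *skipped = 0;
    for (size_t off = 0; off + sizeof(struct inotify_event) <= len;) {
        struct inotify_event hdr;
        memcpy(&hdr, buf + off, sizeof hdr);   /* copy out: avoids unaligned access */
        char path[512];
        if (hdr.len > 0)
            snprintf(path, sizeof path, "%s/%s", dir, buf + off + sizeof hdr);
        else
            snprintf(path, sizeof path, "%s", dir);   /* event on the directory itself */
        if (in_baseline(path)) { printf("ALERT %s mask=0x%x\n", path, hdr.mask); alerted++; }
        else { printf("skip %s (not in baseline until next full scan)\n", path); (*skipped)++; }
        off += sizeof hdr + hdr.len;
    }
    return alerted;
}
```

A file created after the last full scan is skipped by this rule, which matches the symptom of edits being silent in realtime yet reported by a manual syscheck run.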
