Syscheck ignores files that have changed more than 3 times. If you want syscheck to constantly monitor a file even if it's changed more than 3 times, set <auto_ignore> to false.
On Wed, Jul 20, 2011 at 12:51 AM, Marcelo de Miranda Barbosa <[email protected]> wrote:
> Hello dcid,
>
> I think that I found a bug.
>
> I am using OSSEC 2.6 in two Linux servers, a server and an agent... with
> Debian squeeze.
>
> My question or possible bug is with inotify and syscheck. When I change
> more than three times a file that is monitored with realtime (inotify) the
> fourth time does not work before.
>
> Example:
>
> I change file /root/tst.txt three times and I see the changes with
> syscheck_control -i ID. A fourth time I don't see more.
>
> Thank You.
>
> Marcelo
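
An added example, not part of the original thread or of OSSEC itself: a small audit that lists paths monitored in real time while auto-ignore is still in effect, which is the situation described above. It assumes the option is written in the `<syscheck>` section of the manager's ossec.conf with the values yes/no, that it defaults to yes when absent, and that the last occurrence wins; the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONF = """
<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <directories realtime="yes" check_all="yes">/root,/etc</directories>
    <directories check_all="yes">/usr/bin</directories>
  </syscheck>
</ossec_config>
"""

def parse_conf(conf_text):
    # ossec.conf may contain several <ossec_config> roots; wrap them so the
    # text parses as a single XML document.
    return ET.fromstring("<wrap>" + conf_text + "</wrap>")

def auto_ignore_active(root):
    # Assumption: values are yes/no, default yes, last occurrence wins.
    values = [(e.text or "").strip().lower() for e in root.iter("auto_ignore")]
    return (values[-1] if values else "yes") != "no"

def realtime_paths(root):
    # Collect every path listed in a <directories realtime="yes"> entry.
    paths = []
    for entry in root.iter("directories"):
        if entry.get("realtime", "no").strip().lower() != "yes":
            continue
        paths += [p.strip() for p in (entry.text or "").split(",") if p.strip()]
    return paths

def blind_spots(conf_text):
    """Realtime paths whose alerts stop once a file has changed repeatedly."""
    root = parse_conf(conf_text)
    return realtime_paths(root) if auto_ignore_active(root) else []

if __name__ == "__main__":
    for path in blind_spots(SAMPLE_CONF):
        print("auto_ignore still active for realtime path:", path)
```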
