The way I understand it: ossec-syscheckd subscribes to a file via inotify (on Linux) or whatever Windows uses. The file is modified. The kernel notifies ossec-syscheckd that the file has changed. ossec-syscheckd gathers information about the file and sends it to the next step (the manager, if this is an agent).
On Wed, Jul 20, 2011 at 1:02 AM, hugo <[email protected]> wrote:
> Hi,
>
> I would like to learn more about how OSSEC implement the real time
> monitoring.
>
> Like many FIM, for the period checking, OSSEC will first build a
> signature database on certain directories and files and then retrieve
> the information of them periodically and compare to the initial
> signature. So in essence, period checking is a lot of IO operations.
>
> But I don't quite follow how the real time monitoring is implemented.
> Does OSSEC store the information of initial file system signature into
> memory and then OSSEC intercept each OS operations made on the file
> system device driver to trigger to comparison? If the answer is yes,
> then does real time monitoring will cost lot of system resources?
>
> Best,
>
> Hugo
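The two modes discussed in the thread, as an added illustration that is not OSSEC's code: a periodic pass walks the whole tree and hashes every file (the IO-heavy case), while the real-time path receives a notification naming one file and re-hashes only that file against the baseline held in memory. The kernel notification itself (inotify on Linux) is simulated here by calling `on_change_event` directly; the file names, contents and the `FileState` record are constructed for the example.

```python
"""Baseline-and-compare file integrity check in periodic and event-driven form.

Added example, not OSSEC code. Models the mechanism described in the thread:
build a signature database once, then on a per-file change notification
re-check only the named file instead of re-reading the whole tree.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class FileState:
    """Attributes recorded per monitored file (constructed subset)."""
    sha256: str
    size: int
    mode: int


def snapshot(path: str) -> FileState:
    """Read one file and record its hash, size and permission bits."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return FileState(h.hexdigest(), st.st_size, st.st_mode & 0o7777)


def build_baseline(root: str) -> dict:
    """Periodic mode: walk the whole tree and hash every regular file."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p):
                baseline[p] = snapshot(p)
    return baseline


def on_change_event(baseline: dict, path: str):
    """Real-time mode: handle a notification for a single path.

    Stands in for the inotify callback. Returns None when the stored state
    still matches, otherwise (old, new); old is None for a created file and
    new is None for a deleted one. Only the named file is read.
    """
    old = baseline.get(path)
    if not os.path.exists(path):
        if old is None:
            return None
        del baseline[path]
        return (old, None)
    new = snapshot(path)
    if old == new:
        return None
    baseline[path] = new
    return (old, new)


def demo() -> dict:
    """Constructed scenario: baseline two files, then modify, create, delete."""
    root = tempfile.mkdtemp()
    try:
        a = os.path.join(root, "passwd")
        b = os.path.join(root, "hosts")
        with open(a, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(b, "w") as f:
            f.write("127.0.0.1 localhost\n")
        baseline = build_baseline(root)
        initial_count = len(baseline)

        with open(a, "a") as f:  # constructed modification
            f.write("user1:x:1001:1001::/home/user1:/bin/sh\n")
        modified = on_change_event(baseline, a)
        untouched = on_change_event(baseline, b)

        c = os.path.join(root, "motd")  # constructed creation
        with open(c, "w") as f:
            f.write("welcome\n")
        created = on_change_event(baseline, c)

        os.remove(b)  # constructed deletion
        deleted = on_change_event(baseline, b)

        return {
            "initial_count": initial_count,
            "modified": modified,
            "untouched": untouched,
            "created": created,
            "deleted": deleted,
            "final_count": len(baseline),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The `untouched` case is the point of the real-time path: a notification for a file whose contents have not actually changed costs one file read, not a full tree walk, and produces no alert because the recorded state still matches.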
