Check the ossec.log file on that agent to see if there are any messages about why these files aren't being copied. Take a look at permissions in the source and target directories. Make sure something like SELinux isn't blocking the copy.
On Fri, Sep 2, 2011 at 10:04 AM, Richard Knight <[email protected]> wrote: > Nope not using a symlink for that directory its a direct path to the > httpd conf dir it it does enable realtime monitoring on that directory > and will report hash changes via email it just wont cache it into the > diff dir and list changes within the file that changed. > > On Sep 1, 5:06 pm, Daniel Cid <[email protected]> wrote: >> Can you check if this directory is a link? I remember it was failing >> due to symlinks before (use the original >> directory).. >> >> Thanks, >> >> >> >> >> >> >> >> On Thu, Sep 1, 2011 at 9:55 AM, Richard Knight <[email protected]> wrote: >> > I am trying to expand my live file monitoring to my apache server and >> > the related www content, and while it will cache the files in /usr/ >> > local/www into /var/ossec/queue/diff it will not cache the httpd/conf >> > dir, what makes this odd is that it correctly enabled realtime >> > monitoring of the directory and reports hash changes but will not >> > cache text config files. >> >> > <directories realtime="yes" report_changes="yes" check_all="yes">/usr/ >> > local/httpd/conf,/usr/local/www</directories> >> >> > Does anyone know if there is any sort of pre-check or requirement >> > before ossec will cache the contents of a file?
