I am using OSSEC 2.6 on Centos 5. I have a OSSEC server managing 6 servers with OSSEC agaent. I have added a dir to the syscheck for the file integrity check like below.
<directories check_all="yes">/users/home/john/app</directories> I saw the ossec made a copy of the files inside the dir /users/home/ john/app in the /var/ossec/queue/diff. I think this is used for the diff check and showing the difference for text files. If I don't need the diff check function and don't want the ossec to tell me what have changed in the text file, how can I disable the files copy? Thanks
