Hello,

The default as it is, I believe, will not give you what changed inside the files. The diff is performed on the hash value, so there shouldn't be anything you need to change.
If you want a diff on the content of the file, you need to specify it extra.

Cheers

On Fri, Nov 25, 2011 at 9:22 AM, Macus <[email protected]> wrote:
> I am using OSSEC 2.6 on CentOS 5. I have an OSSEC server managing 6
> servers with the OSSEC agent.
> I have added a dir to the syscheck for the file integrity check like
> below.
>
> <directories check_all="yes">/users/home/john/app</directories>
>
> I saw that OSSEC made a copy of the files inside the dir
> /users/home/john/app in /var/ossec/queue/diff. I think this is used for
> the diff check and showing the difference for text files. If I don't need
> the diff check function and don't want OSSEC to tell me what has
> changed in the text file, how can I disable the file copy?
> Thanks
>
