Hi all,

Did anyone ever try to narrow down realtime monitoring to a single file? Since the <directories> tag allows specifying a directory and a single file, I assume it must be possible to create a tag like this:

<directories check_all="yes" report_changes="yes" realtime="yes">/var/ossec_realtime_test/single-file</directories>

Unfortunately this is not working, and after some other tests and a Google search I'm kind of stuck here. Also, the OSSEC online manual <http://www.ossec.net/doc/manual/syscheck/index.html#real-time-monitoring> gives the idea that this should be working.

If I test the realtime monitoring only on the directory with a tag like this:

<directories check_all="yes" report_changes="yes" realtime="yes">/var/ossec_realtime_test/single-file</directories>

it is working just fine. Whatever file in /var/ossec_realtime_test I change, I immediately get a message. So the problem can't be that realtime monitoring is not working at all.

So you understand what my goal is in the end: I would like to monitor /etc with syscheck but without realtime monitoring. Just some various files under /etc I do want to have monitored by realtime, to get an immediate notification if something changes.

Thank you for your ideas and help.

Regards,
Oliver
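An added helper for auditing a syscheck configuration like the one discussed above; this is example code written for this thread, not part of OSSEC and not code from the original post. It parses the <directories> entries of an ossec.conf fragment and reports, for every entry with realtime="yes", whether the path is a directory, a single file, or missing on disk, so an administrator can see at a glance which realtime entries point at files rather than directories. The configuration fragment and the paths it points to are constructed inside a temporary directory; the tag names and attributes (directories, check_all, report_changes, realtime) are the ones OSSEC uses, and the splitting on commas assumes the usual OSSEC convention of several paths in one element. The script only inspects the configuration; it does not say what the OSSEC agent will do with a file entry.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample fragment (not from the original post), modelled on the
# setup described in the thread: /etc without realtime, one single file with
# realtime="yes", and one whole directory with realtime="yes". The {..} paths
# are placeholders filled in at runtime from a temporary directory.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <syscheck>
    <directories check_all="yes">{etc_dir}</directories>
    <directories check_all="yes" report_changes="yes" realtime="yes">{single_file}</directories>
    <directories check_all="yes" realtime="yes">{rt_dir}</directories>
  </syscheck>
</ossec_config>
"""


def syscheck_entries(conf_xml):
    """Return a list of (path, attributes) for every <directories> element.

    OSSEC allows several comma-separated paths in one element, so each
    element may yield more than one entry; attributes are copied per path.
    """
    root = ET.fromstring(conf_xml)
    entries = []
    for node in root.iter("directories"):
        for raw in (node.text or "").split(","):
            path = raw.strip()
            if path:
                entries.append((path, dict(node.attrib)))
    return entries


def classify_realtime_targets(conf_xml):
    """Map every realtime="yes" path to 'dir', 'file' or 'missing'.

    Entries without realtime="yes" (such as a plain /etc entry) are skipped,
    so the result lists exactly the paths the agent would need inotify
    watches for. 'missing' flags a typo or a path that does not exist yet.
    """
    classes = {}
    for path, attrs in syscheck_entries(conf_xml):
        if attrs.get("realtime", "no").lower() != "yes":
            continue
        if os.path.isdir(path):
            classes[path] = "dir"
        elif os.path.isfile(path):
            classes[path] = "file"
        else:
            classes[path] = "missing"
    return classes


def demo():
    """Build the constructed layout in a temp dir and classify the sample config.

    Returns the classification keyed by path relative to the temp dir, so the
    result is stable regardless of where the temp dir is created.
    """
    with tempfile.TemporaryDirectory() as tmp:
        etc_dir = os.path.join(tmp, "etc")
        rt_dir = os.path.join(tmp, "ossec_realtime_test")
        os.mkdir(etc_dir)
        os.mkdir(rt_dir)
        single_file = os.path.join(rt_dir, "single-file")
        with open(single_file, "w") as fh:
            fh.write("constructed test content\n")
        conf = SAMPLE_OSSEC_CONF.format(
            etc_dir=etc_dir, single_file=single_file, rt_dir=rt_dir
        )
        classes = classify_realtime_targets(conf)
        return {os.path.relpath(p, tmp): kind for p, kind in classes.items()}


if __name__ == "__main__":
    for path, kind in sorted(demo().items()):
        print(f"realtime target {path}: {kind}")
```

Running it against a real agent configuration means reading /var/ossec/etc/ossec.conf into `classify_realtime_targets` instead of the constructed fragment; any entry reported as "file" is one whose realtime behaviour should be verified by touching the file and checking that an alert is raised, which is exactly the test described in the post.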
