On Wed, Jun 27, 2012 at 4:30 AM, Oliver <[email protected]> wrote:
> Hi all,
>
> Did anyone ever try to narrow down realtime monitoring to a single file?
> Since the <directories> tag allows to specify a directory and a single file,
> I assume it must be possible to create a tag like this
>
> <directories check_all="yes" report_changes="yes"
> realtime="yes">/var/ossec_realtime_test/single-file</directories>
>
> Unfortunately this is not working, and after some other tests and a Google
> search I'm kind of stuck here. Also, the OSSEC online manual gives the idea
> that this should be working.
>


I see where this confusion is coming from in the documentation, and
I'll fix it. Do take note of the "note" at the bottom of that section.
The realtime support is for directories only.

> If I test the realtime monitoring only to the directory with a tag like
> this:
>
> <directories check_all="yes" report_changes="yes"
> realtime="yes">/var/ossec_realtime_test/single-file</directories>
>
> It is working just fine. Whatever file in /var/ossec_realtime_test I change,
> I immediately get a message. So it can't be that realtime
> monitoring is not working at all.
>
> So you understand what my goal is in the end: I would like to monitor
> /etc with syscheck but without realtime monitoring. Just various files under
> /etc I do want to have monitored in realtime, to get an immediate
> notification if something changes.
>

You shouldn't duplicate <directories> entries. Having a file monitored
by multiple <directories> options will cause issues.

> Thank you for your ideas and help.
>
> Regards,
> Oliver
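As an added example (not part of the original thread and not OSSEC's own code), here is a small Python lint that reads an ossec.conf syscheck block and reports the two pitfalls raised in the reply: realtime="yes" on an entry that names a regular file rather than a directory, and a path that is covered by more than one <directories> entry, whether listed twice or nested under another monitored directory. The sample configuration and the set of paths treated as directories are constructed for the example.

```python
"""Lint an OSSEC <syscheck> block for the two pitfalls raised in the thread.

Constructed example, not OSSEC code. It flags
  1. realtime="yes" on an entry that names a regular file (realtime
     monitoring applies to directories only), and
  2. a path covered by more than one <directories> entry, either listed
     twice or nested under another monitored directory.
"""
import os
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment modelled on the thread's configuration.
SAMPLE_CONF = """<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" report_changes="yes"
                 realtime="yes">/var/ossec_realtime_test/single-file</directories>
    <directories check_all="yes" report_changes="yes"
                 realtime="yes">/etc/passwd,/etc/ssh</directories>
  </syscheck>
</ossec_config>
"""


def parse_entries(conf_xml):
    """Return [(path, realtime_bool)] for every path in every <directories> tag.

    OSSEC accepts several comma-separated paths in one tag, so one element
    may yield several entries.
    """
    root = ET.fromstring(conf_xml)
    entries = []
    for tag in root.iter("directories"):
        realtime = tag.get("realtime", "no").strip().lower() == "yes"
        for raw in (tag.text or "").split(","):
            path = raw.strip()
            if path:
                entries.append((os.path.normpath(path), realtime))
    return entries


def _covers(parent, child):
    """True if `parent` is `child` itself or an ancestor directory of it."""
    return child == parent or child.startswith(parent.rstrip("/") + "/")


def lint_syscheck(conf_xml, is_dir=os.path.isdir):
    """Return a list of warnings for the given config text.

    `is_dir` is injectable so the check can run against a config written
    for another host; the default inspects the local filesystem.
    """
    entries = parse_entries(conf_xml)
    warnings = []

    # 1. realtime on a non-directory never produces realtime alerts.
    for path, realtime in entries:
        if realtime and not is_dir(path):
            warnings.append(
                'realtime="yes" on %s has no effect: realtime monitoring '
                "applies to directories only" % path)

    # 2. the same file covered by more than one <directories> entry.
    # Exact duplicates are reported once (for the later occurrence);
    # a nested path is reported against the entry that already covers it.
    paths = [p for p, _ in entries]
    for i, path in enumerate(paths):
        for j, other in enumerate(paths):
            if i != j and _covers(other, path) and (other != path or j < i):
                warnings.append(
                    "%s is already covered by the entry for %s; duplicate "
                    "<directories> coverage causes problems" % (path, other))
                break
    return warnings


if __name__ == "__main__":
    # Hypothetical directory set so the sample runs without these paths existing.
    fake_dirs = {"/etc", "/usr/bin", "/usr/sbin", "/etc/ssh",
                 "/var/ossec_realtime_test"}
    for line in lint_syscheck(SAMPLE_CONF, is_dir=lambda p: p in fake_dirs):
        print(line)
```

On an agent, run it against the real ossec.conf with the default `is_dir` so the file-versus-directory check reflects that host's filesystem; the nesting check does not need the filesystem at all.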
