Hi Dan, Thank you for your reply. Just shortly after I posted this, I saw the little note in the documentation. Good that you'll fix that. Anyway, I have deleted the post since it was not necessary. Sorry for that.
On Wed, Jun 27, 2012 at 2:35 PM, dan (ddp) <[email protected]> wrote:
> On Wed, Jun 27, 2012 at 4:30 AM, Oliver wrote:
> > Hi all,
> >
> > Did anyone ever try to narrow down realtime monitoring to a single file?
> > Since the <directories> tag allows to specify a directory and a single file,
> > I assume it must be possible to create a tag like this
> >
> > <directories check_all="yes" report_changes="yes" realtime="yes">/var/ossec_realtime_test/single-file</directories>
> >
> > Unfortunately this is not working and after some other tests and a Google
> > search I'm kind of stuck here. Also the OSSEC online manual gives an idea
> > that this should be working.
> >
>
> I see where this confusion is coming from in the documentation, and
> I'll fix it. Do take note of the "note" at the bottom of that section.
> The realtime support is for directories only.
>
> > If I test the realtime monitoring only on the directory with a tag like
> > this:
> >
> > <directories check_all="yes" report_changes="yes" realtime="yes">/var/ossec_realtime_test/single-file</directories>
> >
> > It is working just fine. Whatever file in /var/ossec_realtime_test I change,
> > I immediately get a message. So it can't be a problem that realtime
> > monitoring is not working at all.
> >
> > For you to understand what my goal is at the end: I would like to monitor
> > /etc with syscheck but no realtime monitoring. Just some various files under
> > /etc I do want to have monitored by realtime to get an immediate
> > notification if something changes.
> >
>
> You shouldn't duplicate directories entries. Having a file monitored
> in multiple directories options will cause issues.
>
> > Thank you for your ideas and help.
> >
> > Regards,
> > Oliver
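The two pitfalls dan points out above (realtime="yes" on a path that is a plain file, and the same path covered by more than one <directories> entry) are easy to introduce when hand-editing ossec.conf. The following lint is an added example, not OSSEC's own code and not part of the thread: it parses the <directories> elements of a syscheck section and reports realtime entries that are not directories, paths listed twice, and paths that sit under another monitored directory (the setup Oliver wanted for /etc). The sample config and the fake filesystem view are constructed here so it runs offline; in a real check pass os.path.isdir instead.

```python
"""Lint OSSEC syscheck <directories> entries for realtime-on-file,
duplicate and nested paths. Added example, not OSSEC's own tooling."""
import os
import xml.etree.ElementTree as ET

# Constructed sample ossec.conf fragment (not from a real deployment).
SAMPLE_CONF = """<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">/etc</directories>
    <directories check_all="yes" report_changes="yes" realtime="yes">/etc/passwd,/etc/shadow</directories>
    <directories check_all="yes" realtime="yes">/var/ossec_realtime_test</directories>
    <directories check_all="yes">/etc</directories>
  </syscheck>
</ossec_config>"""

# Constructed filesystem view: which configured paths are directories.
# Injected so the lint is deterministic; use os.path.isdir in practice.
FAKE_IS_DIR = {
    "/etc": True,
    "/etc/passwd": False,
    "/etc/shadow": False,
    "/var/ossec_realtime_test": True,
}.get


def parse_directories(conf_xml):
    """Return a list of (path, attrib) for every path in every
    <directories> element. OSSEC accepts several comma-separated
    paths in one element, so each is split out separately."""
    root = ET.fromstring(conf_xml)
    entries = []
    for elem in root.iter("directories"):
        for raw in (elem.text or "").split(","):
            path = raw.strip()
            if path:
                entries.append((path, dict(elem.attrib)))
    return entries


def is_under(path, ancestor):
    """True if path lies strictly below ancestor (POSIX string check)."""
    return path != ancestor and path.startswith(ancestor.rstrip("/") + "/")


def lint_syscheck(conf_xml, is_dir=os.path.isdir):
    """Return findings as (kind, path) tuples, in config order.

    kind is one of:
      realtime_on_file  realtime="yes" but the path is not a directory
      nested_entry      the path is inside another monitored directory
      duplicate_entry   the same path appears in more than one entry
    """
    entries = parse_directories(conf_xml)
    all_paths = [p for p, _ in entries]
    findings = []
    seen = set()
    for path, attrib in entries:
        if attrib.get("realtime", "no").lower() == "yes" and not is_dir(path):
            findings.append(("realtime_on_file", path))
        if any(is_under(path, other) for other in all_paths):
            findings.append(("nested_entry", path))
        if path in seen:
            findings.append(("duplicate_entry", path))
        seen.add(path)
    return findings


if __name__ == "__main__":
    for kind, path in lint_syscheck(SAMPLE_CONF, is_dir=FAKE_IS_DIR):
        print(f"{kind}: {path}")
```

Run against the sample, the lint flags /etc/passwd and /etc/shadow both as realtime-on-file and as nested under /etc, and the second /etc entry as a duplicate; the directory-level realtime entry for /var/ossec_realtime_test passes clean, which matches what dan describes as the supported use.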
