On Wed, Sep 19, 2012 at 9:04 AM, Eero Volotinen <[email protected]> wrote:
> 2012/9/19 dan (ddp) <[email protected]>:
>> On Wed, Sep 19, 2012 at 6:59 AM, Andreas Lang <[email protected]>
>> wrote:
>>> Hello,
>>>
>>> We have some questions regarding analysing log files with OSSEC referring to
>>> the log file requirements in PCI-DSS 10.5.5.
>>>
>>> PCI DSS 10.5.5.:
>>> Use file-integrity monitoring or change-detection software on logs to ensure
>>> that existing log data cannot be changed without generating alerts (although
>>> new data being added should not cause an alert).
>>>
>>> To cover this issue we wanted to enable real-time monitoring on our log file
>>> directories. Unfortunately we are getting this error:
>>> Ignoring flag for real time monitoring on directory: '/data/'
>>>
>>> Our servers are based on Ubuntu 10.04, 11.04 and 11.10, all x64 systems. We
>>> are using OSSEC 2.5 for clients and server. I know that for real-time
>>> monitoring the tool inotify-tools must be installed, but unfortunately this
>>> didn't resolve the issue.
>>> Do you have any suggestions how we can make the real-time monitoring of
>>> growing log files work correctly?
>>>
>>> Thank you very much in advance
>>>
>>> Regards.
>>>
>>> Andreas Lang
>>>
>>
>> Are you sure the inotify stuff was enabled in the build? It sounds
>> like the support didn't get compiled in.
>
> does ossec support log analysis in realtime? or only directory
> checksumming realtime?
>
> --
> Eero
Now you have me worried. It seems like you're mixing up a few things. Log analysis is as realtime as it can really get. ossec-logcollector basically tails the log file and forwards the log messages on as it gets them. But this is very different than the realtime syscheck alerting.
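The distinction the reply draws, and the one PCI-DSS 10.5.5 asks for, is that a growing log is normal while any edit to bytes that already existed is an alert. The following is an added illustration of that check, not OSSEC code or anything posted in the thread; the file name and log lines are constructed.

```python
import hashlib
import os
import tempfile

# Constructed sample log content (not from the original thread).
INITIAL_LOG = b"Sep 19 09:04:01 host sshd[123]: Accepted publickey for alice\n"


def snapshot(path):
    """Record size and SHA-256 of the log as it exists now.

    This is the known-good prefix: bytes written after this point are
    new data and must not raise an alert."""
    with open(path, "rb") as f:
        data = f.read()
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def check_append_only(path, baseline):
    """Return (ok, reason). ok is True when the file still begins with the
    exact bytes recorded in the baseline; growth beyond that is allowed."""
    with open(path, "rb") as f:
        prefix = f.read(baseline["size"])
    if len(prefix) < baseline["size"]:
        return False, "log truncated below baseline size"
    if hashlib.sha256(prefix).hexdigest() != baseline["sha256"]:
        return False, "existing log data modified"
    return True, "unchanged prefix (appends allowed)"


def demo():
    """Exercise the check on a temp file: append, edit in place, truncate."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth.log")
        with open(path, "wb") as f:
            f.write(INITIAL_LOG)
        base = snapshot(path)
        with open(path, "ab") as f:  # normal growth: must not alert
            f.write(b"Sep 19 09:05:13 host sshd[124]: session opened for alice\n")
        appended = check_append_only(path, base)
        with open(path, "r+b") as f:  # overwrite bytes that already existed
            f.seek(0)
            f.write(b"Xxx")
        edited = check_append_only(path, base)
        with open(path, "wb"):  # truncate the file entirely
            pass
        truncated = check_append_only(path, base)
    return appended, edited, truncated
```

Only the first call reports ok; an in-place overwrite and a truncation both produce an alert, which is the behaviour 10.5.5 describes.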
