Dear ossec-list people,

I tested the file-monitoring capabilities of ossec. On a Windows client I created a directory "C:\kyos_ossec_tests" and configured it in ossec.conf like this:

<directories check_all="yes" realtime="yes">C:\kyos_ossec_tests</directories>

And then I created, modified and deleted files and directories. Here are the observations I made during the tests.

* if the directory you are monitoring is configured with check_all=yes: the changes will be reported only after each scan
* if alert_new_files is enabled on the server: the new files are reported only after each scan
* if realtime=yes is configured, only the modifications (not creation or deletion) are reported almost in real time: creation and deletion are reported after each scan.
* the deletion of a subdir is not reported by ossec. Only the files deleted will be reported.

Am I understanding the behavior of ossec correctly?

Best Regards,

--
--
Eric LEDERREY
Security and Systems Engineer
----------------------------------------------------
KYOS IT SECURITY
Audit, Consulting and IT Security Solutions
12 bis avenue Rosemont - 1208 Genève
Office: +41 22 734 78 88 - Fax: +41 22 734 79 03
www.kyos.ch - [email protected]
----------------------------------------------------
