On Wed, Jan 16, 2013 at 11:12 AM, Eric Lederrey <[email protected]> wrote:
> Dear ossec-list people,
>
> I tested the file-monitoring capabilities of ossec. On a windows client
> I created a directory "C:\kyos_ossec_tests" and configured it in
> ossec.conf like that :
>
> <directories check_all="yes" realtime="yes">C:\kyos_ossec_tests</directories>
>
> And then I created, modified and deleted files and directories.
>
> Here are the observations I made during the tests.
>
> * if the directory you are monitoring is configured with
> check_all=yes: the changes will be reported only after each scan
>
> * if alert_new_files is enabled on the server : the new files are
> reported only after each scan
>
> * if realtime=yes is configured, only the modifications (not creation,
> or deletion) are reported almost in real time : creation and deletion
> are reported after each scan.
>
> * the deletion of a subdir is not reported by ossec. Only the files
> deleted will be reported.
>
> Am I understanding the behavior of ossec correctly?
>
> Best Regards,
> --
> --
> Eric LEDERREY
> Security and Systems Engineer
>
> ----------------------------------------------------
> KYOS IT SECURITY
> IT Security Audit, Consulting and Solutions
> 12 bis avenue Rosemont - 1208 Genève
> Office: +41 22 734 78 88 - Fax: +41 22 734 79 03
> www.kyos.ch - [email protected]
> ----------------------------------------------------
>

Sounds about right.
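As an added illustration (not code from this thread or from the OSSEC project), a small Python audit of a syscheck block that reports, per monitored directory, how long each kind of change can wait before it is alerted, using the behaviour Eric observed: modifications are near-realtime only with realtime="yes", while creations and deletions wait for the next scheduled scan (the frequency setting, OSSEC's default being 79200 seconds). The sample config, the simplified delay model and the whitespace check on the path are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment for this example (not the poster's file),
# modelled on the thread's setup plus a scan-only directory for contrast.
SAMPLE_CONF = """<ossec_config>
  <syscheck>
    <frequency>79200</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes" realtime="yes">C:\\kyos_ossec_tests</directories>
    <directories check_all="yes">C:\\Windows\\System32\\drivers\\etc,C:\\logs</directories>
  </syscheck>
</ossec_config>"""

DEFAULT_FREQUENCY = 79200  # OSSEC's default syscheck interval (22 hours)


def audit_syscheck(conf_xml):
    """Per monitored directory, give the worst-case delay in seconds before each
    event type is alerted, following the behaviour observed in the thread:
    modify is near-realtime only with realtime="yes"; create and delete always
    wait for the next scheduled scan (assumption: simplified latency model)."""
    syscheck = ET.fromstring(conf_xml).find("syscheck")
    if syscheck is None:
        return []
    freq_text = syscheck.findtext("frequency")
    frequency = int(freq_text) if freq_text else DEFAULT_FREQUENCY
    new_files = (syscheck.findtext("alert_new_files") or "no").strip() == "yes"
    results = []
    for node in syscheck.findall("directories"):
        realtime = node.get("realtime", "no").lower() == "yes"
        # one element may list several directories separated by commas
        for path in (node.text or "").split(","):
            path = path.strip()
            if not path:
                continue
            results.append({
                "path": path,
                "realtime": realtime,
                "modify_delay": 0 if realtime else frequency,
                "delete_delay": frequency,
                # without alert_new_files, creations are never alerted at all
                "create_delay": frequency if new_files else None,
                # a path wrapped onto two lines (as in the quoted mail) keeps an
                # embedded newline and will not match the directory on disk
                "suspicious_path": any(ch.isspace() for ch in path),
            })
    return results
```

Running it against the constructed config shows the realtime directory with a zero modify delay but a full scan interval for creations and deletions, which is exactly the pattern described in the question.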
