On Wednesday, 16 January 2013 at 11:19 -0500, dan (ddp) wrote:
> On Wed, Jan 16, 2013 at 11:12 AM, Eric Lederrey <[email protected]> wrote:
> > Dear ossec-list people,
> >
> > I tested the file-monitoring capabilities of ossec. On a Windows client
> > I created a directory "C:\kyos_ossec_tests" and configured it in
> > ossec.conf like this:
> >
> > <directories check_all="yes" realtime="yes">C:\kyos_ossec_tests</directories>
> >
> > And then I created, modified and deleted files and directories.
> >
> > Here are the observations I made during the tests.
> >
> > * if the directory you are monitoring is configured with
> >   check_all=yes: the changes will be reported only after each scan
> >
> > * if alert_new_files is enabled on the server: the new files are
> >   reported only after each scan
> >
> > * if realtime=yes is configured, only the modifications (not creation
> >   or deletion) are reported almost in real time: creation and deletion
> >   are reported after each scan.
> >
> > * the deletion of a subdir is not reported by ossec. Only the files
> >   deleted will be reported.
> >
> > Am I understanding the behavior of ossec correctly?
> >
> > Best Regards,
> > --
> > Eric LEDERREY
> > Security and systems engineer
> >
> > ----------------------------------------------------
> > KYOS IT SECURITY
> > IT security audit, consulting and solutions
> > 12 bis avenue Rosemont - 1208 Genève
> > Office: +41 22 734 78 88 - Fax: +41 22 734 79 03
> > www.kyos.ch - [email protected]
> > ----------------------------------------------------
> >
>
> Sounds about right.
OK, thank you for your reply. I suggest that you put this into the documentation, because it is useful to people that need to enforce some kind of policy.

Best regards
--
Eric LEDERREY
Security and systems engineer
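For readers who want to turn the observations in this thread into a usable monitoring policy, here is an ossec.conf syscheck fragment added as an illustration; it is not from the original thread, nor the OSSEC project's own documentation. The monitored path is the one from the thread. The 300-second frequency is an assumed test value, and the comments on which events arrive in real time versus at the scheduled scan restate what the thread reports rather than a guarantee for every OSSEC version.

```xml
<!-- Added example (not from the thread): agent-side syscheck configuration.
     Path is the test directory from the thread; frequency=300 is an assumed
     value for testing, not a production recommendation. -->
<ossec_config>
  <syscheck>
    <!-- Interval, in seconds, between scheduled scans. OSSEC's default is
         79200 (22 hours). In the thread, file creation, file deletion and
         sub-directory deletion were only reported after a scheduled scan,
         so this value is the upper bound on how late those events appear. -->
    <frequency>300</frequency>

    <!-- Scan when the agent starts so the baseline database exists before
         any realtime events arrive. -->
    <scan_on_start>yes</scan_on_start>

    <!-- realtime="yes": modifications to already-known files are reported
         almost immediately (the only event type the thread saw in real time
         on Windows).
         check_all="yes": checksum, size, owner, group and permissions are all
         compared, which still happens on the scheduled scan. -->
    <directories check_all="yes" realtime="yes">C:\kyos_ossec_tests</directories>
  </syscheck>
</ossec_config>

<!-- Manager (server) side. alert_new_files is a manager option, as the
     thread notes; new files are still only seen at the agent's next scan. -->
<ossec_config>
  <syscheck>
    <alert_new_files>yes</alert_new_files>

    <!-- By default the manager stops alerting on a file after it has changed
         several times (auto_ignore). For policy enforcement you usually want
         every change reported, so disable that. -->
    <auto_ignore>no</auto_ignore>
  </syscheck>
</ossec_config>
```

Two caveats a practitioner should check in their own setup: first, the OSSEC rule that fires for "file added" (rule id 554) ships at alert level 0 in the 2.x rule set, so alert_new_files alone produces nothing visible until that rule is overridden to a non-zero level in local_rules.xml; second, since a deleted sub-directory is not itself reported, a policy that must notice directory removal should key on the per-file deletion alerts for the files that lived inside it, which the thread confirms are still generated after the next scan.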
