On Thu, Jan 17, 2013 at 9:14 AM, Eric Lederrey <[email protected]> wrote:
> On Wednesday, 16 January 2013 at 11:19 -0500, dan (ddp) wrote:
>> On Wed, Jan 16, 2013 at 11:12 AM, Eric Lederrey <[email protected]> wrote:
>> > Dear ossec-list people,
>> >
>> > I tested the file-monitoring capabilities of ossec. On a Windows client
>> > I created a directory "C:\kyos_ossec_tests" and configured it in
>> > ossec.conf like this:
>> >
>> > <directories check_all="yes" realtime="yes">C:\kyos_ossec_tests</directories>
>> >
>> > And then I created, modified and deleted files and directories.
>> >
>> > Here are the observations I made during the tests.
>> >
>> > * if the directory you are monitoring is configured with
>> > check_all=yes: the changes will be reported only after each scan
>> >
>> > * if alert_new_files is enabled on the server: the new files are
>> > reported only after each scan
>> >
>> > * if realtime=yes is configured, only the modifications (not creation
>> > or deletion) are reported almost in real time: creation and deletion
>> > are reported after each scan.
>> >
>> > * the deletion of a subdir is not reported by ossec. Only the files
>> > deleted will be reported.
>> >
>> > Am I understanding the behavior of ossec correctly?
>> >
>> > Best Regards,
>> > --
>> > Eric LEDERREY
>> > Security and Systems Engineer
>> >
>> > ----------------------------------------------------
>> > KYOS IT SECURITY
>> > IT Security Audit, Consulting and Solutions
>> > 12 bis avenue Rosemont - 1208 Genève
>> > Office: +41 22 734 78 88 - Fax: +41 22 734 79 03
>> > www.kyos.ch - [email protected]
>> > ----------------------------------------------------
>> >
>>
>> Sounds about right.
>
> Ok, thank you for your reply. I suggest that you put this into the
> documentation, because it is useful to people that need to enforce some
> kind of policy.
>
> Best regards

The only thing that isn't obvious is alerting on new files in realtime. I thought I had added something about that, but I don't see it off hand. I'll make a note.

> --
> Eric LEDERREY
> Security and Systems Engineer
>
> ----------------------------------------------------
> KYOS IT SECURITY
> IT Security Audit, Consulting and Solutions
> 12 bis avenue Rosemont - 1208 Genève
> Office: +41 22 734 78 88 - Fax: +41 22 734 79 03
> www.kyos.ch - [email protected]
> ----------------------------------------------------
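As an added illustration (not part of the thread above, and not OSSEC's own documentation), here is how the settings the observations describe fit together on the agent and on the manager. Since realtime mode only reports modifications and the scheduled scan is what reports creations and deletions, the `<frequency>` value is what bounds how long a created or deleted file goes unreported. The directory name is the one from the thread; the 3600-second interval is a value chosen for this example.

```xml
<!-- Added example, not from the thread: agent- and manager-side syscheck
     settings behind the observations. The 3600-second interval is an
     illustrative choice, not a recommendation from the thread. -->

<!-- Windows agent: ossec.conf -->
<ossec_config>
  <syscheck>
    <!-- Scheduled scan interval in seconds. Realtime only reports
         modifications; creations and deletions surface on the next
         scheduled scan, so this value bounds how long they stay unseen.
         The OSSEC default is 79200 (22 hours). -->
    <frequency>3600</frequency>
    <scan_on_start>yes</scan_on_start>

    <!-- check_all: hash, size, permissions and ownership are all checked.
         realtime: modifications to existing files are reported almost
         immediately. -->
    <directories check_all="yes" realtime="yes">C:\kyos_ossec_tests</directories>
  </syscheck>
</ossec_config>

<!-- Manager: ossec.conf. alert_new_files is enabled on the server side;
     as observed in the thread, new files are still reported only when the
     agent's scheduled scan runs, not in realtime. -->
<ossec_config>
  <syscheck>
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</ossec_config>
```

A lower `<frequency>` shortens the window in which a new or deleted file (or a deleted subdirectory's contents) goes unreported, at the cost of more frequent hashing of the monitored tree; pick it according to how large the directory is and how quickly a policy violation needs to be noticed.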
