Hey Mike

Yup, we're aware of it. The issue we have had with it is it's just too noisy.. and it's disabled by default.. it also has issues handling subdirectories... :(

We're still playing though. How are you configuring it on your end to reduce the noise and handle subdirectories?

Tony

On Friday, July 26, 2013 10:26:14 PM UTC-7, Michael Starks wrote:
> On 26.07.2013 22:13, perezbox wrote:
> > I saw a discussion on this earlier in the week and meant to respond,
> > but got sidetracked.
> >
> > Regardless, this was something I too struggled grasping; it took a
> > conversation with Dani to help better understand. To better
> > articulate, and save you all a long email, I put it on my blog:
> >
> > http://tonyonsecurity.com/2013/07/27/ossec-detecting-new-files-understanding-how-it-works/
>
> Hey Tony, thanks for the write-up. Nice to see you on the list. You
> guys are doing some good work over at Sucuri.
>
> I wonder if Daniel C realizes that we added IN_CREATE to the source
> since he implemented real-time, which wasn't there before. This should
> alert on a new file in a monitored directory in real-time, unless we got
> it wrong (which is entirely possible). Of course, it will take a while
> before the real-time monitoring starts before it can happen. Sounds like
> this needs to be tested.
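The IN_CREATE real-time behaviour Michael describes, and the subdirectory gap Tony mentions, as an added example written for this thread (not OSSEC's syscheck code): a small Linux inotify watcher that reports new entries and adds a watch for every subdirectory, existing or newly created, because an inotify watch covers one directory only. It assumes Linux with glibc; `watch_tree` and `next_create` are names chosen here.

```c
#define _GNU_SOURCE   /* strdup, lstat, mkdtemp on glibc */
#include <dirent.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_WD 1024
static char *wd_path[MAX_WD];  /* watch descriptor -> directory it watches */

/* Watch dir for IN_CREATE and, recursively, each subdirectory already in it.
 * inotify watches are per directory, never recursive. Returns watch count or -1. */
int watch_tree(int fd, const char *dir) {
    int wd = inotify_add_watch(fd, dir, IN_CREATE);
    if (wd < 0 || wd >= MAX_WD) return -1;
    wd_path[wd] = strdup(dir);
    int n = 1; DIR *d = opendir(dir);
    if (!d) return n;
    for (struct dirent *e; (e = readdir(d)) != NULL;) {
        char path[4096]; struct stat st; int r;
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (lstat(path, &st) == 0 && S_ISDIR(st.st_mode) && (r = watch_tree(fd, path)) > 0) n += r;
    }
    closedir(d);
    return n;
}

/* Wait up to timeout_ms for the next IN_CREATE event and write the new entry's full
 * path to out; a new directory is watched at once. Returns 1, 0 on timeout, -1 on error. */
int next_create(int fd, char *out, size_t len, int timeout_ms) {
    struct pollfd p = { .fd = fd, .events = POLLIN };
    char buf[4096] __attribute__((aligned(8)));
    int r = poll(&p, 1, timeout_ms);
    if (r <= 0) return r;
    ssize_t got = read(fd, buf, sizeof buf);
    if (got <= 0) return -1;
    for (char *ptr = buf; ptr < buf + got;) {
        struct inotify_event *ev = (struct inotify_event *)ptr;
        ptr += sizeof *ev + ev->len;
        if (!(ev->mask & IN_CREATE) || !ev->len || ev->wd >= MAX_WD || !wd_path[ev->wd]) continue;
        snprintf(out, len, "%s/%s", wd_path[ev->wd], ev->name);
        if (ev->mask & IN_ISDIR) watch_tree(fd, out);  /* files created in it later are seen too */
        return 1;
    }
    return 0;
}
```

Events that arrive in the same read after the first matching one are dropped here, and a file written into a new subdirectory before its watch is added is missed; a real monitor queues the rest of the buffer and rescans a new directory after watching it.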
