Hi all, I have seen many threads about failure to detect file deletions, and think I can add some insight into the reason.

Env: OSSEC server 2.7 (Windows agents (7, 2008 R2), CentOS/RHEL agents)

Scenario:
- In the past we used realtime=true for the syscheck configuration. All events (new file / changes / deletions) were received correctly.
- Now we made a little change and removed the realtime. No more file deletion events. All the other FIM events are sent correctly. No custom rules on the server.

Now, can someone please confirm that file deletion detection only works in realtime mode? (I understand that these are probably different implementations: receiving an OS signal and triggering an alert (agent side) vs. comparing on the server against a known baseline (server side). I thought both were implemented; now I suspect only the first one. Will try to peek into the source and figure it out.)

Thanks,
Roy
