On Tue, Aug 20, 2013 at 5:55 PM, Roy Feintuch <[email protected]> wrote:
> Hi all,
> I have seen many threads about failure to detect file deletions, and think I
> can add some insights to the reason.
>
> Env:
> OSSEC server 2.7 (
> Windows agents (7, 2008 R2)
> Centos/RHEL Agents
>
> Scenario:
> - In the past we used realtime=true for the syscheck configuration. All
> events (new file / changes / deletions) were received correctly.
> - Now we made a little change and removed the realtime. No more file
> detection events. All the other FIM events are sent correctly. No custom
> rules in the server.
>
>
> Now, can someone please confirm that file deletion detection only works in
> realtime mode?
Nope. I don't think anyone can confirm this.

> (I understand that it is probably different implementations to receive an OS
> signal and trigger an alert (agent side) VS comparing in the server against
> known baseline (server side). I thought both are implemented, now suspect
> only the first one. Will try to peek into the source and figure it)

I don't know what this means.

> Thanks,
> Roy
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
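Roy's parenthetical describes two different ways a FIM can learn that a file is gone: in realtime mode the agent gets an OS change notification and raises the alert directly, whereas a scheduled scan has to compare what is on disk now against the stored baseline and treat every baseline entry that no longer exists as a deletion. The script below is an added example of that second, baseline-comparison approach; it is not OSSEC's syscheck code and says nothing about how OSSEC 2.7 behaves. The directory layout, file names and the `build_baseline` / `diff_baseline` helpers are constructed for the example. (For reference, the realtime option Roy removed is expressed in OSSEC as the `realtime="yes"` attribute on a `<directories>` entry inside `<syscheck>`.)

```python
"""Baseline-comparison file integrity scan (added example, not OSSEC code).

A scheduled (non-realtime) scan receives no OS signal when a file is removed.
The only way it can report a deletion is to keep the previous snapshot and
look for paths that were present then and are absent now.
"""
import hashlib
import os
import tempfile


def build_baseline(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            baseline[rel] = h.hexdigest()
    return baseline


def diff_baseline(old, new):
    """Classify changes between two snapshots.

    Deletions are exactly the keys the old snapshot had and the new one lacks.
    A scanner that only hashes the files it can still open, and never consults
    the previous snapshot, cannot produce this category at all.
    """
    added = sorted(set(new) - set(old))
    deleted = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "deleted": deleted, "modified": modified}


def demo():
    """Constructed scenario: snapshot, then one add, one edit, one delete, rescan."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("a.conf", b"alpha\n"),
                           ("b.conf", b"bravo\n"),
                           ("c.conf", b"charlie\n")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        before = build_baseline(root)

        os.remove(os.path.join(root, "b.conf"))              # deletion
        with open(os.path.join(root, "a.conf"), "ab") as f:  # modification
            f.write(b"# tampered\n")
        with open(os.path.join(root, "d.conf"), "wb") as f:  # new file
            f.write(b"delta\n")
        after = build_baseline(root)

        return diff_baseline(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"{kind}: {path}")
```

Running it prints one line per change, including `deleted: b.conf`; the point of the example is that the deletion line only exists because `before` was kept and diffed against `after`. Whether a given FIM does that comparison on the agent, on the server, or only in realtime mode is an implementation question, which is exactly what the thread is asking about.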
