I conducted a little test to prove my findings.

Setup:
- A working OSSEC agent with syscheck defined + realtime.
- 2 files: 111, 222

Test:
1. Shut down the ossec agent (ossec-control stop)
2. Delete file 111 *while the agent is down*
3. Start the ossec agent (wait till all directories are 'set for real time monitoring')
4. Delete file 222

My observation is that the only alert received is for file 222 (due to the realtime trigger). The file 111 deletion alert is lost forever. This does not happen on change / add new file...

I would appreciate anyone else replicating this and confirming.

10x

On Wednesday, August 21, 2013 6:15:54 AM UTC-7, dan (ddpbsd) wrote:
>
> On Tue, Aug 20, 2013 at 5:55 PM, Roy Feintuch <[email protected]> wrote:
> > Hi all,
> > I have seen many threads about failure to detect file deletions, and think I can add some insights to the reason.
> >
> > Env:
> > OSSEC server 2.7 (
> > Windows agents (7, 2008 R2)
> > Centos/RHEL Agents
> >
> > Scenario:
> > - In the past we used realtime=true for the syscheck configuration. All events (new file / changes / deletions) were received correctly.
> > - Now we made a little change and removed the realtime. No more file detection events. All the other FIM events are sent correctly. No custom rules in the server.
> >
> > Now, can someone please confirm that file deletion detection only works in realtime mode?
>
> Nope. I don't think anyone can confirm this.
>
> > (I understand that it is probably different implementations to receive an OS signal and trigger an alert (agent side) VS comparing in the server against known baseline (server side). I thought both are implemented, now suspect only the first one. Will try to peek into the source and figure it)
>
> I don't know what this means.
>
> > Thanks,
> > Roy
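The deletion that goes unnoticed in the test above is exactly the case a stored-baseline comparison catches. As an added illustration (not OSSEC's code; a plain directory hash scan stands in for its syscheck database), this records a snapshot, removes and modifies files while no scanner is running, and finds both on the next scan:

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Hash every regular file under root (a syscheck-style baseline)."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[str(p.relative_to(root))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return baseline


def diff(baseline: dict, current: dict) -> dict:
    """Compare a stored baseline with a fresh scan.

    Deletions come from the set difference on the stored keys, so a file
    removed while no scanner was running is still reported on the next
    scan; a realtime-only watcher has no event to report for it.
    """
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }


def reproduce_lost_deletion() -> dict:
    """Re-run the post's test (constructed files 111 and 222) with a baseline scan."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "111").write_text("one")
        (root / "222").write_text("two")
        baseline = snapshot(root)          # scanner running: baseline recorded
        (root / "111").unlink()            # scanner "down": nobody sees this
        (root / "222").write_text("two!")  # a change made offline, for contrast
        return diff(baseline, snapshot(root))
```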
