On Wed, Nov 27, 2013 at 1:35 PM, dan (ddp) <[email protected]> wrote:
> On Wed, Nov 27, 2013 at 2:03 AM, C. L. Martinez <[email protected]> wrote:
>> Ok, only works if I put the following entry under syscheck section:
>>
>> <directories report_changes="yes" realtime="yes"
>> check_all="yes">/etc,/var/ossec/etc/shared</directories>
>>
>
> Where else would you put it?

Only in the agent.conf ..

>
>> but for FreeBSD agents it doesn't work because FreeBSD doesn't
>> support inotify ...
>>
>
> Is /var/ossec/etc/shared defined in the FreeBSD config at all?

Yes.

> Does agent.conf show up in the syscheck db for that agent (`grep agent.conf /var/ossec/queue/syscheck/agent_syscheck_db`)?

agent_syscheck_db doesn't exist in my agents ...

root@agent02:~ # ls -la /var/ossec/queue/syscheck/agent_syscheck_db
ls: /var/ossec/queue/syscheck/agent_syscheck_db: No such file or directory
root@agent02:~ # ls -la /var/ossec/queue/syscheck/
total 4
dr-xr-x--- 2 root ossec 512 Nov 22 08:39 .
dr-xr-x--- 7 root ossec 512 Nov 22 08:39 ..

>
> Are any syscheck rules firing for your FreeBSD systems?
>

Yes, for example for any file modified under /etc directory ...
