On Mon, Nov 17, 2014 at 3:16 AM, Ky0 <[email protected]> wrote:
> Hi all!
>
> just want to monitor changes to the som file, but I don't find any document
> and solution.
>
> My config
>
> /var/ossec/etc/ossec.conf
>
> ---snip----
>
> <syscheck>
>
> <directories check_all="yes" realtime="yes">/u03/myfile.txt</directories>
>
> <directories check_all="yes" realtime="yes">/etc/passwd, /etc/shadow</directories>
>
> ---snip----
>
> test:
>
> $echo "abc:x:1001:1001:/home/abc:/bin/bash">>/etc/passwd
>
> $echo "test my file" >> /u03/myfile.txt
>
> But ossec doesn't log or alert anything.
>
> Please help me!
>

I'm not sure realtime works for specific files, I thought it only worked on directories. Were the files you tried modifying already in the syscheck database?

> I try to search on Google but don't have solution.
>
> eg: https://groups.google.com/forum/#!topic/ossec-list/fx8ErPocw68
>
> Thanks and Best Regards
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
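
One way to audit a configuration for the situation raised in the reply (realtime entries that name individual files rather than directories), as an added example that is not part of the original thread or of OSSEC itself. The function name `realtime_non_directories` is hypothetical, the sample config is constructed from the entries quoted above plus one directory entry for contrast, and the check assumes the reply's point that realtime monitoring applies to directories only.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample: the two <directories> entries quoted in the thread,
# plus one directory entry (/etc) added here for contrast.
SAMPLE_CONF = """
<ossec_config>
  <syscheck>
    <directories check_all="yes" realtime="yes">/u03/myfile.txt</directories>
    <directories check_all="yes" realtime="yes">/etc/passwd, /etc/shadow</directories>
    <directories check_all="yes" realtime="yes">/etc</directories>
  </syscheck>
</ossec_config>
"""


def realtime_non_directories(conf_text, is_dir=os.path.isdir):
    """Return paths listed under realtime="yes" that are not directories.

    Paths that do not exist are flagged as well, since they are not
    directories either. `is_dir` can be swapped out for testing.
    """
    # ossec.conf may contain several <ossec_config> blocks, so wrap the
    # text in a single synthetic root before parsing.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    flagged = []
    for node in root.iter("directories"):
        if node.get("realtime", "no").lower() != "yes":
            continue
        # One element can carry a comma-separated list of paths.
        for path in (p.strip() for p in (node.text or "").split(",")):
            if path and not is_dir(path):
                flagged.append(path)
    return flagged


if __name__ == "__main__":
    for path in realtime_non_directories(SAMPLE_CONF):
        print("realtime set on a non-directory:", path)
```

To check a live agent, pass the contents of `/var/ossec/etc/ossec.conf` as `conf_text` on the host where the paths exist.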
