I have a question regarding syscheck. A change occurs on a file, OSSEC syscheck detects it and sends an alert. That part works great. However, if the original file is placed back, OSSEC does not detect that the original file has been restored. If you initiate a restart on the OSSEC client, a new database scan occurs, and that is when the detection occurred that the file was changed back to "normal". Also, several syscheck scans (frequency is every 15 min) occurred between the good change and the restart. Is this normal behavior, a bug, bad configs, etc.? Any help would be appreciated.
File entered in DB -> Change File Occurs -> Notification Sent -> Changed file back to original DB entry -> No Notification
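Whether a restore to the original content is alerted depends on what the stored checksum is compared against. The following simulation is an added illustration, not OSSEC's syscheck code and not a claim about how OSSEC stores or compares checksums: it replays the scan sequence from the question (baseline, change, scans while changed, revert, scans after the revert) against two hypothetical comparison models. A "baseline" model that suppresses repeat alerts without updating its stored checksum reports the change once and is silent on the revert, which matches the symptom described; a "last-seen" model that stores each new checksum alerts on every transition, including the revert. The path and file contents are constructed sample values.

```python
"""Constructed simulation of two file-integrity comparison models.

Hypothetical illustration only: this is not OSSEC's syscheck code and does
not claim to reproduce how OSSEC stores or compares checksums.
"""
import hashlib
from typing import Dict, List, Optional

# Constructed sample file contents (not taken from any real host).
ORIGINAL = b"PermitRootLogin no\n"
MODIFIED = b"PermitRootLogin yes\n"


def checksum(data: bytes) -> str:
    """SHA-256 hex digest standing in for whatever hash the FIM records."""
    return hashlib.sha256(data).hexdigest()


class BaselineFim:
    """Compares each scan against the checksum recorded at the first scan.

    To avoid repeating the same alert every scan it remembers that a file has
    already been reported instead of updating the stored checksum, so a file
    restored to its baseline content looks 'unchanged' and raises nothing.
    """

    def __init__(self) -> None:
        self.baseline: Dict[str, str] = {}
        self.reported: set = set()

    def scan(self, path: str, data: bytes) -> Optional[str]:
        current = checksum(data)
        if path not in self.baseline:
            self.baseline[path] = current  # first sight: record it, no alert
            return None
        if current == self.baseline[path]:
            return None  # matches baseline: silent, even right after a revert
        if path in self.reported:
            return None  # change already alerted once for this file
        self.reported.add(path)
        return f"{path}: modified (baseline {self.baseline[path][:8]}, now {current[:8]})"


class LastSeenFim:
    """Compares each scan against the previous scan's checksum and stores the
    new value, so every transition, including a revert, produces an alert."""

    def __init__(self) -> None:
        self.last_seen: Dict[str, str] = {}

    def scan(self, path: str, data: bytes) -> Optional[str]:
        current = checksum(data)
        previous = self.last_seen.get(path)
        self.last_seen[path] = current  # always advance to the latest state
        if previous is None or previous == current:
            return None
        return f"{path}: modified (was {previous[:8]}, now {current[:8]})"


def run_sequence(fim, path: str = "/etc/ssh/sshd_config") -> List[str]:
    """Replays the sequence from the question: baseline scan, change, two more
    scans while still changed, revert, then two scans after the revert.
    Returns the alerts raised, in order. The path is a constructed example."""
    alerts: List[str] = []
    for data in (ORIGINAL, MODIFIED, MODIFIED, MODIFIED, ORIGINAL, ORIGINAL, ORIGINAL):
        alert = fim.scan(path, data)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for model in (BaselineFim(), LastSeenFim()):
        print(type(model).__name__)
        for line in run_sequence(model):
            print("  ", line)
```

Running the block prints one alert for the baseline model and two for the last-seen model; the second last-seen alert is the revert. The practical point for a defender is that a FIM database entry which is never advanced past the first change cannot see the file return to its original state, so the restore stays invisible until something (here, a restart) rebuilds the comparison state.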
