Realtime syscheck uses the INOTIFY feature on Linux systems. The Makeall file
checks for the existence of a header file. Please see if your Ubuntu system has one
of the following:
    # Checking for inotify
    if [ "X$OS" = "XLinux" ]; then
        if [ -e /usr/include/sys/inotify.h ]; then
            echo "EEXTRA=-DUSEINOTIFY" >> Config.OS
        elif [ -e /usr/include/linux/inotify.h ]; then
            echo "EEXTRA=-DUSEINOTIFY" >> Config.OS
        fi
        LUA_PLAT="posix"
    fi
If it works, the Config.OS file will contain the '-DUSEINOTIFY' compilation
directive. Please check it.
Documentation is available at:
http://ossec-docs.readthedocs.org/en/latest/manual/syscheck/#real-time-monitoring
Good luck!
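An added example (not part of this reply and not OSSEC's own Makeall) that reproduces the header probe under a configurable root, then checks a Config.OS for the directive and an ossec.log for the start-up line mentioned in the question; it assumes a POSIX shell and constructs a fake include tree, Config.OS and ossec.log under mktemp.

```shell
#!/bin/sh
# Mirrors the Makeall probe: look for sys/inotify.h or linux/inotify.h
# under $1 (empty = the real filesystem, i.e. the installed headers).
inotify_header_path() {
    root="${1:-}"
    for h in "$root/usr/include/sys/inotify.h" "$root/usr/include/linux/inotify.h"; do
        [ -e "$h" ] && { printf '%s\n' "$h"; return 0; }
    done
    return 1
}

# The line Makeall would append to Config.OS given that probe result
# (nothing when no header is present, so syscheck builds without inotify).
expected_config_line() {
    if inotify_header_path "$1" >/dev/null; then
        printf 'EEXTRA=-DUSEINOTIFY\n'
    fi
}

# After the build: does Config.OS carry the directive? (exit 0 = yes)
config_has_inotify() {
    grep -q -- '-DUSEINOTIFY' "$1"
}

# After start-up: did syscheckd announce real-time monitoring? (exit 0 = yes)
log_has_realtime_start() {
    grep -q 'Real time file monitoring started' "$1"
}

# Both conditions together: built with inotify and real-time actually started.
realtime_ready() {
    config_has_inotify "$1" && log_has_realtime_start "$2"
}

# Constructed sample data (hypothetical paths and log lines, left in place
# so the files can be inspected afterwards).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/usr/include/sys"
: > "$demo_root/usr/include/sys/inotify.h"
expected_config_line "$demo_root" > "$demo_root/Config.OS"
printf '%s\n' 'ossec-syscheckd: INFO: Started (pid: 1234).' \
    'ossec-syscheckd: INFO: Real time file monitoring started.' \
    > "$demo_root/ossec.log"

# Run against the real system: realtime_ready /path/to/Config.OS /var/ossec/logs/ossec.log
```

Point the two check functions at the real Config.OS from your build tree and at /var/ossec/logs/ossec.log to confirm both halves of what the reply describes.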
On Wednesday, November 11, 2015 at 4:48:09 AM UTC-8, Jenia Jenia wrote:
> Hi Guys!
> I've installed and configured OSSEC to get real time notifications, but
> when I modify for instance /etc/passwd or /etc/hosts I don't get a real
> time notification.
> Scheduled notifications are working I receive events to my email.
>
> In addition documentation tells that in ossec.log there should be a line
> "Real time file monitoring started." which I never get.
>
> Please advise
>
> <global>
> <email_notification>yes</email_notification>
> <email_to>[email protected]</email_to>
> <smtp_server>mx.yandex.net.</smtp_server>
> <email_from>ossecm@myserver</email_from>
> </global>
> <!-- 550 changed, 553 deleted, 554 added -->
> <email_alerts>
> <email_to>[email protected]</email_to>
> <rule_id>550, 553, 554</rule_id>
> <do_not_delay />
> </email_alerts>
>
> <!-- Directories to check (perform all possible verifications) -->
> <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>
> <alert_new_files>yes</alert_new_files>
> <scan_on_start>no</scan_on_start>
> <auto_ignore>no</auto_ignore>
>
>
--
You received this message because you are subscribed to the Google Groups
"ossec-list" group.