I've checked, I have the /usr/include/linux/inotify.h and I have -DUSEINOTIFY.
I do have the "Real time file monitoring started." line, which I simply didn't notice. However, the problem is that real time notifications look like they are working inconsistently, i.e. if I, let's say, "apt-get install ...some package", I get the notification right away, and also when I restart OSSEC I get the email immediately, BUT when I modify /etc/hosts or some other file that is in a "directories" entry with the "realtime" parameter, then I only get a notification when ossec-syscheckd runs as scheduled. Any ideas?

On Wednesday, November 11, 2015 at 9:09:45 PM UTC+2, Jb Cheng wrote:
>
> Realtime syscheck uses the INOTIFY feature on Linux systems. The Makeall file
> checks for the existence of a header file. Please see if your Ubuntu system has one
> of the following:
>
> # Checking for inotify
> if [ "X$OS" = "XLinux" ]; then
>     if [ -e /usr/include/sys/inotify.h ]; then
>         echo "EEXTRA=-DUSEINOTIFY" >> Config.OS
>     elif [ -e /usr/include/linux/inotify.h ]; then
>         echo "EEXTRA=-DUSEINOTIFY" >> Config.OS
>     fi
>     LUA_PLAT="posix"
> fi
>
> If it works, the Config.OS file will contain the '-DUSEINOTIFY' compilation
> directive. Please check it.
>
> Documentation is available at:
> http://ossec-docs.readthedocs.org/en/latest/manual/syscheck/#real-time-monitoring
>
> Good luck!
>
> On Wednesday, November 11, 2015 at 4:48:09 AM UTC-8, Jenia Jenia wrote:
>> Hi Guys!
>> I've installed and configured OSSEC to get real time notifications, but
>> when I modify for instance /etc/passwd or /etc/hosts I don't get a real
>> time notification.
>> Scheduled notifications are working; I receive events to my email.
>>
>> In addition, the documentation says that in ossec.log there should be a line
>> "Real time file monitoring started." which I never get.
>>
>> Please advise
>>
>> <global>
>>   <email_notification>yes</email_notification>
>>   <email_to>[email protected]</email_to>
>>   <smtp_server>mx.yandex.net.</smtp_server>
>>   <email_from>ossecm@myserver</email_from>
>> </global>
>> <!-- 550 changed, 553 deleted, 554 added -->
>> <email_alerts>
>>   <email_to>[email protected]</email_to>
>>   <rule_id>550, 553, 554</rule_id>
>>   <do_not_delay />
>> </email_alerts>
>>
>> <!-- Directories to check (perform all possible verifications) -->
>> <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>>
>> <alert_new_files>yes</alert_new_files>
>> <scan_on_start>no</scan_on_start>
>> <auto_ignore>no</auto_ignore>

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
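As an added example (not part of this thread and not OSSEC's own Makeall), the following POSIX shell script turns the checks discussed in the messages above into reusable functions: the inotify header probe that Makeall performs, the presence of the -DUSEINOTIFY directive in Config.OS, the "Real time file monitoring started." line in ossec.log, and the count of <directories> entries in ossec.conf that request realtime="yes". Every path is passed as an argument so the checks can be run against a copy or a constructed test tree; the default paths and the argument-driven report at the bottom are assumptions, not OSSEC conventions.

```shell
#!/bin/sh
# Added example: post-install verification of OSSEC realtime syscheck prerequisites.
# All paths are parameters (defaults below are assumptions) so the functions can
# be exercised against a constructed directory tree as well as a live install.

# Mirror of the Makeall probe: prints the EEXTRA line Makeall would append to
# Config.OS when either inotify header exists under the given include root,
# and prints nothing otherwise.
inotify_flag_for_root() {
    root="${1:-/usr/include}"
    if [ -e "$root/sys/inotify.h" ] || [ -e "$root/linux/inotify.h" ]; then
        echo "EEXTRA=-DUSEINOTIFY"
    fi
}

# Was the build actually configured with inotify? Exit status 0 when the given
# Config.OS carries the -DUSEINOTIFY directive.
config_has_inotify() {
    grep -q -- '-DUSEINOTIFY' "$1"
}

# Did ossec-syscheckd start realtime monitoring? Exit status 0 when the given
# ossec.log contains the line the documentation says should appear.
log_shows_realtime() {
    grep -q 'Real time file monitoring started' "$1"
}

# How many <directories> entries in the given ossec.conf ask for realtime?
# grep -c prints 0 but exits 1 on no match, so the exit status is masked to
# keep the count usable under set -e.
realtime_directory_count() {
    grep -c '<directories[^>]*realtime="yes"' "$1" || true
}

# Human-readable report; arguments: include root, Config.OS, ossec.log, ossec.conf.
report() {
    inc="${1:-/usr/include}"
    cfg_os="${2:-Config.OS}"
    log="${3:-/var/ossec/logs/ossec.log}"
    conf="${4:-/var/ossec/etc/ossec.conf}"

    flag=$(inotify_flag_for_root "$inc")
    if [ -n "$flag" ]; then
        echo "inotify header: found under $inc ($flag)"
    else
        echo "inotify header: MISSING under $inc (realtime cannot be built)"
    fi

    if config_has_inotify "$cfg_os"; then
        echo "Config.OS: -DUSEINOTIFY present"
    else
        echo "Config.OS: -DUSEINOTIFY absent (rebuild after fixing the header)"
    fi

    if log_shows_realtime "$log"; then
        echo "ossec.log: realtime monitoring started"
    else
        echo "ossec.log: no 'Real time file monitoring started.' line"
    fi

    echo "ossec.conf: $(realtime_directory_count "$conf") <directories> entries with realtime=\"yes\""
}

# Only run the report when invoked with explicit paths, e.g.:
#   sh check_realtime.sh /usr/include ./Config.OS /var/ossec/logs/ossec.log /var/ossec/etc/ossec.conf
if [ "$#" -gt 0 ]; then
    report "$@"
fi
```

Run it against the paths of a real install to see at which of the three stages (header, build directive, daemon startup) realtime support drops out; the directory count is a quick sanity check that the realtime="yes" attribute actually landed on the <directories> line rather than on a neighbouring element.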
