Are you using scan_on_start option? Remember realtime won't work until
first syscheck is done.

I also recommend using alert_new_files and setting auto_ignore to "no" (this
goes on the manager).

A useful troubleshooting tip is to enable debug for syscheck on the agent
(internal_options.conf file).

Best

On Wed, Nov 11, 2015 at 12:59 PM, Jenia Jenia <[email protected]> wrote:

> I've checked, I have the /usr/include/linux/inotify.h and I have
> -DUSEINOTIFY.
>
> I do have the "Real time file monitoring started.", which I simply didn't
> notice.
>
> However, the problem is that it looks like real time notifications are
> working inconsistently, i.e. if I, let's say, "apt-get install ...some
> package", I get the notification right away; also when I restart OSSEC I get
> an email immediately, BUT when I modify /etc/hosts or some other file that is
> covered by the "realtime" parameter in "directories", then I only get a
> notification when ossec-syscheckd runs as scheduled.
>
> Any ideas?
>
> On Wednesday, November 11, 2015 at 9:09:45 PM UTC+2, Jb Cheng wrote:
>>
>> Realtime syscheck uses the INOTIFY feature on Linux systems. The Makeall file
>> checks for the existence of a header file. Please see if your Ubuntu system has one
>> of the following:
>>
>>     # Checking for inotify
>>     if [ "X$OS" = "XLinux" ]; then
>>         if [ -e /usr/include/sys/inotify.h ]; then
>>             echo "EEXTRA=-DUSEINOTIFY" >> Config.OS
>>         elif [ -e /usr/include/linux/inotify.h ]; then
>>             echo "EEXTRA=-DUSEINOTIFY" >> Config.OS
>>         fi
>>         LUA_PLAT="posix"
>>     fi
>>
>>
>> If it works, the Config.OS file will contain the '-DUSEINOTIFY' compilation
>> directive. Please check it.
>>
>> Documentation is available at:
>> http://ossec-docs.readthedocs.org/en/latest/manual/syscheck/#real-time-monitoring
>>
>> Good luck!
>>
>> On Wednesday, November 11, 2015 at 4:48:09 AM UTC-8, Jenia Jenia wrote:
>>
>>> Hi Guys!
>>> I've installed and configured OSSEC to get real time notifications, but
>>> when I modify for instance /etc/passwd or /etc/hosts I don't get a real
>>> time notification.
>>> Scheduled notifications are working I receive events to my email.
>>>
>>> In addition documentation tells that in ossec.log there should be a line
>>> "Real time file monitoring started." which I never get.
>>>
>>> Please advise
>>>
>>>   <global>
>>>     <email_notification>yes</email_notification>
>>>     <email_to>[email protected]</email_to>
>>>     <smtp_server>mx.yandex.net.</smtp_server>
>>>     <email_from>ossecm@myserver</email_from>
>>>   </global>
>>>   <!-- 550 changed, 553 deleted, 554 added -->
>>>   <email_alerts>
>>>     <email_to>[email protected]</email_to>
>>>     <rule_id>550, 553, 554</rule_id>
>>>     <do_not_delay />
>>>   </email_alerts>
>>>
>>>   <!-- Directories to check (perform all possible verifications) -->
>>>   <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>>>
>>>   <alert_new_files>yes</alert_new_files>
>>>   <scan_on_start>no</scan_on_start>
>>>   <auto_ignore>no</auto_ignore>
>>>
>>> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>

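The checks raised in this thread (inotify picked up at build time, realtime directories configured, the "Real time file monitoring started." log line, and scan_on_start delaying realtime until the first scheduled scan) collected into one POSIX sh script. This is an added example, not code from the thread or from the OSSEC project; the file paths are arguments, and the sample files it builds at the end are constructed to mirror the configuration quoted above.

```sh
#!/bin/sh
# Added example (not from the thread or from OSSEC): precondition checks for
# realtime syscheck. Paths are passed in; the demo files below are constructed.

build_has_inotify() {        # $1 = Config.OS written by Makeall
    grep -q -- '-DUSEINOTIFY' "$1" 2>/dev/null
}

inotify_header_present() {   # the two headers the Makeall snippet looks for
    [ -e /usr/include/sys/inotify.h ] || [ -e /usr/include/linux/inotify.h ]
}

realtime_started() {         # $1 = ossec.log on the agent
    grep -q 'Real time file monitoring started' "$1" 2>/dev/null
}

scan_on_start_enabled() {    # $1 = ossec.conf
    grep -q '<scan_on_start>yes</scan_on_start>' "$1" 2>/dev/null
}

realtime_dir_count() {       # $1 = ossec.conf; prints number of realtime entries
    n=$(grep -c 'realtime="yes"' "$1" 2>/dev/null)
    echo "${n:-0}"
}

# Prints one line per check; returns the number of checks that did not pass.
diagnose_realtime() {        # $1 = ossec.conf  $2 = ossec.log  $3 = Config.OS
    bad=0
    build_has_inotify "$3" && echo "ok: build has -DUSEINOTIFY" \
        || { echo "FAIL: no -DUSEINOTIFY in $3"; bad=$((bad + 1)); }
    [ "$(realtime_dir_count "$1")" -gt 0 ] && echo "ok: realtime directories set" \
        || { echo "FAIL: no <directories realtime=\"yes\"> in $1"; bad=$((bad + 1)); }
    realtime_started "$2" && echo "ok: realtime started according to $2" \
        || { echo "FAIL: 'Real time file monitoring started.' not in $2"; bad=$((bad + 1)); }
    # realtime only begins after the first full scan; with scan_on_start=no that
    # is the first scheduled run, so earlier changes are reported only on schedule
    scan_on_start_enabled "$1" && echo "ok: scan_on_start=yes" \
        || { echo "WARN: scan_on_start=no delays realtime until the first scheduled scan"; bad=$((bad + 1)); }
    return "$bad"
}

DEMO=$(mktemp -d)            # constructed sample files mirroring the thread
cat > "$DEMO/ossec.conf" <<'EOF'
<directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<scan_on_start>no</scan_on_start>
EOF
printf 'Real time file monitoring started.\n' > "$DEMO/ossec.log"
printf 'EEXTRA=-DUSEINOTIFY\n' > "$DEMO/Config.OS"
diagnose_realtime "$DEMO/ossec.conf" "$DEMO/ossec.log" "$DEMO/Config.OS" \
    || echo "$? check(s) did not pass"
```

On a real agent, point the three arguments at the installed ossec.conf, ossec.log and the Config.OS left in the source tree by Makeall.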