Are you using scan_on_start option? Remember realtime won't work until first syscheck is done.
I also recommend to use alert_new_files and set auto_ignore to "no" (this goes on the manager). Useful troubleshooting tip is to enable debug for syscheck on the agent (internal_options.conf file).
Best

On Wed, Nov 11, 2015 at 12:59 PM, Jenia Jenia <[email protected]> wrote:
> I've checked, I have the /usr/include/linux/inotify.h and I have -DUSEINOTIFY.
>
> I do have the "Real time file monitoring started.", which I simply didn't notice.
>
> However the problem is that it looks like real time notifications are working inconsistently, i.e.: if I, let's say, "apt-get install ...some package", I get the notification right away; also when I restart OSSEC I get email immediately, BUT when I modify /etc/hosts or some other file that is with "realtime" parameter in "directories" then I only get a notification when ossec-syscheckd runs as scheduled.
>
> Any ideas?
>
> On Wednesday, November 11, 2015 at 9:09:45 PM UTC+2, Jb Cheng wrote:
>> Realtime syscheck uses INOTIFY feature on Linux systems. The Makeall file checks existence of a header file. Please see if your Ubuntu system has one of the following:
>>
>> # Checking for inotify
>> if [ "X$OS" = "XLinux" ]; then
>>     if [ -e /usr/include/sys/inotify.h ]; then
>>         echo "EEXTRA=-DUSEINOTIFY" >> Config.OS
>>     elif [ -e /usr/include/linux/inotify.h ]; then
>>         echo "EEXTRA=-DUSEINOTIFY" >> Config.OS
>>     fi
>>     LUA_PLAT="posix"
>> fi
>>
>> If it works, Config.OS file will contain the '-DUSEINOTIFY' compilation directive. Please check it.
>>
>> Documentation is available at:
>> http://ossec-docs.readthedocs.org/en/latest/manual/syscheck/#real-time-monitoring
>>
>> Good luck!
>>
>> On Wednesday, November 11, 2015 at 4:48:09 AM UTC-8, Jenia Jenia wrote:
>>> Hi Guys!
>>> I've installed and configured OSSEC to get real time notifications, but when I modify for instance /etc/passwd or /etc/hosts I don't get a real time notification.
>>> Scheduled notifications are working, I receive events to my email.
>>>
>>> In addition documentation tells that in ossec.log there should be a line "Real time file monitoring started." which I never get.
>>>
>>> Please advise
>>>
>>> <global>
>>>   <email_notification>yes</email_notification>
>>>   <email_to>[email protected]</email_to>
>>>   <smtp_server>mx.yandex.net.</smtp_server>
>>>   <email_from>ossecm@myserver</email_from>
>>> </global>
>>>
>>> <!-- 550 changed, 553 deleted, 554 added -->
>>> <email_alerts>
>>>   <email_to>[email protected]</email_to>
>>>   <rule_id>550, 553, 554</rule_id>
>>>   <do_not_delay />
>>> </email_alerts>
>>>
>>> <!-- Directories to check (perform all possible verifications) -->
>>> <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>>>
>>> <alert_new_files>yes</alert_new_files>
>>> <scan_on_start>no</scan_on_start>
>>> <auto_ignore>no</auto_ignore>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
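The two checks the replies above keep coming back to (was the agent built with -DUSEINOTIFY, and has ossec-syscheckd actually logged "Real time file monitoring started." yet, which only happens after the first scan completes) can be scripted. The script below is an added example, not code from the thread or from the OSSEC project; it mirrors the Makeall header test shown in the quoted reply, reads the Config.OS and ossec.log paths it is given, and the sample files used in its self-test are constructed. The default paths in the stand-alone guard are assumptions about a stock source tree and a /var/ossec install.

```shell
#!/bin/sh
# Added example (not from the thread or the OSSEC project): check the two
# preconditions for syscheck realtime that the replies above ask about:
#   1. the build wrote -DUSEINOTIFY into Config.OS (Makeall does this when
#      /usr/include/sys/inotify.h or /usr/include/linux/inotify.h exists);
#   2. ossec.log already contains "Real time file monitoring started.",
#      which ossec-syscheckd only logs once the first syscheck scan is done.

# Same test as Makeall, but relative to an optional root so it can be run
# against a chroot, a mounted image, or a constructed temp tree.
inotify_header_present() {
    root=${1:-}
    [ -e "$root/usr/include/sys/inotify.h" ] || [ -e "$root/usr/include/linux/inotify.h" ]
}

# Config.OS is written by Makeall; the EEXTRA line carries the define.
realtime_compiled_in() {
    grep -q -e '-DUSEINOTIFY' "$1" 2>/dev/null
}

# Logged by ossec-syscheckd after the initial scan; absent while scan_on_start
# is "no" and no scheduled scan has run yet.
realtime_started() {
    grep -q 'Real time file monitoring started' "$1" 2>/dev/null
}

# Exit status: 0 realtime active, 1 compiled in but not started yet,
# 2 not compiled in at all.
check_realtime() {
    config_os=$1
    log=$2
    if ! realtime_compiled_in "$config_os"; then
        echo "realtime NOT compiled in: no -DUSEINOTIFY in $config_os (install inotify headers and rebuild)"
        return 2
    fi
    if ! realtime_started "$log"; then
        echo "realtime compiled in but not started: no start message in $log (scan_on_start=no, or first scan still running)"
        return 1
    fi
    echo "realtime active"
    return 0
}

# Stand-alone use: sh check_ossec_realtime.sh <Config.OS> [ossec.log]
# (the default log path below is an assumption about a stock install)
if [ "$#" -ge 1 ]; then
    check_realtime "$1" "${2:-/var/ossec/logs/ossec.log}"
fi
```

If the script reports "compiled in but not started", the fix is the one in the reply above: set scan_on_start to "yes" (or wait for the scheduled scan) so that the initial scan finishes and realtime is armed; if it reports "NOT compiled in", no amount of ossec.conf changes will help until the agent is rebuilt with the inotify header available. Raising syscheck debug in internal_options.conf (the syscheck.debug setting in the stock file) on the agent then shows which directories were actually added to the inotify watch list.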
