Hi, I am trying to get report_changes working for the /etc directory. After enabling it, along with the real-time option, the agent correctly logs all the changes immediately under "/var/ossec/queue/diff/local/etc/". All changes are recorded into their respective folders. Each time an edit is made, a new diff file is generated.
To enable it, I added the following under ossec.conf on the agent:

<directories realtime="yes" report_changes="yes" check_all="yes">/etc</directories>

But these "diff.XXXXXXX" files never make it to the OSSEC server. Are they supposed to? When I check for this specific agent under "/var/ossec/queue/diff/AgentName", the only files listed are "state.XXXXXXXX". Apart from setting <report_changes>, is there any other configuration that I missed?

Agent Version - 2.8.1 (also tested with 2.8.3)
Agent OS - CentOS 6.6
Server OS - CentOS 6.6

Many Thanks,
~ Abhi
