What OS are you running? Linux, isn't it? Extracted from OSSEC Docs:

*"Real time only works with directories, not individual files. So you can monitor the /etc or C:\program files directory, but not an individual file like /etc/file.txt."*

In my experience, I can tell you real time does not work if a syscheck scan is running; I mean, if the scan is running, the realtime option won't work until syscheck finishes the scan.

Regards,
Pedro S.

On Thursday, April 14, 2016 at 8:51:20 PM UTC+2, thak wrote:
>
> So after some investigating it seems what's ACTUALLY happening is that the realtime notifications aren't working, and the syscheck 20 hour scan is picking up the changes. Thus, one could reasonably (I think) interpret this as delayed realtime notifications.
>
> I certainly have the realtime="yes" option set for these directories, and the inotify package installed. Anything else I'm missing? Might give the agents a restart just in case.
>
> On Thursday, April 14, 2016 at 2:21:02 PM UTC-4, thak wrote:
>>
>> I hadn't really considered the mail server may be the problem - we naturally utilize sendmail to offload the notifications and route them through our corporate O365 exchange server.
>>
>> I was getting some integrity changes hours after the changes actually occurred (on boxes with realtime=yes and inotify packages installed). I also double checked my inbox, and this particular alert (for a file being re-added, i.e. a new version) only appears once in my inbox.
>>
>> On Wednesday, April 6, 2016 at 4:40:08 PM UTC-4, [email protected] wrote:
>>>
>>> Did you look at the maillog of your server?
>>> When were the notifications actually sent?
>>> Email may be deferred for a couple of reasons:
>>> * graylisting
>>> * mail server overloading or even inactivity.
>>>
>>> If you want fast and reliable delivery, try to set up an additional notification engine.
>>> We chose Slack, but there are a couple of chat systems that can receive notifications via their API.
>>>
>>> On Wednesday, April 6, 2016 at 17:33:03 UTC+4, thak wrote:
>>>>
>>>> Any idea what the likely reason would be for this? We were installing some diagnostic packages yesterday afternoon, but I didn't get email notifications until 0430 today.
>>>>
>>>
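To illustrate the documentation excerpt quoted at the top of this thread, below is an added example syscheck configuration. It is not taken from any poster's setup or from the OSSEC project itself; the paths and the 72000-second (20 hour) frequency are constructed for the illustration. The first `<directories>` entry is the form the docs say does not work (realtime on a single file, so changes there are only found by the periodic scan); the second is the directory-level form that realtime applies to.

```xml
<ossec_config>
  <syscheck>
    <!-- periodic full scan every 20 hours (constructed value, matching the
         scan interval discussed in the thread); realtime events are not
         delivered while this scan is in progress -->
    <frequency>72000</frequency>

    <!-- WRONG per the OSSEC docs: realtime only applies to directories,
         so this entry is effectively checked only by the periodic scan -->
    <directories check_all="yes" realtime="yes">/etc/file.txt</directories>

    <!-- CORRECT: monitor the parent directories in realtime (inotify on Linux)
         and let the periodic scan act as the safety net -->
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>

    <!-- raise an alert when a new file appears (e.g. a package re-adds a file) -->
    <alert_new_files>yes</alert_new_files>

    <!-- constructed example of excluding a noisy, frequently rewritten file -->
    <ignore>/etc/mtab</ignore>
  </syscheck>
</ossec_config>
```

After changing the configuration, restart the agent so syscheck re-registers its inotify watches; on Linux, a watch registration can also fail silently if `/proc/sys/fs/inotify/max_user_watches` is too low for the number of files under the monitored directories, which is worth checking when realtime alerts only arrive with the periodic scan.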
