On Fri, Jul 22, 2016 at 9:25 AM, EvilZ <[email protected]> wrote:
> Hi,
>
> I would like to set up monitoring for a txt file that is on a Linux server.
> I have configured syscheck and set Report_Change to yes; however,
> after 3 changes it has stopped reporting any change I make to the file. I
> would like the monitoring to act like an agentless and alert whenever a
> change has been detected, and also what exact text has been changed, with
> information such as the owner and group of the individual that has performed
> the modification. Is this the correct setting I should set up for the
> directory?
>
> <directories report_change="yes" check_all="yes">/input/ossec/</directories>
>
> Thank you,

OSSEC stops reporting on files after they have changed 3 times by default.
Turn off the auto ignore feature if you don't want this.

Reporting the user that has modified a file is trickier. You need to monitor
the file with some system process, and then ingest those logs to find the
change. Maybe auditd on Linux?

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
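
The auditd suggestion in the reply above, as an added example (not part of the thread and not OSSEC code): a parser that correlates audit records for a watched directory and reports the login uid, uid, gid and executable behind each write. The watch rule, its key name `ossec_input` and the log lines are constructed assumptions.

```python
import posixpath
import re
import shlex
from collections import defaultdict

# Constructed audit.log records (not from the thread). Assumes a watch such as
#   auditctl -w /input/ossec/ -p wa -k ossec_input   (key name is hypothetical)
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1469179500.123:4242): syscall=2 success=yes pid=1234 auid=1001 uid=1001 gid=1001 comm="vim" exe="/usr/bin/vim" key="ossec_input"
type=CWD msg=audit(1469179500.123:4242): cwd="/input/ossec"
type=PATH msg=audit(1469179500.123:4242): item=0 name="data.txt" inode=131 nametype=NORMAL
type=SYSCALL msg=audit(1469179560.456:4250): syscall=2 success=yes pid=1300 auid=1002 uid=0 gid=0 comm="cat" exe="/usr/bin/cat" key=(null)
type=SYSCALL msg=audit(1469179620.789:4260): syscall=2 success=yes pid=1400 auid=1002 uid=0 gid=0 comm="tee" exe="/usr/bin/tee" key="ossec_input"
type=PATH msg=audit(1469179620.789:4260): item=0 name="/input/ossec/" inode=130 nametype=PARENT
type=PATH msg=audit(1469179620.789:4260): item=1 name="/input/ossec/data.txt" inode=131 nametype=NORMAL
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')

def who_changed(log_text, key, watched_dir):
    """Group records by event serial, then report who wrote under watched_dir."""
    events = defaultdict(lambda: {'sc': None, 'cwd': '/', 'paths': []})
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # not an audit record
        rtype, ts, serial, body = m.groups()
        # shlex keeps quoted values such as exe="/usr/bin/vim" in one token
        f = dict(t.split('=', 1) for t in shlex.split(body) if '=' in t)
        ev = events[serial]
        if rtype == 'SYSCALL':
            ev['sc'] = dict(f, time=float(ts))
        elif rtype == 'CWD':
            ev['cwd'] = f.get('cwd', '/')
        elif rtype == 'PATH' and f.get('nametype') != 'PARENT':
            ev['paths'].append(f.get('name', ''))
    hits = []
    for ev in events.values():
        sc = ev['sc']
        if not sc or sc.get('key') != key:
            continue  # event did not come from our watch rule
        for name in ev['paths']:
            # PATH names may be relative to the process working directory
            path = posixpath.normpath(posixpath.join(ev['cwd'], name))
            if path.startswith(watched_dir.rstrip('/') + '/'):
                # auid is the login uid; it survives su/sudo, unlike uid
                who = {k: sc.get(k) for k in ('time', 'auid', 'uid', 'gid', 'exe')}
                hits.append(dict(who, file=path))
    return hits
```

In the second constructed event, `uid=0` with `auid=1002` shows a change made as root by a session that logged in as uid 1002.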
