Dan, is this 3 times thing for a certain time threshold? Like once an hr, day, etc.? If yes, is there a way to change that?
Thanks,
Sri

On Friday, 22 July 2016 08:10:51 UTC-6, dan (ddpbsd) wrote:
> On Fri, Jul 22, 2016 at 9:25 AM, EvilZ <[email protected]> wrote:
> > Hi,
> >
> > I would like to set up monitoring for a txt file that is on a Linux server.
> > I have configured the syscheck and set Report_Change to yes; however,
> > after 3 changes it has stopped reporting any change I do to the file. I
> > would like the monitoring to act like an agentless and alert whenever a
> > change has been detected, and also what exact text has been changed, with
> > information such as the owner and group of the individual that has performed
> > the modification. Is this the correct setting I should set up for the
> > directory?
> >
> > <directories report_change="yes" check_all="yes">/input/ossec/</directories>
> >
> > Thank you,
>
> OSSEC stops reporting on files after they have changed 3 times by
> default. Turn off the auto ignore feature if you don't want this.
>
> Reporting the user that has modified a file is trickier. You need to
> monitor the file with some system process, and then ingest those logs
> to find the change. Maybe auditd on Linux?
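
The auditd approach suggested in the quoted reply, as an added example that is not part of the original thread: it joins the SYSCALL and PATH records that auditd writes for one event to show which user and group touched a watched file. The watch rule, the key name `ossec_input` and the log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed audit.log sample (not from the thread). Assumes a watch rule like
#   auditctl -w /input/ossec/ -p wa -k ossec_input   (key name is hypothetical)
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1469196651.123:4242): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2100 pid=2150 auid=1001 uid=1001 gid=1001 comm="vim" exe="/usr/bin/vim" key="ossec_input"
type=PATH msg=audit(1469196651.123:4242): item=0 name="/input/ossec/notes.txt" inode=131 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1469196700.456:4250): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 comm="cron" exe="/usr/sbin/cron" key=(null)
type=PATH msg=audit(1469196700.456:4250): item=0 name="/etc/crontab" inode=77 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by (timestamp, serial); auditd emits several per event."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # skip anything that is not an audit record
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        event = events[(ts, serial)]
        if rtype == "SYSCALL":
            event["syscall"] = fields           # who: auid/uid/gid/exe
        elif rtype == "PATH":
            event["paths"].append(fields.get("name", ""))  # what: file name
    return events

def who_changed(text, key):
    """Return one entry per watched path touched by an event tagged with key."""
    hits = []
    for (ts, _serial), event in sorted(parse_events(text).items()):
        sc = event["syscall"]
        if sc is None or sc.get("key") != key:
            continue
        for path in event["paths"]:
            # auid is the login uid, so it survives su/sudo; uid is the current one
            hits.append({"time": float(ts), "path": path, "auid": sc.get("auid"),
                         "uid": sc.get("uid"), "gid": sc.get("gid"), "exe": sc.get("exe")})
    return hits

if __name__ == "__main__":
    for hit in who_changed(SAMPLE_LOG, "ossec_input"):
        print(hit)
```

The ids are numeric as logged; `ausearch -i` resolves them to user and group names on the host that produced the log.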
