On Fri, Jul 22, 2016 at 12:07 PM, srik <[email protected]> wrote:
> Dan,
>
> Is this 3 times thing for certain time threshold? Like for once an hr, day,
> etc.? If yes, is there a way to change that?
>

No, it's a total of 3 times ever.

> Thanks,
> Sri
>
> On Friday, 22 July 2016 08:10:51 UTC-6, dan (ddpbsd) wrote:
>>
>> On Fri, Jul 22, 2016 at 9:25 AM, EvilZ <[email protected]> wrote:
>> > Hi,
>> >
>> > I would like to set up monitoring for a txt file that is on a Linux
>> > server. I have configured the syscheck and selected Report_Change to yes;
>> > however, after 3 changes it has stopped reporting any change I make to the
>> > file. I would like the monitoring to act like an agentless and alert
>> > whenever a change has been detected, and also what exact text has been
>> > changed, with information such as the owner and group of the individual
>> > that has performed the modification. Is this the correct setting I should
>> > set up for the directory?
>> >
>> > <directories report_change="yes" check_all="yes">/input/ossec/</directories>
>> >
>> > Thank you,
>> >
>>
>> OSSEC stops reporting on files after they have changed 3 times by
>> default. Turn off the auto ignore feature if you don't want this.
>>
>> Reporting the user that has modified a file is trickier. You need to
>> monitor the file with some system process, and then ingest those logs
>> to find the change. Maybe auditd on Linux?
>>
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
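One way to follow the auditd suggestion in the thread, as an added example that is not part of the original messages: group audit records by event id and report who touched a file under the watched directory. The watch rule, the key name `ossec_input`, the file name `notes.txt` and the log records are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed audit.log records (trimmed to the fields used), as a watch like
#   auditctl -w /input/ossec/ -p wa -k ossec_input
# would log them. The key name and notes.txt are assumptions.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1469196471.512:801): syscall=2 success=yes exit=3 items=2 pid=2154 auid=1001 uid=0 gid=0 comm="vim" exe="/usr/bin/vim" key="ossec_input"
type=PATH msg=audit(1469196471.512:801): item=0 name="/input/ossec/" inode=131 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1469196471.512:801): item=1 name="/input/ossec/notes.txt" inode=140 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1469196502.100:815): syscall=2 success=no exit=-13 items=1 pid=2201 auid=1002 uid=1002 gid=1002 comm="bash" exe="/bin/bash" key="ossec_input"
type=PATH msg=audit(1469196502.100:815): item=0 name="/input/ossec/notes.txt" inode=140 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1469196530.007:822): syscall=2 success=yes exit=3 items=1 pid=2230 auid=1001 uid=1001 gid=1001 comm="cat" exe="/bin/cat" key="other_rule"
type=PATH msg=audit(1469196530.007:822): item=0 name="/etc/hosts" inode=77 ouid=0 ogid=0 nametype=NORMAL
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(log_text):
    """Group records that share one audit event id (timestamp:serial)."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            rtype, event_id, body = m.groups()
            fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
            events[event_id][rtype].append(fields)
    return events

def who_changed(log_text, key, watched_dir):
    """Return one dict per audited access to a file under watched_dir."""
    hits = []
    for event_id, recs in parse_events(log_text).items():
        for sc in recs["SYSCALL"]:
            if sc.get("key") != key:
                continue  # event belongs to a different audit rule
            for path in recs["PATH"]:
                name = path.get("name", "")
                if path.get("nametype") == "PARENT" or not name.startswith(watched_dir):
                    continue  # skip the directory entry itself
                hits.append({
                    "time": float(event_id.split(":")[0]),
                    "file": name,
                    "auid": sc.get("auid"),  # login uid: survives su/sudo
                    "uid": sc.get("uid"), "gid": sc.get("gid"),
                    "exe": sc.get("exe"), "success": sc.get("success") == "yes",
                })
    return hits
```

The ids are numeric as logged; `auid` is the value to map back to a person, since `uid` shows 0 when the edit was made through sudo.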
