Hi Dan,

I placed the <auto_ignore>no</auto_ignore> in the syscheck section and for some reason it simply does not trigger.
Is it possible that once it was triggered three times it goes in a do-not-check list that I have to reset? If ever I wish to perform the same locally, is there a different step?

Thank you,

On Friday, July 22, 2016 at 10:10:51 AM UTC-4, dan (ddpbsd) wrote:
> On Fri, Jul 22, 2016 at 9:25 AM, EvilZ <[email protected]> wrote:
> > Hi,
> >
> > I would like to set up monitoring for a txt file that is in a Linux server.
> > I have configured the syscheck and selected Report_Change to yes; however,
> > after 3 changes it has stopped reporting any change I do to the file. I
> > would like the monitoring to act like an agentless and alert whenever a
> > change has been detected and also what exact text has been changed, with the
> > information such as the owner and group of the individual that has performed
> > the modification. Is this the correct setting I should set up for the
> > directory?
> >
> > <directories report_change="yes" check_all="yes">/input/ossec/</directories>
> >
> > Thank you,
>
> OSSEC stops reporting on files after they have changed 3 times by
> default. Turn off the auto ignore feature if you don't want this.
>
> Reporting the user that has modified a file is trickier. You need to
> monitor the file with some system process, and then ingest those logs
> to find the change. Maybe auditd on Linux?
>
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
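
The auditd approach suggested in the quoted reply, sketched as an added example that is not part of the original thread or of OSSEC: it correlates auditd SYSCALL and PATH records by event id to report which login uid, uid, gid and program touched a file under the monitored directory. The log lines are constructed, and the watch key `ossec_input` and file name `notes.txt` are assumptions.

```python
import re

# Constructed audit.log records (not real output). Assumes a watch like:
#   auditctl -w /input/ossec/ -p wa -k ossec_input   (key name is hypothetical)
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1469197851.120:901): arch=c000003e syscall=2 success=yes exit=3 pid=2143 auid=1001 uid=1001 gid=1001 comm="vi" exe="/usr/bin/vi" key="ossec_input"
type=PATH msg=audit(1469197851.120:901): item=0 name="/input/ossec/notes.txt" inode=131 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1469197900.512:907): arch=c000003e syscall=2 success=no exit=-13 pid=2260 auid=1002 uid=1002 gid=1002 comm="bash" exe="/usr/bin/bash" key="ossec_input"
type=PATH msg=audit(1469197900.512:907): item=0 name="/input/ossec/notes.txt" inode=131 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1469197950.001:915): arch=c000003e syscall=2 success=yes exit=3 pid=2301 auid=1001 uid=0 gid=0 comm="cat" exe="/usr/bin/cat" key="other"
type=PATH msg=audit(1469197950.001:915): item=0 name="/etc/hosts" inode=77 mode=0100644 ouid=0 ogid=0
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+:\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by event id (timestamp:serial); one event spans several lines."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip anything that is not an audit record
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events.setdefault(event_id, {"syscall": None, "paths": []})
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name", ""))
    return events

def who_changed(text, watched_dir, key):
    """Return one dict per watched-path access, including denied attempts."""
    hits = []
    for event_id, ev in parse_events(text).items():
        sc = ev["syscall"]
        if sc is None or sc.get("key") != key:
            continue  # event has no syscall record or belongs to another rule
        for path in ev["paths"]:
            if path.startswith(watched_dir):
                hits.append({"event": event_id, "path": path,
                             "auid": sc.get("auid"), "uid": sc.get("uid"),
                             "gid": sc.get("gid"), "exe": sc.get("exe"),
                             "success": sc.get("success") == "yes"})
    return hits

if __name__ == "__main__":
    for hit in who_changed(SAMPLE_LOG, "/input/ossec/", "ossec_input"):
        print(hit)
```

The `auid` field is the login uid, which stays the same across `su` or `sudo`, so it identifies the account that originally logged in even when `uid` is 0.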
