I just installed OSSEC in the Azure space. HIDS seems OK, but FIM isn't.
First, realtime monitoring simply isn't working. FIM only seems to work when
the scan runs, which I have set to 10 minutes for testing. Second, I only
seem to get a fraction of the changes I've made. For testing I have 4
folders, and I make 2 changes in each folder, usually an edit and a delete
and/or add. I just did that 2 times in the last hour, so 16 changes, and I
received alerts for only 3 of those changes.
The OSSEC Manager server is CentOS, the agent is Windows Server 2012 R2.
The agent does say "INFO: Real time file monitoring started."
Following are the configs for the manager server and the agent server. Is
there something I am missing?
Agent: yes, the lines for the directories to monitor are intentionally each a
little different while I fiddle with this. If one is wrong please let
<!-- Syscheck - Integrity Checking config. -->
<!-- Default frequency, every 20 hours. It doesn't need to be higher
- on most systems and once a day should be enough.
-->
<!-- By default it is disabled. In the Install you must choose
- to enable it.
-->
<directories check_all="yes" realtime="yes">C:\TestOSS1</directories>
<directories realtime="yes" check_all="yes">C:\TestOSS2</directories>
<directories check_all="yes" report_changes="yes"
<directories realtime="yes" report_changes="yes"
<!-- Default files to be monitored - system32 only. -->
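As an added example (not the poster's configuration), the manager-side settings that most often explain "only some changes alert" in OSSEC, next to a cleaned-up agent block using the post's two paths. It assumes OSSEC 2.x syntax and the default /var/ossec install paths on the CentOS manager.

```xml
<!-- ===== Manager: /var/ossec/etc/ossec.conf (added example) =====
     Both options below are evaluated by ossec-analysisd on the manager,
     so putting them in the Windows agent's config has no effect. -->
<ossec_config>
  <syscheck>
    <!-- Default "no": a newly created file is decoded but never alerted. -->
    <alert_new_files>yes</alert_new_files>
    <!-- Default "yes": once a file has changed about three times in a
         short window the manager stops alerting on it. Repeated edits
         of the same test file then look like "missing" events. -->
    <auto_ignore>no</auto_ignore>
  </syscheck>
</ossec_config>

<!-- ===== Manager: /var/ossec/rules/local_rules.xml (added example) =====
     Rule 554 (file added) ships at level 0, which means it is ignored.
     Raise it so new-file events appear in alerts.log. -->
<group name="syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
  </rule>
</group>

<!-- ===== Windows agent: ossec.conf (added example) =====
     Identical attributes on every entry so test results are comparable. -->
<ossec_config>
  <syscheck>
    <frequency>600</frequency>   <!-- 10-minute scan, as set in the post -->
    <directories check_all="yes" realtime="yes">C:\TestOSS1</directories>
    <directories check_all="yes" realtime="yes">C:\TestOSS2</directories>
  </syscheck>
</ossec_config>
```

Restart the manager after changing ossec.conf or local_rules.xml, and restart the agent after changing its syscheck block, since both read the configuration only at startup.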