Realtime monitoring seems to be working now that I've adjusted the scan 
frequency. Earlier the scan frequency was 4 hours, then 10 minutes. It's 
now 20 minutes and realtime now seems to work. I don't claim it makes 
sense, it's just what I'm observing.

OK, I've discovered that the config doesn't like this line. I modified it to 
reflect one of the others and it works.

    <directories check_all="yes" report_changes="yes" 

And I've realized it's also including multiple alerts in one email. I'd 
rather have one email per alert, or at least a way to configure it. But I get 
that this reduces the count of emails.

On Friday, October 14, 2016 at 11:06:53 AM UTC-7, Matt wrote:

> Hello,
> I just installed OSSEC in the Azure space, HIDS seems ok but FIM isn't 
> behaving consistently.
> First, realtime monitoring simply isn't working. FIM only seems to work when 
> the scan runs, which I have set to 10 minutes for testing. Second, I only 
> seem to get a fraction of the changes I've made. For testing I have 4 
> folders, and I make 2 changes in each folder, usually an edit and a delete 
> and/or add. I just did that 2 times in the last hour, so 16 changes, and I 
> received alerts for only 3 of those changes.
> The OSSEC Manager server is CentOS, the agent is Windows Server 2012 R2. 
> The agent does say "INFO: Real time file monitoring started.".
> Following are the configs for the manager server and the agent server. Is 
> there something I am missing? 
> Manager
> <ossec_config>
>   <global>
>     <email_notification>yes</email_notification>
>     <email_maxperhour>500</email_maxperhour>
>     <email_to></email_to>
>     <smtp_server></smtp_server>
>     <email_from></email_from>
>     <logall>yes</logall>
>   </global>
> Agent, yes the lines are intentionally each a little different for the 
> directories to monitor while fiddling with this. If one is wrong please let 
> me know.
>   <!-- Syscheck - Integrity Checking config. -->
>   <syscheck>
>     <!-- Default frequency, every 20 hours. It doesn't need to be higher
>       -  on most systems and one a day should be enough.
>       -->
>     <frequency>600</frequency>
>     <alert_new_files>yes</alert_new_files>
>     <auto_ignore>no</auto_ignore>
>     <!-- By default it is disabled. In the Install you must choose
>       -  to enable it.
>       -->
>     <disabled>no</disabled>  
>     <directories check_all="yes" realtime="yes">C:\TestOSS1</directories>
>     <directories realtime="yes" check_all="yes">C:\TestOSS2</directories>
>     <directories check_all="yes" report_changes="yes" realtime="yes">C:\TestOSS3</directories>
>     <directories realtime="yes" report_changes="yes" check_all="yes">C:\TestOSS4</directories>
>     <!-- Default files to be monitored - system32 only. -->
>     <directories check_all="yes">%WINDIR%/win.ini</directories>
>     <directories check_all="yes">%WINDIR%/system.ini</directories>
> Thanks,
> Matt
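The syscheck block quoted above, summarised by an added Python example (not code from the thread or from OSSEC itself): it parses a constructed copy of that agent config and lists which paths actually carry the realtime, check_all and report_changes options and what the scan frequency works out to. It also handles OSSEC's comma-separated path lists in a single `<directories>` element, which the quoted config does not use.

```python
"""Summarise the <syscheck> block of an OSSEC agent config (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the agent config quoted in the thread.
SAMPLE_CONFIG = """
<ossec_config>
  <syscheck>
    <frequency>600</frequency>
    <alert_new_files>yes</alert_new_files>
    <disabled>no</disabled>
    <directories check_all="yes" realtime="yes">C:\\TestOSS1</directories>
    <directories realtime="yes" check_all="yes">C:\\TestOSS2</directories>
    <directories check_all="yes" report_changes="yes" realtime="yes">C:\\TestOSS3</directories>
    <directories realtime="yes" report_changes="yes" check_all="yes">C:\\TestOSS4</directories>
    <directories check_all="yes">%WINDIR%/win.ini,%WINDIR%/system.ini</directories>
  </syscheck>
</ossec_config>
"""

OPTIONS = ("check_all", "realtime", "report_changes")

def parse_ossec_config(text):
    # ossec.conf may contain several top-level <ossec_config> blocks, so wrap them
    return ET.fromstring("<root>" + text + "</root>")

def summarize_syscheck(text):
    root = parse_ossec_config(text)
    summary = {"frequency": None, "disabled": None, "entries": []}
    for sc in root.iter("syscheck"):
        freq = sc.findtext("frequency")
        if freq is not None:
            summary["frequency"] = int(freq.strip())
        disabled = sc.findtext("disabled")
        if disabled is not None:
            summary["disabled"] = disabled.strip().lower() == "yes"
        for el in sc.findall("directories"):
            # an attribute that is absent or not "yes" counts as off
            opts = {k: el.get(k, "no").strip().lower() == "yes" for k in OPTIONS}
            for path in (el.text or "").split(","):   # comma-separated paths allowed
                if path.strip():
                    summary["entries"].append({"path": path.strip(), **opts})
    return summary

def realtime_paths(text):
    return [e["path"] for e in summarize_syscheck(text)["entries"] if e["realtime"]]

if __name__ == "__main__":
    s = summarize_syscheck(SAMPLE_CONFIG)
    print(f"frequency: {s['frequency']} s ({s['frequency'] / 60:.0f} min)")
    for e in s["entries"]:
        print(f"{e['path']:<25} {','.join(k for k in OPTIONS if e[k]) or '-'}")
```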

