Hi Santiago, I just came across your post. Are you saying that 
auto_ignore and alert_new_files go in /var/ossec/etc/ossec.conf on the 
manager OR in /var/ossec/etc/shared/agent.conf on the manager? Obviously, 
the latter will eventually be placed on the Agent. I thought that 
/var/ossec/etc/ossec.conf (on the manager) only applied to syscheck 
settings locally (in this case, the manager) and that agent.conf would 
control what happens on the Agents. This is a little confusing.



On Thursday, November 12, 2015 at 5:44:56 PM UTC-8, Santiago Bassett wrote:
>
> Are you using the scan_on_start option? Remember realtime won't work until 
> the first syscheck is done.
>
> I also recommend using alert_new_files and setting auto_ignore to "no" (this 
> goes on the manager).
>
> A useful troubleshooting tip is to enable debug for syscheck on the agent 
> (internal_options.conf file).
>
> Best
>
> On Wed, Nov 11, 2015 at 12:59 PM, Jenia Jenia <jen...@gmail.com> wrote:
>
>> I've checked, I have the /usr/include/linux/inotify.h and I have 
>> -DUSEINOTIFY.
>>
>> I do have the "Real time file monitoring started.", which I simply didn't 
>> notice.
>>
>> However, the problem is that it looks like real time notifications are 
>> working inconsistently, i.e. if I, let's say, run "apt-get install ...some 
>> package", I get the notification right away; also when I restart OSSEC I get 
>> an email immediately, BUT when I modify /etc/hosts or some other file that is 
>> configured with the "realtime" parameter in "directories", then I only get a 
>> notification when ossec-syscheckd runs as scheduled.
>>
>> Any ideas?
>>
>>
>>
>>
>> On Wednesday, November 11, 2015 at 9:09:45 PM UTC+2, Jb Cheng wrote:
>>>
>>> Realtime syscheck uses the INOTIFY feature on Linux systems. The Makeall 
>>> file checks for the existence of a header file. Please see if your Ubuntu system 
>>> has one of the following:
>>>
>>>     # Checking for inotify
>>>     if [ "X$OS" = "XLinux" ]; then
>>>         if [ -e /usr/include/sys/inotify.h ]; then
>>>             echo "EEXTRA=-DUSEINOTIFY" >> Config.OS
>>>         elif [ -e /usr/include/linux/inotify.h ]; then
>>>             echo "EEXTRA=-DUSEINOTIFY" >> Config.OS
>>>         fi
>>>         LUA_PLAT="posix"
>>>     fi
>>>
>>>
>>> If it works, the Config.OS file will contain the '-DUSEINOTIFY' compilation 
>>> directive. Please check it.
>>>
>>> Documentation is available at: 
>>> http://ossec-docs.readthedocs.org/en/latest/manual/syscheck/#real-time-monitoring
>>>  
>>> Good luck!
>>>
>>> On Wednesday, November 11, 2015 at 4:48:09 AM UTC-8, Jenia Jenia wrote:
>>>
>>>> Hi Guys!
>>>> I've installed and configured OSSEC to get real time notifications, but 
>>>> when I modify for instance /etc/passwd or /etc/hosts I don't get a real 
>>>> time notification.
>>>> Scheduled notifications are working; I receive events by email.
>>>>
>>>> In addition, the documentation says that there should be a line in 
>>>> ossec.log reading "Real time file monitoring started.", which I never get.
>>>>
>>>> Please advise
>>>>
>>>>   <global>
>>>>     <email_notification>yes</email_notification>
>>>>     <email_to>jen...@gmail.com</email_to>
>>>>     <smtp_server>mx.yandex.net.</smtp_server>
>>>>     <email_from>ossecm@myserver</email_from>
>>>>   </global>
>>>>
>>>>   <!-- 550 changed, 553 deleted, 554 added -->
>>>>   <email_alerts>
>>>>     <email_to>jen...@gmail.com</email_to>
>>>>     <rule_id>550, 553, 554</rule_id>
>>>>     <do_not_delay />
>>>>   </email_alerts>
>>>>
>>>>   <!-- Directories to check (perform all possible verifications) -->
>>>>   <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>>>>
>>>>   <alert_new_files>yes</alert_new_files>
>>>>   <scan_on_start>no</scan_on_start>
>>>>   <auto_ignore>no</auto_ignore>
>>>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
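The interaction Santiago points out (realtime does nothing until the first syscheck scan has run, so scan_on_start=no delays it until the scheduled scan) and the alert_new_files/auto_ignore settings he recommends can be caught with a small lint over the syscheck block. This is an added example written for this thread, not OSSEC's own code; the sample config is constructed after the fragment Jenia posted, and the fallback values in DEFAULTS are assumed OSSEC 2.x defaults.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragment quoted in the thread (not the poster's file).
SAMPLE_OSSEC_CONF = """<ossec_config>
  <syscheck>
    <frequency>79200</frequency>
    <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <alert_new_files>yes</alert_new_files>
    <scan_on_start>no</scan_on_start>
    <auto_ignore>no</auto_ignore>
  </syscheck>
</ossec_config>
"""

# Values applied when an option is absent (assumed OSSEC 2.x defaults).
DEFAULTS = {"scan_on_start": "yes", "alert_new_files": "no", "auto_ignore": "yes"}

def _option(syscheck, name):
    el = syscheck.find(name)
    return (el.text or DEFAULTS[name]).strip().lower() if el is not None else DEFAULTS[name]

def realtime_directories(xml_text):
    """Return the paths whose <directories> element carries realtime="yes"."""
    syscheck = ET.fromstring(xml_text).find("syscheck")
    paths = []
    for d in (syscheck.findall("directories") if syscheck is not None else []):
        if d.get("realtime", "no").lower() == "yes":
            paths.extend(p.strip() for p in (d.text or "").split(",") if p.strip())
    return paths

def lint_syscheck(xml_text):
    """Return (severity, message) findings for the realtime pitfalls raised in the thread."""
    syscheck = ET.fromstring(xml_text).find("syscheck")
    if syscheck is None:
        return [("error", "no <syscheck> block found")]
    findings = []
    rt = realtime_directories(xml_text)
    if rt and _option(syscheck, "scan_on_start") != "yes":
        findings.append(("warning",
            "realtime=yes on %s but scan_on_start=no: realtime monitoring only begins after "
            "the first syscheck scan, so earlier changes surface only when that scan runs" % ", ".join(rt)))
    if _option(syscheck, "alert_new_files") != "yes":
        findings.append(("info", "alert_new_files is off: newly created files raise no alert"))
    if _option(syscheck, "auto_ignore") != "no":
        findings.append(("info", "auto_ignore is on: frequently changing files are dropped silently"))
    return findings
```

Run `lint_syscheck(SAMPLE_OSSEC_CONF)` against the sample and the only finding is the scan_on_start warning; flipping scan_on_start to yes clears it.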