I can confirm this problem. I tested ossec 2.1.1 on a Linux system and added to the default syscheck entries 'realtime="yes"'. Changes on files in the directory are recognized, but in subfolders the checks are ignored.
I recognized another problem with realtime checks. When I create a new file in the directory that is checked in realtime, I didn't receive any message from ossec. I looked in every log but there isn't any entry for the new file.

Regards

Kirk Frankovich wrote:
> I have been testing the realtime directive and am finding that only
> files in the listed directory are seen right away. Files in
> subfolders do not appear to be affected. For realtime to work, do you
> need to list each directory separately? I also have the check_all="yes".
>
> In my config, I have
>
> <directory check_all="yes" realtime="yes">/test</directory>
>
> The file /test/file1.txt is properly detected when it is changed
>
> The file /test/subfolder/file2.txt is not.
>
> It appears as though the realtime directive isn't recursive. Is this
> correct or am I doing something wrong?
>
> This is a fresh install on OSSEC 2.1.1 on CentOS 5.3 32bit.
>
> Thank you.
>
> Kirk Frankovich
> Systems Administrator
> Fort Dearborn Company

--
Andre Pawlowski

Any fool can write code that a computer can understand.
Good programmers write code that humans can understand. -Martin Fowler
