The first time the syscheck process runs it creates a baseline database. On subsequent runs it should compare the new info to the older db. I do not know if these checks are done after it has finished its run, or if it checks for changes as it goes through the fs. If you're using a realtime-capable system, it may be worth enabling that feature.

-----Original Message-----
From: ItsMikeE
Sent: 07/12/2010 9:43:37 AM
Subject: [ossec-list] Re: Why are file integrity checks not working / not taking place

OSSEC has now identified the file changes, but not on the first run of syscheck. Could there be some kind of initial processing, like the setting up of a database of files to be monitored, that has to complete before the checks can run?