On Mon, Dec 12, 2011 at 10:52 PM, Macus <macu...@gmail.com> wrote:
> I have added the report_changes option like below. It seems to work a
> little bit. Both abc and def are linked to abc-v123 and def-v123
> respectively. Now, I can see some files were copied from /home/abc to
> /var/ossec/queue/diff/local/home/abc, but no file was copied for
> /home/def. Why? No error was observed in the ossec log.
>

No idea. Is there anything in the logs about /home/def? Does it work if
you use the correct directory instead of symlinks? Try running
ossec-syscheckd in debug mode.

> <directories check_all="yes" report_changes="yes">/home/abc</directories>
> <directories check_all="yes" report_changes="yes">/home/def</directories>
>
> On Dec 9, 10:10 AM, "dan (ddp)" <ddp...@gmail.com> wrote:
>> On Thu, Dec 8, 2011 at 8:57 PM, Macus <macu...@gmail.com> wrote:
>> > Yes, there are no files in the /var/ossec/queue/diff, but there are
>> > files in the $HOME/abc-v123. Therefore, why is there no file in the
>> > /var/ossec/queue/diff??
>> >
>> > I add the monitor dir like below.
>> > <directories check_all="yes">/home/abc</directories>
>>
>> Does it work if you add the report_changes option?
>> <directories check_all="yes" report_changes="yes">/home/abc</directories>
>>
>> > On Dec 8, 11:08 PM, "dan (ddp)" <ddp...@gmail.com> wrote:
>> >> On Thu, Dec 8, 2011 at 1:37 AM, Macus <macu...@gmail.com> wrote:
>> >> > I am using OSSEC 2.6 to monitor a symbolic link (i.e. $HOME/abc)
>> >> > to a phy dir (i.e. $HOME/abc-v123). The syscheck alert works, but in the
>> >> > alert email, there is no diff shown for the txt file change. Moreover,
>> >> > I found there is no image of the files stored in /var/ossec/queue/diff.
>> >> > What's the problem? Is it because the path is a symbolic link rather
>> >> > than a phy dir? Thanks
>> >>
>> >> Possibly. Are there no files in /var/ossec/queue/diff or just no files
>> >> from $HOME/abc-v123?
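Added example, not code from the thread or from OSSEC: a POSIX sh check that reads the <directories> entries from an ossec.conf, reports whether each configured path is a symlink and what it resolves to, and counts the snapshot files the diff queue holds under the configured path versus the resolved physical one, which is the comparison dan is asking Macus to make. It assumes the queue layout /var/ossec/queue/diff/local/<path> shown in the thread and one path per <directories> element.

```shell
#!/bin/sh
# Added example, not OSSEC code. Checks whether each monitored path is a
# symlink, what it resolves to, and how many snapshot files the diff queue
# holds under the configured path and under the resolved one. The queue
# layout /var/ossec/queue/diff/local/<path> is the one the thread shows.

monitored_paths_from_conf() {
    # $1 = ossec.conf; prints one monitored path per line.
    # Assumes one path per <directories> element (no comma-separated lists).
    sed -n 's#.*<directories[^>]*>\([^<]*\)</directories>.*#\1#p' "$1"
}

diff_queue_file_count() {
    # $1 = diff queue root, $2 = absolute monitored path
    if [ -d "$1$2" ]; then
        find "$1$2" -type f | wc -l | tr -d ' '
    else
        echo 0
    fi
}

check_monitored_path() {
    # $1 = monitored path, $2 = diff queue root (defaults to OSSEC's location)
    path=$1
    root=${2:-/var/ossec/queue/diff/local}
    if [ -L "$path" ]; then kind=symlink; else kind=directory; fi
    # cd + pwd -P resolves every symlink component with plain POSIX sh
    real=$(cd "$path" 2>/dev/null && pwd -P) || real="(unresolvable)"
    echo "$path $kind $real" \
        "link_snapshots=$(diff_queue_file_count "$root" "$path")" \
        "real_snapshots=$(diff_queue_file_count "$root" "$real")"
}

check_conf() {
    # $1 = ossec.conf, $2 = diff queue root; one report line per entry
    monitored_paths_from_conf "$1" | while read -r p; do
        check_monitored_path "$p" "$2"
    done
}
```

Run it as `check_conf /var/ossec/etc/ossec.conf` on the agent; an entry whose link_snapshots and real_snapshots are both 0 after a change is the one to chase in the ossec-syscheckd debug output.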