On Mon, Feb 22, 2016 at 6:09 PM, Abhi <abhijittike...@gmail.com> wrote:
> Hi,
>
> I am trying to get the report_changes working for /etc directory. After
> enabling it, along with the real time option, agent correctly logs all the
> changes immediately under
> "/var/ossec/queue/diff/local/etc/". All changes are recorded into their
> respective folders. Each time an edit is done, a new diff file is generated.
>
> For enabling, added the following under ossec.conf on Agent:
> <directories realtime="yes" report_changes="yes" check_all="yes">/etc</directories>
>
> But these "diff.XXXXXXX" files never make it to OSSEC server. Are they
> supposed to?
> When I check for this specific agent under
> "/var/ossec/queue/diff/AgentName", the only files listed are
> "state.XXXXXXXX".
>
> Apart from setting <report_changes>, is there any other configuration that I
> missed?
>
Do you get the diffs in the alerts?

> Agent Version - 2.8.1 (Also tested with 2.8.3)
> Agent OS - CentOS 6.6
>
> Server OS - CentOS 6.6
>
> Many Thanks,
>
> ~ Abhi
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.