Hi, it is not necessary to install the *inotify* package. This package is for inotify tools and OSSEC uses the inotify system calls. I think the problem is that you must specify a directory for realtime, not a file. Try to change it to "/root/.ssh" instead of "root/.ssh/authorized_key".
Regards.

On Tuesday, March 21, 2017 at 5:51:05 AM UTC-7, Kat wrote:
>
> Good morning,
>
> You seem to have posted this question twice, so I will just answer this one. I have this running on all my systems and it easily works without an issue. You have to make sure the right packages are installed for Realtime. Hidden files do not bother OSSEC - a hidden file is simply a file named with a leading "." dot, but that does not alter the fact that it has an inode and a directory entry. Make sure you have the "inotify" package installed. Also, you might want to post your config file. One other issue is that if the file did not exist prior to starting OSSEC and you do not have alerting on new files set up, then you may not see the alerts either.
>
> I use this feature for monitoring in realtime if users put SSH private keys on a public server, rather than their laptop. I have AR set up to remove any private keys immediately upon alert generation.
>
> Cheers
> Kat
>
> On Monday, March 20, 2017 at 10:47:15 PM UTC-5, jingxu...@bettercloud.com wrote:
>>
>> Recently, we are trying to use OSSEC to monitor files ~/.ssh/authorized_key for real time, but it seems it can only detect for syscheck, but not real time. I checked the /var/ossec/queue/diff folder, it recorded all the changes, but because the .ssh folder is hidden, I can not get real-time alerts from OSSEC manager. Does anyone know how to fix this, or does OSSEC ever consider this function before?
>>
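An added example, not part of the original thread and not OSSEC's own code: a small Python check that reads `ossec.conf` text and lists every `realtime="yes"` entry in `<directories>` that is not an existing directory, which is the misconfiguration the reply at the top points to. The function names and the sample paths are constructed for illustration, and it assumes the file carries no XML declaration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET


def realtime_non_directories(conf_text):
    """Return realtime-monitored paths that are not existing directories."""
    # ossec.conf may hold several <ossec_config> roots; wrap them so the
    # text parses as a single XML document.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    flagged = []
    for entry in root.iter("directories"):
        if entry.get("realtime", "").lower() != "yes":
            continue  # scheduled syscheck scans accept plain files
        # One <directories> element may list several comma-separated paths.
        for path in (entry.text or "").split(","):
            path = path.strip()
            if path and not os.path.isdir(path):
                flagged.append(path)
    return flagged


def demo():
    # Constructed sample: a throwaway ".ssh" directory holding one key file.
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        os.mkdir(ssh_dir)
        key_file = os.path.join(ssh_dir, "authorized_keys")
        open(key_file, "w").close()
        conf = f"""
<ossec_config>
  <syscheck>
    <!-- realtime on a file: flagged -->
    <directories realtime="yes" report_changes="yes">{key_file}</directories>
    <!-- realtime on the parent directory: accepted -->
    <directories realtime="yes" report_changes="yes">{ssh_dir}</directories>
    <!-- no realtime attribute: ignored by this check -->
    <directories check_all="yes">{key_file}</directories>
  </syscheck>
</ossec_config>"""
        return realtime_non_directories(conf), key_file


if __name__ == "__main__":
    flagged, _ = demo()
    for path in flagged:
        print("realtime target is not a directory:", path)
```

Run it against the agent's real configuration by passing the contents of `ossec.conf` to `realtime_non_directories()` on the monitored host, since the directory test is made against the local filesystem.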