I actually monitor /home/*.ssh,/root/.ssh
And have AR set that if a new directory appears in /home, it restarts the agent so it adds it to the wildcard. On Monday, March 20, 2017 at 10:47:13 PM UTC-5, jingxu...@bettercloud.com wrote: > > Recently, we are trying to use OSSEC to monitor ~/.ssh/authorized_key for > real time. But it seems it only works for system integrity check > periodically, but not real-time, I checked the /var/ossec/queue/diff > folder, it recorded all the changes under that folder, but since .ssh is a > hidden folder, I can not get alerts from ossec manager for real-time file > change alert. Is there anyone knowing how to fix this? > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.