{"id":88,"date":"2009-10-08T22:42:00","date_gmt":"2009-10-08T22:42:00","guid":{"rendered":"https:\/\/defragged.org\/ossec\/?p=88"},"modified":"2020-07-01T22:43:44","modified_gmt":"2020-07-01T22:43:44","slug":"realtime-file-integrity-monitoring","status":"publish","type":"post","link":"https:\/\/defragged.org\/ossec\/2009\/10\/realtime-file-integrity-monitoring\/","title":{"rendered":"Realtime file integrity monitoring"},"content":{"rendered":"\n<p>OSSEC supports realtime (continuous) file integrity monitoring on Linux systems (since v2.2) and on the&nbsp;<a href=\"http:\/\/www.ossec.net\/files\/snapshots\/ossec-win32-091008.exe\">latest snapshot<\/a>&nbsp;we added support for Windows too.<\/p>\n\n\n\n<p>The configuration is very simple. In the &lt;directories&gt; option where you specify what files or directories to monitor, you just need to add the realtime=\"yes\" attribute. For example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;syscheck>\n&lt;directories realtime=\"yes\" check_all=\"yes\">\/etc,\/usr\/bin,\/usr\/sbin&lt;\/directories>\n&lt;directories check_all=\"yes\">\/bin,\/sbin&lt;\/directories>\n&lt;\/syscheck><\/code><\/pre>\n\n\n\n<p>In this case, the directories \/etc, \/usr\/bin and \/usr\/sbin will be monitored in real time. The same applies to Windows too. A few notes:<\/p>\n\n\n\n<ol><li>The real time monitoring will not start right away. First OSSEC needs to scan the file system and add each sub-directory to the realtime queue. It can take up to 30 minutes for that (wait for the log message <em>\u201cossec-syscheckd: INFO: Starting real time file monitoring\u201d<\/em>).<\/li><li>It only works with directories, not individual files. So you can monitor the \/etc or C:\\Program Files directory, but not an individual file like \/etc\/file.txt.<\/li><\/ol>\n\n\n\n<p>If you are interested in this feature, please try it out on both Linux and Windows.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>OSSEC supports realtime (continuous) file integrity monitoring on Linux systems (since v2.2) and on the&nbsp;latest snapshot&nbsp;we added support for Windows too. The configuration is very simple. In the &lt;directories&gt; option where you specify what files or directories to monitor, you just need to add the realtime=\"yes\" attribute. For example: In this case, the directories \/etc, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[],"_links":{"self":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/88"}],"collection":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/comments?post=88"}],"version-history":[{"count":1,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/88\/revisions"}],"predecessor-version":[{"id":89,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/88\/revisions\/89"}],"wp:attachment":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/media?parent=88"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/categories?post=88"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/tags?post=88"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}