We currently have some OSSEC agents running on Windows with real-time file monitoring activated, using the following configuration on the agent side:
<syscheck>
  <!-- Frequency that syscheck is executed - default to every 2 hours -->
  <frequency>7200</frequency>
  <directories check_all="yes" realtime="yes">D:\path1</directories>
  <directories check_all="yes" realtime="yes">D:\path2</directories>
  <disabled>no</disabled>
  <auto_ignore>no</auto_ignore>
</syscheck>
This basically works, except that only the first edit of a file is reported in real time. Any subsequent changes to the same file are only reported via the scheduled scans every 7200 seconds; no real-time notification is triggered after the first edit.
If I edit another previously untouched file, it works again for the first-ever change but not afterwards.
Are there any other settings that could be checked/changed/set to reliably get notified of the file changes? What could be looked at to identify the issue?
It's a little puzzling… Thanks a lot for any input.
Best Answer
Answer is: there are somewhat misleading defaults:
When running the agent at debug level 2, it can be seen that all files are monitored, changes are detected and data is sent to the server. But the server ignores them by default. This is a little confusing/misleading even if it is documented this way! It should be noted on the real-time flag that one must change the server side too; the interdependence of those two settings is not obvious!
What is confusing is: the first change works, but the second change of the same file does not! So that's it!
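Added example (not from the original post or the OSSEC project): the agent-side syscheck block from the question placed next to a server-side syscheck block, to show the two halves the answer says must agree. The server-side switch shown is an assumption: OSSEC's syscheck auto_ignore is documented as valid on server/local only and defaulting to yes, so setting it on the agent alone changes nothing.

```xml
<!-- File 1: agent ossec.conf (Windows), as posted in the question.
     realtime="yes" makes the agent report each change immediately;
     auto_ignore is accepted here but is not honoured by the agent. -->
<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes" realtime="yes">D:\path1</directories>
    <directories check_all="yes" realtime="yes">D:\path2</directories>
    <disabled>no</disabled>
    <auto_ignore>no</auto_ignore>
  </syscheck>
</ossec_config>

<!-- File 2: server (manager) ossec.conf. Assumption: this is the
     server-side setting the answer refers to. The manager's own
     syscheck block decides whether repeated changes to the same
     file are alerted or silently dropped. -->
<ossec_config>
  <syscheck>
    <!-- Default (misleading) behaviour: repeated changes to one
         file are ignored by the manager, so only the first
         real-time event ever produces an alert.
         <auto_ignore>yes</auto_ignore> -->

    <!-- Corrected: alert on every change the agent reports -->
    <auto_ignore>no</auto_ignore>
  </syscheck>
</ossec_config>
```

After changing the manager's block, restart it with /var/ossec/bin/ossec-control restart and edit the same monitored file twice; the second change should now appear in /var/ossec/logs/alerts/alerts.log without waiting for the scheduled scan.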