Open jrossi opened 10 years ago
I've done a fair amount of testing of realtime's check and still get odd behaviours. Seems like Gael's patch (issue #57 - pull-request/19) is helping but does not solve the inconsistencies.
So far I'm having difficulties as it seems pretty random: sometimes an alert gets sent the second I add or modify a file and sometimes nothing (same or different files). I'll try to dig deeper but really there's something not right.
I'm currently investigating on a fresh version of Ubuntu server 12.04 since I realized something wasn't right in my implementation of realtime for *BSD. Now I know it's not local to my BSD implementation but really in OSSEC's realtime code.
Note: This comment has been automatically migrated from Bitbucket. Created by northox on 2013-11-25 03:41:09+00:00
Danny, check to make sure you're not dropping UDP packets due to a full buffer. On Linux, it's netstat -s. I was helping another user recently who had this problem and I also noticed it on my server, which only gets about 2 million events per day.
Note: This comment has been automatically migrated from Bitbucket. Created by mstarks01 on 2013-11-25 03:52:34+00:00
No, that's not it. I can see other actions of the remote agent on OSSEC's server as they happen, just not the realtime filesystem checks.
I'll add this to my test: trigger a standard alert then play with a realtime directory and finally another standard alert.
Note: This comment has been automatically migrated from Bitbucket. Created by northox on 2013-11-26 02:57:14+00:00, last updated: 2013-11-26 03:00:42+00:00