ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

Realtime not really alerting in realtime for some options (documentation request) #2028

Open crazyhouse33 opened 2 years ago

crazyhouse33 commented 2 years ago

Hello, I have been trying to play a bit with the realtime option and I failed on some gotchas that I think should be documented more clearly there: https://www.ossec.net/docs/docs/manual/syscheck/index.html

  1. Realtime monitoring does not detect permission changes (if you change permissions, the alert does not fire instantly).
  2. Realtime does not work with auto_ignore and added_file (the last one is properly documented).

The thing is that in the documentation you show realtime coupled with check_all, which leads the user to expect that every one of those checks is done in realtime. Since that's not true, it should be clarified that the only proper realtime checks are the file integrity ones.

Thanks for your work :)
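For anyone landing here from the docs, below is an added example of the syscheck block the report is talking about. It is not from the OSSEC project or from the issue author; the directory paths and the frequency value are constructed for illustration. The comments spell out what the issue reports: with realtime="yes" only content changes alert immediately, while permission changes, auto_ignore and new-file alerts surface on the scheduled scan, so the scan interval is what bounds the delay for those.

```xml
<ossec_config>
  <syscheck>
    <!-- Scheduled scan interval in seconds. Per the issue above, permission
         changes, auto_ignore and new-file alerts are only evaluated here,
         so this value bounds how long those take to alert even when
         realtime is enabled. 3600 is a constructed example; the OSSEC
         default is 79200 (22 hours). -->
    <frequency>3600</frequency>

    <!-- alert_new_files is documented as working only in scheduled scans,
         not in realtime mode. -->
    <alert_new_files>yes</alert_new_files>

    <!-- Example directories (constructed). check_all enables checksum,
         size, owner, group and permission checks; realtime only fires
         instantly for content (checksum) changes on these paths. -->
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>

    <!-- Same checks without realtime: everything is evaluated on the
         scheduled scan, which is the behaviour the issue says should be
         stated explicitly next to the realtime + check_all example. -->
    <directories check_all="yes">/bin,/sbin</directories>
  </syscheck>
</ossec_config>
```

The practical takeaway for a defender is that realtime="yes" is not a substitute for a sensible frequency: if timely detection of permission or ownership changes matters, lower the scan interval on the paths that need it rather than relying on the realtime flag alone.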