
I have a Wazuh (OSSEC fork) server and an agent (testing for now). The server gets all the info from the agent (login attempts and so on) except for one thing: file changes (creation, deletion and so on). Upon restarting the agent, all the information is sent.

I've made sure that inotify and inotify-tools are installed, even build-essential (just in case), but nothing. Unless the agent is restarted, it will not send the new updates to the server.

OS: Ubuntu 16.04

Any ideas?

donald

1 Answer


You must take into account that the file change alerts are triggered when syscheckd detects any change from a previous scan; you can set the scan frequency using the scan frequency option.

When an agent is started, a file integrity scan starts too if <scan_on_start>yes</scan_on_start> (enabled by default) is set; for that reason you receive alerts of file changes when you restart the agent.

Also, you could take a look at the <realtime> option; this will alert you instantly when a file changes.

Here you can find the official documentation https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html

And our mailing list is located at https://groups.google.com/forum/#!forum/wazuh; we are glad to help you there too.

In addition, it would be nice if you used the wazuh tag; we would appreciate that, thanks.

I hope this helps you.

Regards
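To make the answer concrete, here is an added example of the agent-side syscheck configuration it describes; this is not code from the question, the answer or the Wazuh project, and the directory paths, the 12-hour frequency and the comments are my own choices for illustration. The first block reproduces the behaviour the question reports (changes only show up after a scan, which happens at startup and then every <frequency> seconds); the second enables realtime monitoring on the watched directories so that a create, modify or delete is reported as it happens.

```xml
<!-- Added example, not from the original post: agent ossec.conf, syscheck section -->

<!-- Before: periodic scan only. Alerts appear at agent start (scan_on_start)
     and then at most once per <frequency> seconds, so a file created between
     scans is only noticed after a restart or when the next scan runs. -->
<ossec_config>
  <syscheck>
    <disabled>no</disabled>
    <frequency>79200</frequency>               <!-- 22 hours, a common default -->
    <scan_on_start>yes</scan_on_start>          <!-- why a restart triggers alerts -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
  </syscheck>
</ossec_config>

<!-- After: realtime="yes" on each <directories> entry makes syscheckd register
     inotify watches (hypothetical paths, chosen for illustration) and report
     changes as they occur instead of waiting for the next scheduled scan.
     The periodic scan is kept as a safety net for anything the watches miss. -->
<ossec_config>
  <syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>               <!-- 12 hours: example value -->
    <scan_on_start>yes</scan_on_start>
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" realtime="yes">/bin,/sbin</directories>
  </syscheck>
</ossec_config>
```

After editing the agent's ossec.conf, restart the agent and confirm in the agent log that realtime monitoring started for the listed directories. Two caveats a practitioner should check: realtime mode applies to directories, not to individual file entries, and it depends on the kernel's inotify watch limit (fs.inotify.max_user_watches); if that limit is lower than the number of files under the watched trees, the kernel refuses further watches and changes in the uncovered files will again only be seen by the periodic scan.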