We currently have some OSSEC agents running on Windows with real-time monitoring for files activated, with the following configuration on the agent side:
<syscheck>
  <!-- Frequency that syscheck is executed - default to every 2 hours -->
  <frequency>7200</frequency>
  <directories check_all="yes" realtime="yes">D:\path1</directories>
  <directories check_all="yes" realtime="yes">D:\path2</directories>
  <disabled>no</disabled>
  <auto_ignore>no</auto_ignore>
</syscheck>
This basically works, except that only the first edit of a file is reported in real time. Any subsequent changes to the same file are only reported via the scheduled scans every 7200 seconds; no real-time notification is triggered after the first edit.
If I edit another previously untouched file, it works again for the first ever change but not afterwards.
Are there any other settings that could be checked/changed/set to reliably get notified of file changes? What could be looked at to identify the issue?
It's a little puzzling... Thanks a lot for any input.