Have you tested this? Maybe tried creating a file in the system32 directory?
Did you set the alert_new_files to yes on the agents (not sure if this
is necessary or not, but probably won't hurt)?
Is the system32 directory being watched by syscheck?

On Tue, May 18, 2010 at 8:38 AM,  <ko...@mnr.org> wrote:
> I have that also. Here is the setting; maybe I'm missing something else. I
> changed the frequency.
>
> <syscheck>
>     <!-- Frequency that syscheck is executed - default to every 22 hours -->
>     <frequency>792</frequency>
>     <alert_new_files>yes</alert_new_files>
>
>     <!-- Directories to check  (perform all possible verifications) -->
>     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>     <directories check_all="yes">/bin,/sbin</directories>
>
> Christian L. Kovac
> Sr Network Support Analyst
> Information Technology & Project Management
> Metro-North Railroad
> ko...@mnr.org
> 212-499-4642
>
> THINK GREEN: Do you really need to print this e-mail?
>
>
>>>> Daniel Cid <daniel....@gmail.com> 5/18/2010 8:00 AM >>>
> Hi Christian,
>
> You also need to set "alert_new_files" to "yes" inside the syscheck config:
>
> http://www.ossec.net/wiki/Know_How:Syscheck
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Mon, May 17, 2010 at 2:29 PM,  <ko...@mnr.org> wrote:
>> I've changed the rule required (554) to level 7 and the rule is as follows.
>> Is this correct for alerting on new files as documented? Thank you,
>> Christian...
>>
>> <rule id="554" level="7" overwrite="yes">
>>   <category>ossec</category>
>>   <decoded_as>syscheck_new_entry</decoded_as>
>>   <match>\system32\</match>
>>   <description>File added to the system.</description>
>>   <group>syscheck,</group>
>> </rule>
>>
>>
>> Christian L. Kovac
>> Sr Network Support Analyst
>> Information Technology & Project Management
>> Metro-North Railroad
>> ko...@mnr.org
>> 212-499-4642
>>
>> THINK GREEN: Do you really need to print this e-mail?
>>
>

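The question raised at the top of this thread (is the directory the rule matches on actually watched by syscheck, and is `alert_new_files` on?) can be answered mechanically from the agent config. The script below is an added example, not code from the thread or from the OSSEC project: it parses a `<syscheck>` block, checks `alert_new_files`, converts `<frequency>` (which OSSEC reads in seconds; the default 79200 is the 22 hours mentioned in the config comment) to minutes, and reports whether a new file at a given path falls under any `<directories>` entry, comparing Windows paths case-insensitively and POSIX paths exactly. The two config samples are constructed for the example: the first is the thread's own block, the second adds an assumed `C:\Windows\System32` entry.

```python
"""Check whether an OSSEC syscheck config would alert on a new file at a path.

Added example; not part of the original thread or of OSSEC itself.
"""
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath, PureWindowsPath

# Constructed sample 1: the <syscheck> block exactly as posted in the thread.
THREAD_SYSCHECK = """
<syscheck>
    <frequency>792</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
</syscheck>
"""

# Constructed sample 2: same block plus an assumed Windows agent entry.
WINDOWS_SYSCHECK = """
<syscheck>
    <frequency>792</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <directories check_all="yes">C:\\Windows\\System32</directories>
</syscheck>
"""


def parse_syscheck(xml_text):
    """Return frequency (seconds), alert_new_files flag and the watched dirs."""
    root = ET.fromstring(xml_text)
    if root.tag != "syscheck":           # allow an <ossec_config> wrapper
        root = root.find("syscheck")
    freq = int(root.findtext("frequency", "79200").strip())   # OSSEC default 22h
    alert_new = root.findtext("alert_new_files", "no").strip().lower() == "yes"
    dirs = []
    for node in root.findall("directories"):
        # One <directories> element holds a comma-separated list of paths.
        dirs.extend(p.strip() for p in (node.text or "").split(",") if p.strip())
    return {"frequency": freq, "alert_new_files": alert_new, "directories": dirs}


def _is_windows(path):
    return (len(path) > 1 and path[1] == ":") or "\\" in path


def is_watched(path, directories):
    """Return the watched directory that covers `path`, or None if none does."""
    if _is_windows(path):
        # Windows file names are case-insensitive, so compare lower-cased parts.
        key = lambda p: tuple(s.lower() for s in PureWindowsPath(p).parts)
    else:
        key = lambda p: PurePosixPath(p).parts
    target = key(path)
    for d in directories:
        if _is_windows(d) != _is_windows(path):
            continue                      # never match a POSIX dir to a Windows path
        prefix = key(d)
        if len(target) > len(prefix) and target[: len(prefix)] == prefix:
            return d
    return None


def coverage_report(cfg, expected_paths):
    """Summarise whether a new file at each expected path could raise an alert."""
    unwatched = [p for p in expected_paths if is_watched(p, cfg["directories"]) is None]
    return {
        "alert_new_files": cfg["alert_new_files"],
        "scan_interval_minutes": cfg["frequency"] / 60,
        "unwatched": unwatched,
        "would_alert": cfg["alert_new_files"] and not unwatched,
    }


if __name__ == "__main__":
    # Hypothetical new file the level-7 rule from the thread is meant to catch.
    probe = ["C:\\Windows\\System32\\drivers\\new.sys"]
    for name, text in (("thread config", THREAD_SYSCHECK), ("with System32", WINDOWS_SYSCHECK)):
        print(name, coverage_report(parse_syscheck(text), probe))
```

Run against the thread's own block the report lists the System32 path as unwatched, so no `syscheck_new_entry` event can exist for rule 554 to match regardless of its level; adding the Windows directory entry flips `would_alert`. The interval line is a reminder that `792` is about 13 minutes, not 22 hours.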