P.S.: This is a duplicated topic. There is a more detailed explanation to your problem at the other topic:
https://groups.google.com/forum/#!topic/ossec-list/eSbdMTPLG7A

Regards.

On Friday, April 1, 2016 at 3:17:24 PM UTC+2, Victor Fernandez wrote:
>
> Hi.
>
> I did the same as you: changed the rule's level from 0 to 10 and added
>
> <alert_new_files>yes</alert_new_files>
>
> on "ossec.conf", both at server, and I had no error.
>
> You should check the Syscheck database (tail of file at
> /var/ossec/queue/syscheck) and verify that new files are on it.
>
> Depending on whether the file appears in the database or not, the problem
> may be with the agent or the manager.
>
> Best regards.
>
> On Thursday, March 31, 2016 at 9:08:36 PM UTC+2, jingxu...@bettercloud.com
> wrote:
>>
>> I followed the instruction as
>>
>> Add the following to local_rules.xml:
>>
>> <rule id="554" level="10" overwrite="yes">
>>   <category>ossec</category>
>>   <decoded_as>syscheck_new_entry</decoded_as>
>>   <description>File added to the system.</description>
>>   <group>syscheck,</group>
>> </rule>
>>
>> The <alert_new_files> entry should look something like this:
>>
>> <syscheck>
>>   <frequency>7200</frequency>
>>   <alert_new_files>yes</alert_new_files>
>>   <directories check_all="yes">/etc,/bin,/sbin</directories>
>> </syscheck>
>>
>> And then restart the agent and server, but I did not get alerts forever.
>>