Hi, check out the documentation: http://ossec-docs.readthedocs.io/en/latest/faq/syscheck.html#why-aren-t-new-files-creating-an-alert
Also, it is not a good idea to monitor the whole partition:

- *report_changes* creates a snapshot in the agent for each change.
- *realtime* on Windows allows up to 256 directories.

Syscheck should be for critical files.

Regards.

On Wednesday, May 31, 2017 at 10:04:38 AM UTC+2, Akash Munjal wrote:
> Hi All,
>
> I am also facing the same problem. I am not getting alerts for the
> creation/deletion of files from the Windows agent to my manager (Linux).
> The agent shows as connected and active; the only alerts I get from the
> agent (Windows) are agent start/restart/change in ossec.conf (agent).
> To monitor the D:\ drive, I have made the following changes in ossec.conf
> on the manager:
>
> <directories report_changes="yes" realtime="yes" check_all="yes">C:.,D:.</directories>
>
> But I don't get any alerts on my manager.
>
> Can you please help me out?
>
> Thanks
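A small check for the two points raised in the reply, added here as an illustration (it is not part of the thread or of OSSEC): it flags `<directories>` entries that cover a whole partition, notes when `report_changes` is set on them, and compares the number of `realtime` entries with the 256 figure quoted above. The function name, the sample config and the scoped path are constructed, and the count covers configured entries only, so the number of directories the agent would actually watch is at least that.

```python
import re
import xml.etree.ElementTree as ET

REALTIME_LIMIT = 256  # figure quoted in the reply for Windows agents
# Matches a whole drive or filesystem root: "C:", "C:\", "C:.", "C:\.", "/"
ROOT_RE = re.compile(r"^(?:[A-Za-z]:[\\/]?\.?|/)$")

# Constructed sample: the entry from the question plus one narrowly scoped entry.
SAMPLE_CONF = r"""
<ossec_config>
  <syscheck>
    <directories report_changes="yes" realtime="yes" check_all="yes">C:.,D:.</directories>
    <directories check_all="yes" realtime="yes">C:\Windows\System32\drivers\etc</directories>
  </syscheck>
</ossec_config>
"""

def lint_syscheck(conf_text):
    """Return a list of (path, finding) tuples for <directories> entries."""
    # ossec.conf may hold several <ossec_config> blocks, so wrap them in one root.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    findings, realtime_count = [], 0
    for elem in root.iter("directories"):
        paths = [p.strip() for p in (elem.text or "").split(",") if p.strip()]
        realtime = elem.get("realtime") == "yes"
        report = elem.get("report_changes") == "yes"
        for path in paths:
            realtime_count += realtime  # bool counts as 0 or 1
            if ROOT_RE.match(path):
                findings.append((path, "whole partition monitored"))
                if report:
                    findings.append((path, "report_changes snapshots on a whole partition"))
    if realtime_count > REALTIME_LIMIT:
        findings.append(("*", "%d realtime entries exceed %d" % (realtime_count, REALTIME_LIMIT)))
    return findings

if __name__ == "__main__":
    for path, finding in lint_syscheck(SAMPLE_CONF):
        print("%-6s %s" % (path, finding))
```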