On Friday, November 9, 2012 9:23:56 PM UTC+8, dan (ddpbsd) wrote:
>
> On Fri, Nov 9, 2012 at 12:41 AM, peng lin <linpe...@gmail.com>
> wrote:
> > In my ossec.conf, I write
> > <alert_new_files>yes</alert_new_files>
> > <directories check_all="yes" realtime="yes"
> > report_changes="yes">/103</directories>
>
> Is realtime available for your mystery platform? Are you sure it was
> compiled in? Do you see log messages about realtime monitoring?
>
> > In my ossec_rule.xml, I write
> > <rule id="554" level="8">
>
> Don't change this. It'll be lost during an upgrade.
>
> > <category>ossec</category>
> > <decoded_as>syscheck_new_entry</decoded_as>
> > <description>File added to the system.</description>
> > <group>syscheck,</group>
> > </rule>
>
> Add the following rule to local_rules.xml instead of ossec_rules.xml.
>
> > <rule id="554" level="10" overwrite="yes">
> > <category>ossec</category>
> > <decoded_as>syscheck_new_entry</decoded_as>
> > <description>File added to the system.</description>
> > <group>syscheck,</group>
> > </rule>
> > But in directory 103, when I create a new file, I can't see any alert.
> > Is something wrong with my config? I used 2.7 beta 2.
>
> Has a syscheck scan already run? I'm not sure new file alerts will
> fire if there isn't a baseline.
> Did you try adding the file and forcing a rescan? Maybe realtime isn't
> working for this.
>
> > 2. I see that syscheck uses the decoder syscheck_xxx_entry,
> > but in decoder.xml I can't see the decoder's config?
> > How does it work?
>
> I think that's all part of the source, instead of having the separate
> decoders.
>
> Is realtime available for your mystery platform? Are you sure it was
> compiled in? Do you see log messages about realtime monitoring?

Yes, if I modify or change a file that I have realtime checking on, I can see
the log appear.
I think realtime works OK, BUT when I create a file, I can't receive any alert,
whether I change the old rule or add a rule.
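The advice above is to leave ossec_rules.xml alone and put the level-10 copy of rule 554 in local_rules.xml with overwrite="yes". The following is an added example, not code from this thread or from the OSSEC project: a small Python checker that parses the two rule files, reports which local rules actually replace a shipped rule and which ones silently fail to (a duplicate id without overwrite="yes", or a new rule using an id outside the local range), and computes the level each rule ends up with. The file contents are constructed inline from the snippets in the thread; the 100000+ id range for custom rules is the OSSEC documentation's convention, and the "bad" local file is a constructed example of the mistake.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the shipped ossec_rules.xml, holding only the
# rule quoted in the thread (rule 554 at its default level 8).
OSSEC_RULES_XML = """
<group name="syscheck,">
  <rule id="554" level="8">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
"""

# Constructed local_rules.xml doing what the reply recommends: the same id,
# overwrite="yes", plus a new custom rule in the 100000+ local range.
LOCAL_RULES_XML = """
<group name="local,syscheck,">
  <rule id="554" level="10" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
  <rule id="100001" level="7">
    <if_sid>554</if_sid>
    <match>/103/</match>
    <description>File added under /103 (constructed local rule).</description>
  </rule>
</group>
"""

# Constructed local_rules.xml with the mistake the checker is meant to catch:
# a copy of 554 without overwrite="yes", and a new rule using a reserved id.
BAD_LOCAL_RULES_XML = """
<group name="local,syscheck,">
  <rule id="554" level="10">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
  <rule id="555" level="7">
    <if_sid>554</if_sid>
    <description>Custom rule on a reserved id (constructed).</description>
  </rule>
</group>
"""

LOCAL_ID_MIN = 100000  # custom rule ids are expected at or above this value


def parse_rules(text):
    """Parse the body of an OSSEC rules file into a list of dicts.

    A rules file may contain several top-level <group> elements, which is
    not well-formed XML on its own, so the text is wrapped in a synthetic
    root element before parsing.
    """
    root = ET.fromstring("<rules>" + text + "</rules>")
    rules = []
    for rule in root.iter("rule"):
        rules.append({
            "id": rule.get("id"),
            "level": int(rule.get("level", "0")),
            "overwrite": (rule.get("overwrite") or "no").lower() == "yes",
            "decoded_as": (rule.findtext("decoded_as") or "").strip(),
        })
    return rules


def check_local_overrides(base_text, local_text):
    """Return (effective_levels, problems).

    effective_levels maps rule id -> level after local_rules.xml is applied.
    problems is a list of findings about local rules that will not do what
    the author probably intended.
    """
    base = {r["id"]: r for r in parse_rules(base_text)}
    effective = {rid: r["level"] for rid, r in base.items()}
    problems = []
    for r in parse_rules(local_text):
        rid = r["id"]
        if rid in base:
            if r["overwrite"]:
                effective[rid] = r["level"]  # a proper override of a shipped rule
            else:
                problems.append(
                    'rule %s duplicates a shipped rule but lacks overwrite="yes"' % rid)
        else:
            if r["overwrite"]:
                problems.append('rule %s sets overwrite="yes" but overrides nothing' % rid)
            if int(rid) < LOCAL_ID_MIN:
                problems.append(
                    "rule %s is a new rule using an id below the local range (%d+)"
                    % (rid, LOCAL_ID_MIN))
            effective[rid] = r["level"]
    return effective, problems


if __name__ == "__main__":
    for name, local in (("good", LOCAL_RULES_XML), ("bad", BAD_LOCAL_RULES_XML)):
        levels, problems = check_local_overrides(OSSEC_RULES_XML, local)
        print(name, "local_rules.xml -> rule 554 level", levels["554"])
        for p in problems:
            print("  problem:", p)
```

Run against the "good" file, rule 554 comes out at level 10 with no findings; against the "bad" file it stays at the shipped level 8 and both mistakes are reported. In practice you would read the real files from /var/ossec/rules/ and, after fixing them, still confirm that a baseline syscheck scan has completed before expecting syscheck_new_entry alerts.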