Hi Christian,
You also need to set alert_new_files to yes inside the syscheck config:
http://www.ossec.net/wiki/Know_How:Syscheck
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Mon, May 17, 2010 at 2:29 PM, ko...@mnr.org wrote:
I've changed the rules required 554 to level 7 and the rule
I have that also Here is the setting maybe I'm missing something else, I
changed the frequency
<syscheck>
<!-- Frequency that syscheck is executed - default to every 22 hours -->
<frequency>792</frequency>
<alert_new_files>yes</alert_new_files>
<!-- Directories to check (perform all
Have you tested this? Maybe tried creating a file in the system32 directory?
Did you set the alert_new_files to yes on the agents (not sure if this
is necessary or not, but probably won't hurt)?
Is the system32 directory being watched by syscheck?
On Tue, May 18, 2010 at 8:38 AM, ko...@mnr.org
Thanks for the reply. Yes, Yes (system32 directory being watched by syscheck?)
I believe by default it is being watched by syscheck. I do get alerts
when I modify a test file in the System32 directory. This is a basic install for
testing and evaluation. This is the only issue I can't seem
I've gotten copied on this mail 10 times already. But not a response.
ko...@mnr.org 5/18/2010 8:38 AM
I have that also Here is the setting maybe I'm missing something else, I
changed the frequency
<syscheck>
<!-- Frequency that syscheck is executed - default to every 22 hours -->
I've changed the rules required 554 to level 7 and the rule is as follows. Is
this correct for alerting on new files as documented? Thank You, Christian...
<rule id="554" level="7" overwrite="yes">
  <category>ossec</category>
  <decoded_as>syscheck_new_entry</decoded_as>
  <match>\system32\</match>
</rule>
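The thread boils down to three things that all have to line up before a new file in system32 produces an alert: alert_new_files set to yes in the syscheck block, a directories entry that actually covers system32, and rule 554 raised above its stock level 0 with overwrite="yes". The checker below is an added example, not code from the thread or from the OSSEC project; the ossec.conf and local_rules.xml fragments it reads are constructed samples, and the only OSSEC specifics it relies on are the element names already quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample ossec.conf syscheck block (not taken from the thread).
OSSEC_CONF = """<ossec_config>
  <syscheck>
    <frequency>792</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes">C:\\WINDOWS/system32,C:\\WINDOWS/SysWOW64</directories>
  </syscheck>
</ossec_config>"""

# Constructed sample local_rules.xml override, modelled on the rule quoted in the thread.
LOCAL_RULES = """<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <match>\\system32\\</match>
  </rule>
</group>"""


def parse_fragments(text):
    # ossec.conf may carry several top-level <ossec_config> blocks and an XML
    # declaration, so drop the declaration and wrap everything in one root.
    text = re.sub(r"<\?xml[^>]*\?>", "", text)
    return ET.fromstring("<root>" + text + "</root>")


def syscheck_findings(conf_text, rules_text, wanted_dir="system32"):
    """Return a list of reasons why new files under wanted_dir would not alert."""
    findings = []
    conf = parse_fragments(conf_text)
    flags = [e.text.strip().lower() for e in conf.iter("alert_new_files") if e.text]
    if "yes" not in flags:
        findings.append("alert_new_files is not 'yes': new files never yield syscheck_new_entry")
    watched = []
    for d in conf.iter("directories"):
        watched += [p.strip() for p in (d.text or "").split(",") if p.strip()]
    if not any(wanted_dir.lower() in p.lower() for p in watched):
        findings.append("no <directories> entry covers " + wanted_dir)
    rules = parse_fragments(rules_text)
    override = [r for r in rules.iter("rule") if r.get("id") == "554"]
    if not override:
        findings.append("rule 554 is not overridden; its stock level 0 is never alerted")
    else:
        if override[0].get("overwrite") != "yes":
            findings.append('rule 554 override lacks overwrite="yes"')
        if int(override[0].get("level", "0")) < 1:
            findings.append("rule 554 level is still 0, so it is never alerted")
    return findings
```

Run it against the real files with `syscheck_findings(open(conf).read(), open(rules).read())`; an empty list means the three settings the thread asks about are all present.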