Hi Sebastian,
You also need a local rule for it to work. By default we ignore any alerts of new files (look inside ossec_rules.xml):
<rule id="554" level="0">
  <category>ossec</category>
  <decoded_as>syscheck_new_entry</decoded_as>
  <description>File added to the system.</description>
  <group>syscheck,</group>
</rule>
So if you overwrite this rule in local_rules.xml, you will get your alerts:
<rule id="554" level="7" overwrite="yes">
  <category>ossec</category>
  <decoded_as>syscheck_new_entry</decoded_as>
  <description>File added to the system.</description>
  <group>syscheck,</group>
</rule>
Btw, sorry for the delay getting back to you... I am working hard on v1.5, for which a beta should be out soon (expect lots of good new features).
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, Mar 25, 2008 at 7:59 AM, skoesters <[EMAIL PROTECTED]> wrote:
>
> No one has a hint for me?
>
> I do not get <alert_new_files> to work.
>
>
> On Mar 12, 6:25 pm, Sebastian Kösters <[EMAIL PROTECTED]> wrote:
> > Hi again.
> >
> > I also have a problem with the "alert_new_files" option.
> >
> > I configured it in my Server:
> >
> > <directories check_all="yes">/etc,/sbin,/bin,/usr/bin,/usr/sbin,/usr/local/bin,/usr/local/sbin</directories>
> >
> > <alert_new_files>yes</alert_new_files>
> >
> > For testing I created a new file in /etc.
> >
> > I never got any alert for the created file, but I always get a message
> > when a file (already existing) changes.
> >
> > Like this:
> >
> > Integrity checksum changed for: '/etc/hosts'
> > Size changed from '126' to '108'
> > Old md5sum was: '5de5b1287352f8f8ceecb52566de1962'
> > New md5sum is : '6575c0c69ce2acec955f990f13e14fd7'
> > Old sha1sum was: 'ed1a5309ea8bca35c3f06242c679e64e4a79a819'
> > New sha1sum is : '7c68ad122cde5fcf298eab0c2bc79434b0b98ba6'
> >
> > Some idea?
> >
> > Kind regards
> > Sebastian
>
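An added example (not part of the thread and not OSSEC's own code) that checks the two conditions Daniel describes before relying on new-file alerts: <alert_new_files> must be "yes" in ossec.conf, and the syscheck_new_entry rule (id 554, level 0 as shipped) must be overwritten in local_rules.xml with a level of 1 or higher. The file contents are constructed from the snippets quoted above; the wrapping <group> elements and the loader semantics (only overwrite="yes" replaces a shipped rule, a bare duplicate id is flagged) are assumptions of this script, not verified OSSEC behaviour.

```python
"""Check whether an OSSEC setup will actually alert on files added to a
monitored directory. Added example based on the rules quoted in the thread."""
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment, modelled on the poster's configuration.
OSSEC_CONF = """<ossec_config>
  <syscheck>
    <directories check_all="yes">/etc,/sbin,/bin,/usr/bin,/usr/sbin,/usr/local/bin,/usr/local/sbin</directories>
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</ossec_config>"""

# Constructed copy of the shipped rule 554 (level 0: never alerts).
DEFAULT_RULES = """<group name="syscheck,">
  <rule id="554" level="0">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>"""

# Constructed local_rules.xml that overwrites rule 554 at level 7, as in the reply.
LOCAL_RULES_OK = """<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>"""

# Common mistake: same rule id redefined without overwrite="yes".
LOCAL_RULES_NO_OVERWRITE = LOCAL_RULES_OK.replace(' overwrite="yes"', "")


def _wrap(xml_text):
    # OSSEC rule and config files may contain several top-level elements,
    # so parse them under a synthetic root element.
    return ET.fromstring("<root>" + xml_text + "</root>")


def parse_rules(xml_text):
    """Return {rule_id: {"level": int, "overwrite": bool, "decoded_as": str}}."""
    rules = {}
    for rule in _wrap(xml_text).iter("rule"):
        decoded = rule.find("decoded_as")
        rules[rule.get("id")] = {
            "level": int(rule.get("level", "0")),
            "overwrite": rule.get("overwrite", "no").lower() == "yes",
            "decoded_as": (decoded.text or "").strip() if decoded is not None else "",
        }
    return rules


def merge_rules(default_xml, local_xml):
    """Apply local rules on top of the shipped rules (assumed loader semantics:
    only overwrite="yes" replaces a shipped rule; a bare duplicate is reported)."""
    rules = parse_rules(default_xml)
    problems = []
    for rule_id, local in parse_rules(local_xml).items():
        if rule_id in rules and not local["overwrite"]:
            problems.append('rule %s redefined without overwrite="yes"' % rule_id)
            continue
        rules[rule_id] = local
    return rules, problems


def alert_new_files_enabled(conf_xml):
    """True when <syscheck><alert_new_files> is set to yes."""
    node = _wrap(conf_xml).find(".//syscheck/alert_new_files")
    return node is not None and (node.text or "").strip().lower() == "yes"


def check_new_file_alerts(conf_xml, default_xml, local_xml):
    """Report the effective level of the new-file rule and why alerts may be missing."""
    rules, problems = merge_rules(default_xml, local_xml)
    level = max((r["level"] for r in rules.values()
                 if r["decoded_as"] == "syscheck_new_entry"), default=0)
    enabled = alert_new_files_enabled(conf_xml)
    if not enabled:
        problems.append("<alert_new_files> is not set to yes in ossec.conf")
    if level < 1:
        problems.append("syscheck_new_entry rule is level 0, so no alert is generated")
    return {"alert_new_files": enabled, "level": level,
            "will_alert": enabled and level >= 1, "problems": problems}


if __name__ == "__main__":
    for label, local in (("no local rule", ""), ("overwrite", LOCAL_RULES_OK),
                         ("duplicate id", LOCAL_RULES_NO_OVERWRITE)):
        print(label, check_new_file_alerts(OSSEC_CONF, DEFAULT_RULES, local))
```

Run as-is to see the three cases: the poster's situation (alert_new_files set, no local rule) yields level 0 and no alert; the overwrite from the reply yields level 7; a duplicate id without overwrite="yes" is flagged and leaves the shipped level in place.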