Thank you! That worked.
On 2 Apr., 12:49, "Daniel Cid" <[EMAIL PROTECTED]> wrote:
> Hi Sebastian,
>
> You also need a local rule for it to work. By default we ignore any
> alerts of new files (look inside ossec_rules.xml).
>
> <rule id="554" level="0">
>   <category>ossec</category>
>   <decoded_as>syscheck_new_entry</decoded_as>
>   <description>File added to the system.</description>
>   <group>syscheck,</group>
> </rule>
>
> So if you overwrite this rule in local_rules.xml, you will get your alerts:
>
> <rule id="554" level="7" overwrite="yes">
>   <category>ossec</category>
>   <decoded_as>syscheck_new_entry</decoded_as>
>   <description>File added to the system.</description>
>   <group>syscheck,</group>
> </rule>
>
> Btw, sorry for the delay getting back to you... I am working hard on
> v1.5, of which a beta should be out soon (expect lots of good new
> features).
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Tue, Mar 25, 2008 at 7:59 AM, skoesters <[EMAIL PROTECTED]> wrote:
>
> > No one has a hint for me?
> > I do not get the <alert_new_files> to work.
> >
> > On Mar 12, 6:25 pm, Sebastian Kösters <[EMAIL PROTECTED]> wrote:
> > > Hi again.
> > >
> > > I also have a problem with the "alert_new_files" option.
> > >
> > > I configured it on my server:
> > >
> > > <directories check_all="yes">/etc,/sbin,/bin,/usr/bin,/usr/sbin,/usr/local/bin,/usr/local/sbin</directories>
> > > <alert_new_files>yes</alert_new_files>
> > >
> > > For testing I created a new file in /etc.
> > >
> > > I never got any alert for the created file, but I always get a message
> > > when an (already existing) file changes.
> > >
> > > Like this:
> > >
> > > Integrity checksum changed for: '/etc/hosts'
> > > Size changed from '126' to '108'
> > > Old md5sum was: '5de5b1287352f8f8ceecb52566de1962'
> > > New md5sum is : '6575c0c69ce2acec955f990f13e14fd7'
> > > Old sha1sum was: 'ed1a5309ea8bca35c3f06242c679e64e4a79a819'
> > > New sha1sum is : '7c68ad122cde5fcf298eab0c2bc79434b0b98ba6'
> > >
> > > Any idea?
> > >
> > > Kind regards
> > > Sebastian
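
An added example, not part of the original thread and not OSSEC code: a small Python check for the two conditions discussed above, namely `<alert_new_files>` set to `yes` inside `<syscheck>` and rule 554 overwritten with a non-zero level. The function names are hypothetical and the sample configuration strings are constructed from the snippets quoted in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample input, modelled on the snippets quoted in the thread.
SAMPLE_CONF = """<ossec_config>
  <syscheck>
    <directories check_all="yes">/etc,/sbin,/bin</directories>
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</ossec_config>"""
SAMPLE_RULES = """<group name="local,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>"""

def _parse(text):
    # OSSEC files may hold several top-level elements, so wrap them in a
    # synthetic root before handing the text to a strict XML parser.
    return ET.fromstring("<root>" + text + "</root>")

def new_file_alerts_enabled(ossec_conf):
    """True if a <syscheck> block sets <alert_new_files> to yes."""
    nodes = _parse(ossec_conf).findall(".//syscheck/alert_new_files")
    return any((n.text or "").strip().lower() == "yes" for n in nodes)

def rule_554_level(local_rules):
    """Level of an overwriting rule 554, or None if there is no override."""
    for rule in _parse(local_rules).iter("rule"):
        if rule.get("id") == "554" and rule.get("overwrite") == "yes":
            return int(rule.get("level", "0"))
    return None

def diagnose(ossec_conf, local_rules):
    """List the reasons why new-file alerts would stay silent."""
    problems = []
    if not new_file_alerts_enabled(ossec_conf):
        problems.append("alert_new_files is not set to yes in <syscheck>")
    level = rule_554_level(local_rules)
    if level is None:
        problems.append("rule 554 is not overwritten in local_rules.xml")
    elif level == 0:
        problems.append("rule 554 override still has level 0")
    return problems

if __name__ == "__main__":
    print(diagnose(SAMPLE_CONF, SAMPLE_RULES) or "new-file alerts should fire")
```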
