I know I'm just doing something wrong but I can't seem to find out
what it is. I need to alert on new files and it's simply not working
(and yes, I know I have to wait for syscheck to run, I lowered the
frequency). I am using the latest 2.1 (just downloaded yesterday). Any
help would be most appreciated. The relevant config is as follows:
ossec.conf:
<frequency>1200</frequency>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
<alert_new_files>yes</alert_new_files>
<auto_ignore>no</auto_ignore>
local_rules.xml:
<rule id="100003" level="7">
<if_sid>554</if_sid>
<description>NEW FILE!!!</description>
</rule>
I added new files to an Ubuntu system and an OpenSolaris system: no
alerts, and no messages in the log about an alert. Thanks in advance
Billford
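The following is an added example, not part of the original post or of OSSEC itself: a small model of what syscheck does with the posted configuration. It parses a syscheck fragment shaped like the one above (the comment closed properly), builds a baseline of file hashes for the configured directories, rescans, and reports files that were absent from the baseline, which is the condition that `alert_new_files` is meant to turn into a rule 554 event. The directories scanned in the demo are created in a temporary folder so it runs offline; the config text is a constructed sample and the function names are my own.

```python
"""Model of OSSEC syscheck new-file detection (added example, not OSSEC code)."""
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample modelled on the posted fragment, with the comment closed.
SAMPLE_SYSCHECK = """
<syscheck>
  <frequency>1200</frequency>
  <!-- Directories to check (perform all possible verifications) -->
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>
  <alert_new_files>yes</alert_new_files>
  <auto_ignore>no</auto_ignore>
</syscheck>
"""


def parse_syscheck(xml_text):
    """Return (frequency, [directories], alert_new_files) from a <syscheck> block."""
    root = ET.fromstring(xml_text.strip())
    dirs = []
    for node in root.findall("directories"):
        dirs.extend(d.strip() for d in (node.text or "").split(",") if d.strip())
    alert_new = root.findtext("alert_new_files", "no").strip().lower() == "yes"
    freq = int(root.findtext("frequency", "0"))
    return freq, dirs, alert_new


def sha1_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(dirs):
    """Map every regular file under dirs to its SHA-1: the baseline database."""
    db = {}
    for d in dirs:
        for dirpath, _, names in os.walk(d):
            for n in names:
                p = os.path.join(dirpath, n)
                if os.path.isfile(p):
                    db[p] = sha1_of(p)
    return db


def compare(baseline, current, alert_new_files):
    """Return sorted (kind, path) events, kind in {'new', 'changed', 'deleted'}.
    New files are reported only when alert_new_files is on, mirroring the switch."""
    events = []
    for p, h in current.items():
        if p not in baseline:
            if alert_new_files:
                events.append(("new", p))
        elif baseline[p] != h:
            events.append(("changed", p))
    for p in baseline:
        if p not in current:
            events.append(("deleted", p))
    return sorted(events)


def demo(alert_new_files=True):
    """Baseline a temp dir, then modify one file and drop a new one, and rescan.
    Returns just the event kinds so the behaviour is easy to check."""
    with tempfile.TemporaryDirectory() as root:
        existing = os.path.join(root, "existing.conf")
        with open(existing, "w") as f:
            f.write("original\n")
        baseline = scan([root])          # first scan: no events are raised
        with open(existing, "a") as f:
            f.write("tampered\n")        # content change -> 'changed'
        with open(os.path.join(root, "dropped.sh"), "w") as f:
            f.write("#!/bin/sh\n")       # not in baseline -> 'new'
        kinds = [k for k, _ in compare(baseline, scan([root]), alert_new_files)]
    return kinds


if __name__ == "__main__":
    print(parse_syscheck(SAMPLE_SYSCHECK))
    print(demo())
```

Note how the first `scan()` only seeds the database: nothing is reported until a second pass sees a difference, which is why any checker of this kind needs a completed baseline run before added files can show up at all.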