New file detection is not alerted on by default:
You can find the rule in ossec_rules.xml:
    <rule id="554" level="0">
      <category>ossec</category>
      <decoded_as>syscheck_new_entry</decoded_as>
      <description>File added to the system.</description>
      <group>syscheck,</group>
    </rule>
You can change the level on that specific rule, but remember that this will be
overwritten if you upgrade.
A more gracious solution would be to add a rule to local_rules.xml:
    <rule id="100001" level="3">
      <if_sid>554</if_sid>
      <description>new file detected</description>
    </rule>
KR,
W
On 05 Mar 2010, at 23:05, dburkland wrote:
> Hello all,
>
> I am new to the OSSEC scene and after doing some research, I could not
> find any trace of realtime detection of new files in the current
> version of OSSEC. Do you know if there is some way to enable this
> feature or if not when it is planned to be included in OSSEC's feature
> set?
>
> Thank you,
>
> Dan
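As an added illustration (not part of the thread above, and not OSSEC's own code), the following Python script models how the two rule fragments chain: rule 554 matches the syscheck_new_entry decoder at level 0 (never alerted), and a local rule whose if_sid points at 554 takes over and supplies the level that is actually alerted on. It also lints a local_rules.xml fragment so that the override does not collide with stock rule ids. Assumptions are labelled in the code: the rule XML is a constructed copy of what the reply shows, the alert threshold of 1 is OSSEC's default log_alert_level, the 100000-119999 range is the one OSSEC reserves for user rules, and the chaining logic is a simplification (first child rule naming the current id wins; real OSSEC evaluates further conditions on child rules).

```python
import xml.etree.ElementTree as ET

# Constructed copies of the two rule fragments from the mail; not the real OSSEC files.
OSSEC_RULES_XML = """<group name="syscheck,">
  <rule id="554" level="0">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>"""

LOCAL_RULES_XML = """<group name="local,syscheck,">
  <rule id="100001" level="3">
    <if_sid>554</if_sid>
    <description>new file detected</description>
  </rule>
</group>"""

# Assumption: ossec.conf <alerts><log_alert_level> defaults to 1, so level-0 rules never alert.
DEFAULT_LOG_ALERT_LEVEL = 1
# Assumption: OSSEC reserves ids 100000-119999 for user-defined (local) rules.
LOCAL_RULE_ID_RANGE = range(100000, 120000)


def load_rules(*xml_docs):
    """Parse <rule> elements from one or more rule files, keeping load order."""
    rules = []
    for doc in xml_docs:
        for elem in ET.fromstring(doc).iter("rule"):
            if_sid = elem.findtext("if_sid") or ""
            rules.append({
                "id": elem.get("id"),
                "level": int(elem.get("level", "0")),
                "decoded_as": elem.findtext("decoded_as"),
                "if_sid": [s.strip() for s in if_sid.split(",") if s.strip()],
                "description": elem.findtext("description"),
            })
    return rules


def match_event(rules, decoder_name, max_depth=16):
    """Return the rule that ends up firing for an event decoded by decoder_name.

    Simplified OSSEC chaining: match a top-level rule by <decoded_as>, then keep
    descending into the first rule whose <if_sid> names the current rule. The
    last rule in the chain is the one whose level is reported.
    """
    current = next((r for r in rules
                    if r["decoded_as"] == decoder_name and not r["if_sid"]), None)
    for _ in range(max_depth):
        if current is None:
            break
        child = next((r for r in rules if current["id"] in r["if_sid"]), None)
        if child is None:
            break
        current = child
    return current


def effective_alert(rules, decoder_name, log_alert_level=DEFAULT_LOG_ALERT_LEVEL):
    """Summarise which rule fires for the event and whether it clears the alert threshold."""
    rule = match_event(rules, decoder_name)
    if rule is None:
        return None
    return {"rule_id": rule["id"], "level": rule["level"],
            "alerted": rule["level"] >= log_alert_level}


def check_local_rules(local_xml, base_xml):
    """Lint a local_rules.xml fragment: ids in the user range, if_sid targets exist."""
    base_ids = {r["id"] for r in load_rules(base_xml)}
    problems = []
    for r in load_rules(local_xml):
        if int(r["id"]) not in LOCAL_RULE_ID_RANGE:
            problems.append(f"rule {r['id']}: id outside the local range 100000-119999")
        for parent in r["if_sid"]:
            if parent not in base_ids:
                problems.append(f"rule {r['id']}: if_sid {parent} does not exist")
    return problems


if __name__ == "__main__":
    stock = load_rules(OSSEC_RULES_XML)
    with_local = load_rules(OSSEC_RULES_XML, LOCAL_RULES_XML)
    print("stock rules only:", effective_alert(stock, "syscheck_new_entry"))
    print("with local rule: ", effective_alert(with_local, "syscheck_new_entry"))
    print("lint:", check_local_rules(LOCAL_RULES_XML, OSSEC_RULES_XML) or "ok")
```

Running it shows the stock rule set resolving to rule 554 at level 0 (not alerted) and the combined set resolving to rule 100001 at level 3 (alerted), which is exactly why the local_rules.xml override survives an upgrade while an edit to 554 in ossec_rules.xml does not.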