I got it working by setting it on the manager and modifying local_rules.xml. Is it possible to alert for new files in real time? It seems it only alerts after scheduled scanning.

Thanks.

On Tue, Mar 9, 2010 at 7:07 PM, Devendra Agrawal <[email protected]> wrote:
> That was my mistake when posting the issue. I commented them out when it was not
> working. Do I need to set those parameters on the agent host or the manager
> host? Do I need to restart both manager and agent? My manager is Red Hat
> kernel 2.4 but agent is 2.6.
>
> Thanks
>
> On Tue, Mar 9, 2010 at 2:53 PM, dan (ddp) <[email protected]> wrote:
>
>> The "<!--" and "-->" designate anything in between them as commented
>> out. Remove them and things may work a bit more like you'd expect.
>>
>> On Tue, Mar 9, 2010 at 2:26 PM, Devendra Agrawal
>> <[email protected]> wrote:
>> > Hi,
>> >
>> > I want to know the syntax for the auto_ignore and alert_new_files options. I
>> > tried the following and restarted the agent services but it doesn't
>> > alert as expected. I also have realtime check enabled.
>> >
>> > <syscheck>
>> >   <!-- Frequency that syscheck is executed - default to every 22 hours -->
>> >   <frequency>79200</frequency>
>> >   <!-- auto_ignore>no</auto_ignore-->
>> >   <!-- alert_new_files>yes</alert_new_files -->
>> >   <!-- Directories to check (perform all possible verifications) -->
>> >   <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>> >   <directories realtime="yes" check_all="yes">/bin,/sbin</directories>
>> >
>> >   <!-- Files/directories to ignore -->
>> >   <ignore>/etc/mtab</ignore>
>> >   <ignore>/etc/mnttab</ignore>
>> >   <ignore>/etc/hosts.deny</ignore>
>> >   <ignore>/etc/mail/statistics</ignore>
>> >   <ignore>/etc/random-seed</ignore>
>> >   <ignore>/etc/adjtime</ignore>
>> >   <ignore>/etc/httpd/logs</ignore>
>> >   <ignore>/etc/utmpx</ignore>
>> >   <ignore>/etc/wtmpx</ignore>
>> >   <ignore>/etc/cups/certs</ignore>
>> >   <ignore>/etc/dumpdates</ignore>
>> >   <ignore>/etc/svc/volatile</ignore>
>> > </syscheck>
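The thread ends with the options uncommented on the manager and "modifying local_rules.xml", but does not show either file. The following is an added example of what that manager-side configuration looks like; it is not a file posted by any participant and not taken from OSSEC's own distribution. It assumes the stock OSSEC layout (`/var/ossec/etc/ossec.conf`, `/var/ossec/rules/local_rules.xml`) and that new-file events decode to OSSEC's rule 554 ("File added to the system"), which ships at level 0 and therefore never produces an alert until it is overridden; the level 7 chosen here is arbitrary.

```xml
<!-- File 1: /var/ossec/etc/ossec.conf on the MANAGER (added example, not the
     thread's own config). Same syscheck block as in the thread, with the two
     options taken out of their comment markers so they are actually parsed. -->
<ossec_config>
  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours.
         As observed in the thread, a file that is created (rather than
         modified) is only reported at the next scheduled scan, so this
         value bounds how long a new file can go unreported. -->
    <frequency>79200</frequency>

    <!-- Previously "<!-- auto_ignore>no</auto_ignore-->", i.e. ignored.
         "no" keeps reporting files that change frequently instead of
         silently dropping them after repeated changes. -->
    <auto_ignore>no</auto_ignore>

    <!-- Previously "<!-- alert_new_files>yes</alert_new_files -->", i.e. ignored.
         "yes" makes the manager generate an event for files not in its
         syscheck database; on its own this still alerts at level 0. -->
    <alert_new_files>yes</alert_new_files>

    <!-- Directories to check (perform all possible verifications) -->
    <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories realtime="yes" check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
  </syscheck>
</ossec_config>

<!-- File 2: /var/ossec/rules/local_rules.xml on the MANAGER (added example).
     Rule 554 is OSSEC's stock "File added to the system." rule at level 0;
     overwrite="yes" replaces its level so the new-file event becomes an
     alert. The rule id and decoder name are assumed to match the 2.x
     releases discussed in the thread. -->
<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
```

Both files live on the manager, and the manager has to be restarted for either change to take effect. A quick way to confirm the override took is to create a file under one of the monitored directories on an agent and check `/var/ossec/logs/alerts/alerts.log` on the manager for a level 7 "File added to the system." entry after the next syscheck run; if it appears only after the scheduled scan rather than immediately, that matches the behaviour described at the top of this thread.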
