I've changed the required rule 554 to level 7 and the rule is as follows. Is 
this correct for alerting on new files as documented? Thank you, Christian...

<rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <match>\system32\</match>
    <description>File added to the system.</description>
    <group>syscheck,</group>
</rule>
Christian L. Kovac
Sr Network Support Analyst
Information Technology & Project Management
Metro-North Railroad
[email protected] 
212-499-4642

THINK GREEN - Do you really need to print this e-mail?
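A quick way to sanity-check a local rule like the one above before reloading the manager is to parse it and try it against a few constructed syscheck paths. The script below is an added example, not code from the OSSEC project or from the poster; it treats `<match>` as a plain case-insensitive substring test (a simplification of OSSEC's matcher, assumed here), wraps the posted rule in a `<group>` element as a local_rules.xml file would, and uses constructed sample paths rather than real alerts.

```python
"""Check a posted OSSEC local rule and try it against constructed syscheck events.

Added example; not code from the OSSEC project. It assumes <match> behaves as a
case-insensitive substring test (a simplification of OSSEC's matcher) and uses
constructed sample paths, not real alerts.
"""
import xml.etree.ElementTree as ET

# Constructed copy of the posted rule, wrapped in the <group> element a
# local_rules.xml file would normally carry (assumption).
RULE_XML = """<group name="local,syscheck,">
<rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <match>\\system32\\</match>
    <description>File added to the system.</description>
    <group>syscheck,</group>
</rule>
</group>"""

# Constructed file paths as a syscheck "new file" event would carry them.
SAMPLE_EVENTS = [
    r"C:\Windows\system32\drivers\newdriver.sys",
    r"C:\Windows\System32\newlib.dll",
    r"C:\Users\analyst\Desktop\notes.txt",
]


def load_rule(xml_text, rule_id):
    """Return the attributes and child values of rule <rule_id> as a dict."""
    root = ET.fromstring(xml_text)
    for rule in root.iter("rule"):
        if rule.get("id") == rule_id:
            return {
                "id": rule.get("id"),
                "level": int(rule.get("level", "0")),
                "overwrite": rule.get("overwrite") == "yes",
                "decoded_as": rule.findtext("decoded_as"),
                "match": rule.findtext("match"),
                "groups": [g for g in (rule.findtext("group") or "").split(",") if g],
            }
    raise KeyError("rule %s not found" % rule_id)


def check_rule(rule):
    """Return a list of problems; an empty list means the rule is shaped for new-file alerting."""
    problems = []
    if rule["level"] < 1:
        problems.append("level 0 means the event is dropped without an alert")
    if not rule["overwrite"]:
        problems.append('without overwrite="yes" a second rule with id 554 clashes with the stock one')
    if rule["decoded_as"] != "syscheck_new_entry":
        problems.append("decoded_as must be syscheck_new_entry to see new-file events")
    if "syscheck" not in rule["groups"]:
        problems.append("group should include syscheck")
    return problems


def rule_fires(rule, event_path):
    """Simplified matcher: case-insensitive substring test (assumption, see module docstring)."""
    pattern = rule["match"]
    if pattern is None:
        return True  # no <match> means every decoded event of that type fires
    return pattern.lower() in event_path.lower()


def evaluate(xml_text=RULE_XML, events=SAMPLE_EVENTS, rule_id="554"):
    """Return (problems, paths_that_fire) for the rule against the sample events."""
    rule = load_rule(xml_text, rule_id)
    return check_rule(rule), [p for p in events if rule_fires(rule, p)]


if __name__ == "__main__":
    problems, fired = evaluate()
    print("problems:", problems or "none")
    for path in fired:
        print("would alert on:", path)
```

Run it as-is to see which of the constructed paths the posted rule would alert on; to see the checker catch a common mistake, lower `level="7"` to `level="0"` in `RULE_XML` and the problems list is no longer empty.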
