Hi Christian,

You also need to set "alert_new_files" to "yes" inside the syscheck config:

http://www.ossec.net/wiki/Know_How:Syscheck

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Mon, May 17, 2010 at 2:29 PM, <[email protected]> wrote:
> I've changed the rules required 554 to level 7 and the rule is as follows. Is
> this correct for alerting on new files as documented? Thank You Christian...
>
> <rule id="554" level="7" overwrite="yes">
>   <category>ossec</category>
>   <decoded_as>syscheck_new_entry</decoded_as>
>   <match>\system32\</match>
>   <description>File added to the system.</description>
>   <group>syscheck,</group>
> </rule>
>
> Christian L. Kovac
> Sr Network Support Analyst
> Information Technology & Project Management
> Metro-North Railroad
> [email protected]
> 212-499-4642
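
The two settings discussed in this thread have to agree before a new-file alert fires, so the following added example (not part of the original e-mails and not OSSEC's own code) checks both in one pass. The function name, the sample `ossec.conf` and rules text are constructed for illustration, and the check assumes rule 554 produces no alert unless a local override raises its level above 0.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from a real host).
OSSEC_CONF = r"""
<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</ossec_config>
"""

LOCAL_RULES = r"""
<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <match>\system32\</match>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
"""


def _parse(text):
    # OSSEC files may hold several top-level elements, so wrap them in one root.
    return ET.fromstring("<root>" + text + "</root>")


def new_file_alert_problems(conf_text, rules_text):
    """Return the reasons why new-file alerts would not fire (empty list = OK)."""
    problems = []
    nodes = _parse(conf_text).findall(".//syscheck/alert_new_files")
    flags = [(e.text or "").strip().lower() for e in nodes]
    if "yes" not in flags:
        problems.append("alert_new_files is not set to yes inside <syscheck>")
    rule = None
    for r in _parse(rules_text).iter("rule"):
        if r.get("id") == "554":
            rule = r  # simplified: the last definition found is the one checked
    if rule is None:
        problems.append("no local override of rule 554 found")
    elif int(rule.get("level", "0")) < 1:
        problems.append("rule 554 is at level 0, so no alert is generated")
    return problems
```
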
