I have that also. Here is the setting; maybe I'm missing something else. I
changed the frequency:
<syscheck>
  <!-- Frequency that syscheck is executed - default to every 22 hours -->
  <frequency>792</frequency>
  <alert_new_files>yes</alert_new_files>
  <!-- Directories to check (perform all possible verifications) -->
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>
Christian L. Kovac
Sr Network Support Analyst
Information Technology & Project Management
Metro-North Railroad
[email protected]
212-499-4642
THINK GREEN - Do you really need to print this e-mail?
>>> Daniel Cid <[email protected]> 5/18/2010 8:00 AM >>>
Hi Christian,
You also need to set "alert_new_files" to "yes" inside the syscheck config:
http://www.ossec.net/wiki/Know_How:Syscheck
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Mon, May 17, 2010 at 2:29 PM, <[email protected]> wrote:
> I've changed the rule required, 554, to level 7, and the rule is as follows. Is
> this correct for alerting on new files as documented? Thank you, Christian...
>
> <rule id="554" level="7" overwrite="yes">
>   <category>ossec</category>
>   <decoded_as>syscheck_new_entry</decoded_as>
>   <match>\system32\</match>
>   <description>File added to the system.</description>
>   <group>syscheck,</group>
> </rule>
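The two prerequisites this thread settles on (alert_new_files set to yes in the syscheck block, and rule 554 raised above its default level 0) can be checked mechanically before waiting for the next scan. The script below is an added example, not OSSEC's own tooling or code from anyone in this thread; the ossec.conf and local_rules.xml fragments inside it are constructed for illustration, and rule 554 is assumed to be defined in the rules file being checked.

```python
import xml.etree.ElementTree as ET
# Constructed ossec.conf fragment: frequency lowered, alert_new_files missing.
CONF_BEFORE = """<ossec_config>
  <syscheck>
    <frequency>792</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>
</ossec_config>"""
# Constructed corrected fragment: alert_new_files enabled.
CONF_AFTER = CONF_BEFORE.replace(
    "<frequency>792</frequency>",
    "<frequency>792</frequency>\n    <alert_new_files>yes</alert_new_files>")

# Constructed local_rules.xml: rule 554 still at its default level 0.
RULES_BEFORE = """<group name="syscheck,">
  <rule id="554" level="0" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>"""
RULES_AFTER = RULES_BEFORE.replace('level="0"', 'level="7"')

def alert_new_files_enabled(conf_xml):
    """True if any <syscheck> block contains <alert_new_files>yes</alert_new_files>."""
    for sc in ET.fromstring(conf_xml).iter("syscheck"):
        if sc.findtext("alert_new_files", default="no").strip().lower() == "yes":
            return True
    return False

def rule_level(rules_xml, rule_id="554"):
    """Level of the last definition of rule_id (a later overwrite wins); None if absent."""
    level = None
    for rule in ET.fromstring(rules_xml).iter("rule"):
        if rule.get("id") == rule_id:
            level = int(rule.get("level", "0"))
    return level

def new_file_alerts_work(conf_xml, rules_xml):
    """Both settings from the thread are needed: the flag and a non-zero level."""
    lvl = rule_level(rules_xml)
    return alert_new_files_enabled(conf_xml) and lvl is not None and lvl > 0

if __name__ == "__main__":
    print("before:", new_file_alerts_work(CONF_BEFORE, RULES_BEFORE))  # False
    print("after: ", new_file_alerts_work(CONF_AFTER, RULES_AFTER))    # True
```

A real ossec.conf may contain several top-level <ossec_config> blocks, which ElementTree will not parse as one document; wrap the file in a single root element first.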