On Fri, Aug 6, 2010 at 8:17 AM, [email protected]
<[email protected]> wrote:
> I installed an rpm which creates a binary in /usr/sbin. As per the below
> rules which I mentioned in ossec.conf for server and clients, it is
> not generating mails. I even tried to touch a file inside /usr/sbin,
> not getting alerts :(
>
> Snippet from ossec.conf
>
> <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> <directories realtime="yes" check_all="yes">/bin,/sbin</directories>
> <alert_new_files>yes</alert_new_files>
>
>
> I ran the below command too, but it is not showing any newly created file
>
> ./syscheck_control -i 017
>
> Changes for 2010 Aug 05:
> 2010 Aug 05 17:22:41,0 - /var/ossec/etc/ossec.conf
> 2010 Aug 05 17:26:49,0 - /etc/shadow-
> 2010 Aug 05 17:26:53,0 - /etc/shadow
> 2010 Aug 05 17:27:27,0 - /etc/ssh/sshd_config
> 2010 Aug 05 17:27:31,0 - /etc/passwd-
>
> Changes for 2010 Aug 06:
> 2010 Aug 06 16:51:08,0 - /var/ossec/etc/ossec.conf
> 2010 Aug 06 16:55:18,0 - /etc/shadow-
> 2010 Aug 06 16:55:22,0 - /etc/shadow
> 2010 Aug 06 16:55:56,0 - /etc/ssh/sshd_config
> 2010 Aug 06 16:56:00,0 - /etc/passwd-
>
> Any help will be appreciated.
>
> Regards,
> Anoop Mohan
>
Do you have a rule to alert on new files?
<rule id="554" level="7" overwrite="yes">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to the system.</description>
<group>syscheck,</group>
</rule>
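As an added illustration (not part of the thread and not OSSEC's own code): a small Python check that parses the syscheck snippet from the question and the rule 554 override from the reply, and lists why a file created under a monitored directory would or would not be mailed. It assumes the stock mail threshold of 7 (adjust `mail_level` to your `<email_alert_level>`) and uses a simple path-prefix match as a stand-in for syscheck's own directory matching.

```python
import xml.etree.ElementTree as ET

# Constructed sample config, modelled on the snippet in the thread.
OSSEC_CONF = """<ossec_config><syscheck>
<directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories realtime="yes" check_all="yes">/bin,/sbin</directories>
<alert_new_files>yes</alert_new_files>
</syscheck></ossec_config>"""

# Constructed local_rules.xml carrying the rule 554 override from the reply.
LOCAL_RULES = """<group name="syscheck,">
<rule id="554" level="7" overwrite="yes">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to the system.</description>
<group>syscheck,</group>
</rule>
</group>"""


def _parse(xml_text):
    # ossec.conf may repeat its <ossec_config> root, so wrap it in a synthetic root.
    return ET.fromstring("<root>" + xml_text + "</root>")


def is_monitored(conf_xml, path):
    """True if some <directories> entry covers `path` (simplified prefix match)."""
    for entry in _parse(conf_xml).iter("directories"):
        for prefix in (p.strip() for p in (entry.text or "").split(",")):
            if prefix and (path == prefix or path.startswith(prefix.rstrip("/") + "/")):
                return True
    return False


def new_file_rule_level(rules_xml):
    """Level of an overriding rule 554, else 0 (the stock rule's level, which never alerts)."""
    for rule in _parse(rules_xml).iter("rule"):
        if rule.get("id") == "554" and rule.get("overwrite") == "yes":
            return int(rule.get("level", "0"))
    return 0


def missing_for_new_file_alert(conf_xml, rules_xml, path, mail_level=7):
    """Reasons a file created at `path` would not be mailed (empty list means it would)."""
    conf = _parse(conf_xml)
    problems = []
    if not is_monitored(conf_xml, path):
        problems.append("no <directories> entry covers " + path)
    if (conf.findtext(".//alert_new_files") or "").strip() != "yes":
        problems.append("<alert_new_files> is not set to yes")
    level = new_file_rule_level(rules_xml)
    if level == 0:
        problems.append("rule 554 is not overridden above level 0, so no alert is raised")
    elif level < mail_level:
        problems.append("rule 554 level %d is below the mail threshold %d" % (level, mail_level))
    return problems
```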