I put the below in the ossec rules and restarted. Still the email alert is not coming. :(

On Aug 7, 6:17 am, "dan (ddp)" <[email protected]> wrote:
> On Fri, Aug 6, 2010 at 8:17 AM, [email protected] <[email protected]> wrote:
> > I installed an rpm which creates a binary in /usr/sbin. As per the below
> > rules which I mentioned in ossec.conf for server and clients, it is
> > not generating mails. Even I tried to touch a file inside /usr/sbin,
> > not getting alerts :(
> >
> > Snippet from ossec.conf
> >
> > <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> > <directories realtime="yes" check_all="yes">/bin,/sbin</directories>
> > <alert_new_files>yes</alert_new_files>
> >
> > I ran the below command too, but it is not showing any newly created file
> >
> > ./syscheck_control -i 017
> >
> > Changes for 2010 Aug 05:
> > 2010 Aug 05 17:22:41,0 - /var/ossec/etc/ossec.conf
> > 2010 Aug 05 17:26:49,0 - /etc/shadow-
> > 2010 Aug 05 17:26:53,0 - /etc/shadow
> > 2010 Aug 05 17:27:27,0 - /etc/ssh/sshd_config
> > 2010 Aug 05 17:27:31,0 - /etc/passwd-
> >
> > Changes for 2010 Aug 06:
> > 2010 Aug 06 16:51:08,0 - /var/ossec/etc/ossec.conf
> > 2010 Aug 06 16:55:18,0 - /etc/shadow-
> > 2010 Aug 06 16:55:22,0 - /etc/shadow
> > 2010 Aug 06 16:55:56,0 - /etc/ssh/sshd_config
> > 2010 Aug 06 16:56:00,0 - /etc/passwd-
> >
> > Any help will be appreciated.
> >
> > Regards,
> > Anoop Mohan
>
> Do you have a rule to alert on new files?
>
> <rule id="554" level="7" overwrite="yes">
>   <category>ossec</category>
>   <decoded_as>syscheck_new_entry</decoded_as>
>   <description>File added to the system.</description>
>   <group>syscheck,</group>
> </rule>
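The thread above turns on four settings that all have to line up before a new file under a syscheck directory becomes an e-mail: alert_new_files on the manager, a local override of rule 554 (which ships at level 0 and is therefore never alerted on), that override sitting at or above email_alert_level (default 7), and email_notification plus an email_to. The script below is an added example, not code from the thread or from the OSSEC project: it parses the text of ossec.conf and local_rules.xml and lists which of those prerequisites is missing. The two sample configurations inside it are constructed for the example; the element and attribute names are the real OSSEC ones.

```python
"""Check the settings an OSSEC e-mail alert for a new file depends on.

Added example, not code from the ossec-list thread or from OSSEC itself.
Sample configs below are constructed; OSSEC element names are real.
"""
import xml.etree.ElementTree as ET

DEFAULT_EMAIL_ALERT_LEVEL = 7      # OSSEC default for <alerts><email_alert_level>
NEW_FILE_DECODER = "syscheck_new_entry"

# Constructed sample: everything the thread asks for is present.
GOOD_OSSEC_CONF = """
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>soc@example.com</email_to>
  </global>
  <alerts>
    <email_alert_level>7</email_alert_level>
  </alerts>
  <syscheck>
    <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories realtime="yes" check_all="yes">/bin,/sbin</directories>
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</ossec_config>
"""
# Constructed sample: no mail settings and alert_new_files switched off.
BAD_OSSEC_CONF = """
<ossec_config>
  <syscheck>
    <directories realtime="yes" check_all="yes">/usr/sbin</directories>
    <alert_new_files>no</alert_new_files>
  </syscheck>
</ossec_config>
"""
# Constructed sample local_rules.xml carrying the override from the thread.
GOOD_LOCAL_RULES = """
<group name="local,syslog,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
"""
# Same rule at a level below the mail threshold and without overwrite="yes".
BAD_LOCAL_RULES = GOOD_LOCAL_RULES.replace('level="7" overwrite="yes"', 'level="5"')


def _parse_fragments(text):
    """OSSEC files are not single-rooted XML (ossec.conf may hold several
    <ossec_config> blocks), so wrap them in a synthetic root before parsing.
    Assumes no <?xml ...?> declaration at the top of the file."""
    return ET.fromstring("<root>" + text + "</root>")


def _text(el):
    return (el.text or "").strip()


def syscheck_settings(ossec_conf):
    """Collect the syscheck and mail settings, whichever block they sit in."""
    root = _parse_fragments(ossec_conf)
    s = {"directories": [], "alert_new_files": False, "email_notification": False,
         "email_to": [], "email_alert_level": DEFAULT_EMAIL_ALERT_LEVEL}
    for el in root.iter("directories"):
        s["directories"] += [d.strip() for d in _text(el).split(",") if d.strip()]
    for el in root.iter("alert_new_files"):
        s["alert_new_files"] = _text(el).lower() == "yes"
    for el in root.iter("email_notification"):
        s["email_notification"] = _text(el).lower() == "yes"
    for el in root.iter("email_to"):
        s["email_to"].append(_text(el))
    for el in root.iter("email_alert_level"):
        s["email_alert_level"] = int(_text(el))
    return s


def new_file_rule(rules_xml):
    """Return (level, overwrite) of the first rule matching the new-entry
    decoder, or None when the file defines no such rule."""
    root = _parse_fragments(rules_xml)
    for rule in root.iter("rule"):
        decoded = rule.find("decoded_as")
        if decoded is not None and _text(decoded) == NEW_FILE_DECODER:
            return int(rule.get("level", "0")), rule.get("overwrite", "no").lower() == "yes"
    return None


def diagnose_new_file_email(ossec_conf, local_rules_xml):
    """List the reasons a new file would not produce an e-mail; [] means OK."""
    s = syscheck_settings(ossec_conf)
    problems = []
    if not s["alert_new_files"]:
        problems.append("<alert_new_files> is not 'yes'; syscheck_new_entry is never produced")
    found = new_file_rule(local_rules_xml)
    if found is None:
        problems.append("no local rule for syscheck_new_entry; shipped rule 554 is level 0 and ignored")
    else:
        level, overwrite = found
        if not overwrite:
            problems.append('rule 554 is redefined without overwrite="yes"')
        if level < s["email_alert_level"]:
            problems.append("rule level %d is below email_alert_level %d" % (level, s["email_alert_level"]))
    if not (s["email_notification"] and s["email_to"]):
        problems.append("<email_notification> is not 'yes' or <email_to> is missing")
    return problems


if __name__ == "__main__":
    for name, conf, rules in (("good", GOOD_OSSEC_CONF, GOOD_LOCAL_RULES),
                              ("bad", BAD_OSSEC_CONF, BAD_LOCAL_RULES)):
        print(name, diagnose_new_file_email(conf, rules) or ["ok"])
```

Run it against your own files with `diagnose_new_file_email(open("/var/ossec/etc/ossec.conf").read(), open("/var/ossec/rules/local_rules.xml").read())`. Two things the script does not check but that bite in practice: alert_new_files is read by the manager, so setting it only in the agents' ossec.conf does nothing, and on the OSSEC 2.x releases current in 2010 new files were generally reported only when the scheduled full scan ran (the syscheck `<frequency>`), not by the realtime watch, so wait one scan interval or lower the frequency before concluding the rule is wrong. Instead of raising the level, the override can also carry `<options>alert_by_email</options>`, which mails the alert regardless of email_alert_level. Either way the rule belongs in a file listed under `<rules><include>` (local_rules.xml by default) and the manager needs a restart afterwards.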
