I can't test it, but what about it doesn't work? I usually get alerts about deleted files by default.

On Nov 30, 2011 6:12 AM, "Macus" <[email protected]> wrote:
> I have made the following rules in the rule/local_rule.xml in the OSSEC
> manager. But it seems still cannot delete any file was deleted. How to make
> it work?
>
> <rule id="553" level="5" overwrite="yes">
>   <category>ossec</category>
>   <decoded_as>syscheck_deleted</decoded_as>
>   <description>File deleted. Unable to retrieve checksum.</description>
>   <group>syscheck,</group>
> </rule>
