I tested it on my local Linux server and it works! But it still doesn't work with Windows agents. I have compared two text syscheck databases, first from the Windows agent PC, second from the Linux server; the new file on my Linux server was marked like that: "+++"... Can't understand anything...
On 12/26/11, Daniel Shreterford <[email protected]> wrote:
> Yes I added it in the manager's ossec.conf in var/ossec/etc/
> I added new files into my test directory (which I determined in the
> agent ossec.conf) and restarted ossec's processes.
> Also I changed some files in my directory - I get alerts only that the md5
> and sha1 checksums were changed.
> I'm not sure, maybe I have an error in my local_rules.xml 'cause I have
>> - <rule id="554" level="7" overwrite="yes">
>> <category>ossec</category>
>> <decoded_as>syscheck_new_entry</decoded_as>
>> <description>File added to the system.</description>
>> <group>syscheck,</group>
>> </rule>
>
> between <group name="local,"><group> tags.
>
> On 12/26/11, dan (ddp) <[email protected]> wrote:
>> On Mon, Dec 26, 2011 at 1:02 AM, Daniel Shreterford
>> <[email protected]> wrote:
>>> Hi all! I have installed and configured OSSEC HIDS 2.6, but it still
>>> doesn't work fine.
>>> More details: I edited ossec.conf like that - <alert_new_files>yes</alert_new_files>,
>>> and added the next lines into local_rules.xml
>>>
>>
>> Which ossec.conf? You needed to add this to the manager's ossec.conf.
>>
>>> - <rule id="554" level="7" overwrite="yes">
>>> <category>ossec</category>
>>> <decoded_as>syscheck_new_entry</decoded_as>
>>> <description>File added to the system.</description>
>>> <group>syscheck,</group>
>>> </rule>
>>
>> Did you restart the manager's ossec processes after making these changes?
>>
>>> Also I configured OSSEC for e-mail alerting - it works with other
>>> alert types.
>>> The server side runs on Debian Squeeze and the agent on Windows 7.
>>> I looked into the integrity syscheck text database and did not find a special
>>> mark for new files. New files were marked just like the other files - +++
>>> (first column in var\ossec\queue\syscheck-"your client").
>>> Does somebody have this problem?
>>> I have tried this
>>> http://www.immutablesecurity.com/index.php/2009/10/26/week-of-ossec-day-2-detecting-new-files/
>>> but don't get any results.
>>
>> Did a syscheck scan run after you made the changes? Are you sure there
>> were new files in the appropriate directories?
>>
>
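As an added example (not code from this thread or from OSSEC itself), a small Python check for the two settings the replies ask about: that the manager's ossec.conf turns on <alert_new_files> inside a <syscheck> block, and that local_rules.xml carries a rule 554 override with overwrite="yes" and the syscheck_new_entry decoder. It also rejects smart quotes and primes, which break XML parsing when a rule is pasted from a web page. The sample configuration strings are constructed to mirror the snippets quoted above.

```python
import xml.etree.ElementTree as ET

# Smart quotes and primes that break XML when a rule is pasted from a web page.
CURLY = "\u201c\u201d\u2032\u2033"

def parse_ossec_xml(text):
    """OSSEC files may hold several top-level elements; wrap them in one root."""
    bad = sorted({c for c in text if c in CURLY})
    if bad:
        raise ValueError("non-ASCII quote characters in file: %r" % bad)
    return ET.fromstring("<root>" + text + "</root>")

def alert_new_files_enabled(ossec_conf_text):
    """True if a <syscheck> block in the manager's ossec.conf sets alert_new_files to yes."""
    root = parse_ossec_xml(ossec_conf_text)
    for sc in root.iter("syscheck"):
        if (sc.findtext("alert_new_files") or "").strip().lower() == "yes":
            return True
    return False

def rule_554_override(local_rules_text):
    """Describe the first rule with id 554 in local_rules.xml, or None if absent."""
    root = parse_ossec_xml(local_rules_text)
    for rule in root.iter("rule"):
        if rule.get("id") == "554":
            return {"overwrite": rule.get("overwrite") == "yes",
                    "level": rule.get("level"),
                    "decoded_as": (rule.findtext("decoded_as") or "").strip()}
    return None

# Constructed sample inputs mirroring the snippets quoted in the thread.
SAMPLE_CONF = """<ossec_config>
  <syscheck>
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes">/etc,/usr/bin</directories>
  </syscheck>
</ossec_config>"""

SAMPLE_RULES = """<group name="local,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>"""
```

Run the two functions against the real files under /var/ossec/etc/ and /var/ossec/etc/rules/ on the manager, then restart the manager and trigger a syscheck scan before expecting a rule 554 alert.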
