On Mon, Dec 26, 2011 at 6:21 AM, Daniel Shreterford <[email protected]> wrote:
> I tested it on my local Linux server and it works! But it still doesn't work
> with Windows agents.
> I have compared two text syscheck databases, the first from a Windows agent
> PC, the second from the Linux server; a new file on my Linux server was marked
> like this: "+++"... Can't understand anything...
>

If it's working with one system, it should work with all of them. Are you sure the directory you are adding the new files to is being monitored by syscheck? What options are being used in the "<directories" entry? Try restarting the syscheck processes on the agent. Anything interesting in the ossec.log? This is working fine for me with a number of *nix agents, but troubleshooting Windows issues is a bit difficult. I don't think there should be anything Windows specific here, but you never know.

>
> On 12/26/11, Daniel Shreterford <[email protected]> wrote:
>> Yes, I added it in the manager's ossec.conf in var/ossec/etc/.
>> I added new files into my test directory (which I defined in the
>> agent ossec.conf) and restarted OSSEC's processes.
>> Also I changed some files in my directory; I get alerts only that the md5
>> and sha1 checksums were changed.
>> I'm not sure, maybe I have an error in my local_rules.xml, because I have
>>> <rule id=”554″ level=”7" overwrite="yes"″>
>>> <category>ossec</category>
>>> <decoded_as>syscheck_new_entry</decoded_as>
>>> <description>File added to the system.</description>
>>> <group>syscheck,</group>
>>> </rule>
>>
>> between <group name="local,"></group> tags.
>>
>> On 12/26/11, dan (ddp) <[email protected]> wrote:
>>> On Mon, Dec 26, 2011 at 1:02 AM, Daniel Shreterford
>>> <[email protected]> wrote:
>>>> Hi all! I have installed and configured OSSEC HIDS 2.6, but it still
>>>> doesn't work fine.
>>>> More details: I edited ossec.conf like this: <alert_new_files>yes</alert_new_files>,
>>>> and added the following lines into local_rules.xml
>>>>
>>>
>>> Which ossec.conf? You needed to add this to the manager's ossec.conf.
>>>
>>>> <rule id=”554″ level=”7" overwrite="yes"″>
>>>> <category>ossec</category>
>>>> <decoded_as>syscheck_new_entry</decoded_as>
>>>> <description>File added to the system.</description>
>>>> <group>syscheck,</group>
>>>> </rule>
>>>
>>> Did you restart the manager's ossec processes after making these changes?
>>>
>>>> Also I configured OSSEC for e-mail alerting; it works with other
>>>> alert types.
>>>> The server side runs on Debian Squeeze and the agent on Windows 7.
>>>> I looked at the syscheck integrity text database and did not find a special
>>>> mark for new files. New files were marked just like the other files: +++
>>>> (first column in var\ossec\queue\syscheck-"you client" ).
>>>> Does somebody have this problem?
>>>> I have tried this
>>>> http://www.immutablesecurity.com/index.php/2009/10/26/week-of-ossec-day-2-detecting-new-files/
>>>> but don't get any results.
>>>
>>> Did a syscheck scan run after you made the changes? Are you sure there
>>> were new files in the appropriate directories?
>>>
>>
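An added check for the local_rules.xml override discussed in this thread (editor's example, not OSSEC code and not anything the posters ran): it parses the rules body with Python's XML parser, which rejects the typographic quotes (” and ″) present in the quoted fragment, and then confirms the rule 554 override sits inside a <group> element with overwrite="yes" and decoded_as syscheck_new_entry. Both samples are constructed from the fragment in the thread; the second simply uses plain ASCII quotes.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the rule fragment as quoted in the thread, including the
# typographic quotes around the id and level values.
POSTED = """<group name="local,">
  <rule id=”554″ level=”7" overwrite="yes"″>
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>"""

# Constructed sample: the same override written with plain ASCII double quotes.
CLEAN = """<group name="local,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>"""


def check_rule_554(rules_xml):
    """Return (ok, message) for a local_rules.xml body meant to override rule 554.

    A rules file may hold several top-level <group> elements and has no XML
    declaration, so the text is wrapped in one root before parsing. Only XML
    well-formedness and the settings this thread relies on are checked.
    """
    try:
        root = ET.fromstring("<local_rules>" + rules_xml + "</local_rules>")
    except ET.ParseError as err:
        return False, f"local_rules.xml is not well-formed XML: {err}"
    parent = {child: node for node in root.iter() for child in node}
    rules = [r for r in root.iter("rule") if r.get("id") == "554"]
    if not rules:
        return False, 'no <rule id="554"> found'
    rule = rules[0]
    if parent[rule].tag != "group":
        return False, "rule 554 is not inside a <group name=...> element"
    if rule.get("overwrite") != "yes":
        return False, 'rule 554 lacks overwrite="yes"; the stock rule 554 still applies'
    decoded_as = rule.findtext("decoded_as")
    if decoded_as != "syscheck_new_entry":
        return False, f"rule 554 decoded_as is {decoded_as!r}, expected 'syscheck_new_entry'"
    return True, "rule 554 override parses and has the expected settings"


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("clean", CLEAN)):
        ok, message = check_rule_554(text)
        print(f"{label}: {'OK' if ok else 'PROBLEM'} - {message}")
```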
