On Wed, Jan 4, 2012 at 6:12 AM, Paul <[email protected]> wrote:

> Hello all,
>
> I am having a few problems with the behaviour of OSSEC's new file
> alerting on Windows agents.
>
> We are wanting to do real-time alerting of files being added to
> particular directories. However, I'm getting some slightly unexpected
> behaviour.

Realtime support does not include alerting on new files.

> I can get new file alerts on the manager, but in order to
> get them, I need to:
> - Create the file
> - Wait for syscheck to run
> - Modify the file.

You shouldn't have to modify the file. It works properly on *nix hosts, but I haven't checked Windows. I'm not sure why it wouldn't work there.

> I then get both a 'file creation' alert and a 'file modified' alert -
> the file creation alert is timestamped at the time the syscheck ran,
> and the modified alert at the time the file was modified.
> Unfortunately the directories we're trying to monitor for new files
> are never changed - only added to - so we are not getting any alerts.
>
> I have enabled new file alerts in ossec.conf on the manager, and
> changed rule 554 in ossec_rules.xml to be level 7.

Don't change it in ossec_rules.xml, you'll lose the change when you upgrade.

> Here is the syscheck section from ossec.conf on the Agent:
>
> <syscheck>
>   <disabled>no</disabled>
>   <directories realtime="yes" check_all="yes">C:\MyDirToMonitor</directories>
>   <auto_ignore>no</auto_ignore>
>   <alert_new_files>yes</alert_new_files>
>   <frequency>21600</frequency>
> </syscheck>
>
> Is this expected behaviour? Any suggestions on how to make this work?
>
> Many thanks,
> Paul.
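The upgrade-safe way to raise rule 554 to level 7, as the reply above suggests, is to override it from the manager's local_rules.xml rather than editing ossec_rules.xml. This is an added example, not from the thread or the OSSEC project; it assumes the stock rule 554 matches syscheck_new_entry events and that the manager's rules directory already loads local_rules.xml.

```xml
<!-- /var/ossec/rules/local_rules.xml (path assumed; adjust to your install) -->
<group name="local,syscheck,">

  <!-- Overwrite the stock rule 554 ("File added to the system.") in place.
       overwrite="yes" replaces the built-in definition, so this survives
       an upgrade that rewrites ossec_rules.xml. The matching conditions
       mirror the stock rule; only the level changes (0 -> 7). -->
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>

</group>
```

Because realtime syscheck does not raise new-file events, these alerts will still arrive only on the scheduled scan set by <frequency> on the agent (21600 seconds in the configuration above), so lower that value if faster detection of additions matters more than scan load.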
