Ok, so it turns out my agents are now alerting on new files when the syscheck runs, as expected, i.e. I don't have to modify the file to get the alert. Perhaps I just wasn't being patient enough during testing.
Thanks for the clarification re: realtime alerting on new files and advice re: ossec_rules.xml

On Jan 4, 1:25 pm, "dan (ddp)" <[email protected]> wrote:
> On Wed, Jan 4, 2012 at 6:12 AM, Paul <[email protected]> wrote:
> > Hello all,
> >
> > I am having a few problems with the behaviour of OSSEC's new file
> > alerting on Windows agents.
> >
> > We are wanting to do real-time alerting of files being added to
> > particular directories. However, I'm getting some slightly unexpected
>
> Realtime support does not include alerting on new files.
>
> > behaviour. I can get new file alerts on the manager, but in order to
> > get them, I need to:
> > - Create the file
> > - Wait for syscheck to run
> > - Modify the file.
>
> You shouldn't have to modify the file. It works properly on *nix
> hosts, but I haven't checked Windows. I'm not sure why it wouldn't
> work there.
>
> > I then get both a 'file creation' alert and a 'file modified' alert -
> > the file creation alert is timestamped at the time the syscheck ran,
> > and the modified alert at the time the file was modified.
> > Unfortunately the directories we're trying to monitor for new files
> > are never changed - only added to - so we are not getting any alerts.
> >
> > I have enabled new file alerts in ossec.conf on the manager, and
> > changed rule 554 in ossec_rules.xml to be level 7.
>
> Don't change it in ossec_rules.xml, you'll lose the change when you upgrade.
>
> > Here is the syscheck section from ossec.conf on the Agent:
> > <syscheck>
> > <disabled>no</disabled>
> > <directories realtime="yes" check_all="yes">C:\MyDirToMonitor</directories>
> > <auto_ignore>no</auto_ignore>
> > <alert_new_files>yes</alert_new_files>
> > <frequency>21600</frequency>
> > </syscheck>
> >
> > Is this expected behaviour? Any suggestions on how to make this work?
> >
> > Many thanks,
> > Paul.
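To raise rule 554 to level 7 the way dan suggests, without editing ossec_rules.xml, the override goes in the manager's local_rules.xml. This is an added example, not from the thread; it assumes the stock definition of rule 554 (decoded as syscheck_new_entry, level 0) and relies on OSSEC's overwrite="yes" rule attribute.

```xml
<!-- /var/ossec/rules/local_rules.xml on the OSSEC manager.
     local_rules.xml is kept across upgrades; ossec_rules.xml is replaced,
     which is why dan advises against changing rule 554 there. -->
<group name="local,syscheck,">

  <!-- Rule 554 ("File added to the system.") ships at level 0, so new-file
       events never reach the alert threshold. overwrite="yes" replaces the
       stock rule in place instead of defining a conflicting duplicate id.
       The body below assumes the stock rule's decoder and group. -->
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>

</group>
```

The alert_new_files setting is read from the manager's ossec.conf (as Paul already has it), and new files are reported by the scheduled scan every frequency seconds rather than by realtime monitoring. Restart the manager (ossec-control restart) so ossec-analysisd reloads the rules.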
