Hi All,
I need a second set of eyes.  For some reason I can't seem to get Ossec to 
generate alerts for syscheck rules any longer.  I can use syscheck_control to 
see the files are being recognized as changed, but no actual alerts are being 
generated.

I'm using Ossec 2.6 on Linux for the collector server and testing using a 
variety of clients.  I'm including all of the standard rules.

Here is part of my ossec.conf on the collector server:

<syscheck>
        <frequency>300</frequency>
        <auto_ignore>no</auto_ignore>
        <directories report_changes="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
        <directories report_changes="yes" check_all="yes">/bin,/sbin</directories>
</syscheck>

<alerts>
   <log_alert_level>3</log_alert_level>
   <email_alert_level>3</email_alert_level>
</alerts>
   

I'm sure I'm just missing something, but I simply can't find it so any help 
would be greatly appreciated.

   Patrick Swartz


