I've now tried it again, and again (I tried it a lot of times before) I got no alert caused by a deleted file. So if someone has an idea where my mistake could be, please be so kind and inform me.
Thank you in anticipation.

Best regards

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Thursday, 19 July 2012 15:42
To: [email protected]
Subject: Re: [ossec-list] Detect Deleted Files

On Thu, Jul 19, 2012 at 9:29 AM, Wagner Thomas <[email protected]> wrote:
> Hi!
>
> I’m currently testing OSSEC 2.6 on CentOS and basically it works fine.
> Setup was easy to do and also the configuration of manager and agent
> went fine.
>
> My problem now is that I don’t get alerts if files are deleted (added
> and changed files are reported correctly).
>
> This is my rule for deleted files (nothing changed after the installation):
>
> <rule id="553" level="7">
>   <category>ossec</category>
>   <decoded_as>syscheck_deleted</decoded_as>
>   <description>File deleted. Unable to retrieve checksum.</description>
>   <group>syscheck,</group>
> </rule>
>
> Should it work with that rule or do I have to configure something else
> additionally?
>
> I hope someone knows that problem and can help me!
>
> Best regards,
> Thomas
>
> T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
> Handelsgericht Wien, FN 79340b

I don't think there is any additional configuration you should have to do, just wait for a syscheck scan to run.
