1) I created a new file.
2) I started the syscheck and waited until it ran through. (new file alert was sent)
3) I deleted the new file and started the syscheck again afterwards, and after it ran 
through I still haven't received an alert.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of dan (ddp)
Sent: Thursday, 19 July 2012 16:48
To: [email protected]
Subject: Re: [ossec-list] Detect Deleted Files

On Thu, Jul 19, 2012 at 10:16 AM, Wagner Thomas <[email protected]> 
wrote:
> I've now tried it again, and again (I tried it a lot of times before) I got 
> no alert caused by a deleted file.
> So if someone has an idea where my mistake could be, please be so kind and 
> inform me.
>
> Thank you in anticipation.
>
> Best regards
>

How did you test it?

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] 
> On Behalf Of dan (ddp)
> Sent: Thursday, 19 July 2012 15:42
> To: [email protected]
> Subject: Re: [ossec-list] Detect Deleted Files
>
> On Thu, Jul 19, 2012 at 9:29 AM, Wagner Thomas <[email protected]> 
> wrote:
>> Hi!
>>
>> I’m currently testing OSSEC 2.6 on CentOS and basically it works fine.
>>
>> Setup was easy to do and also the configuration of manager and agent 
>> went fine.
>>
>> My problem now is that I don’t get alerts if files are deleted 
>> (added and changed files are reported correctly).
>>
>> This is my rule for deleted files (nothing changed after the installation):
>>
>>   <rule id="553" level="7">
>>     <category>ossec</category>
>>     <decoded_as>syscheck_deleted</decoded_as>
>>     <description>File deleted. Unable to retrieve checksum.</description>
>>     <group>syscheck,</group>
>>   </rule>
>>
>> Should it work with that rule or do I have to configure something 
>> else additionally?
>>
>> I hope someone knows that problem and can help me!
>>
>> Best regards,
>>
>> Thomas
>
> I don't think there is any additional configuration you should have to do, 
> just wait for a syscheck scan to run.
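
The test described at the top of this thread (create a file, scan, delete it, scan again) can be checked mechanically against the manager's alert log. The following is an added example, not part of the original messages or of OSSEC itself: it assumes the plain-text `alerts.log` layout shown in the constructed sample, and that rule 554 is the stock "file added" rule alongside rule 553 quoted above; the agent name, address and file path are made up.

```python
import re

# Constructed sample in the assumed alerts.log layout; all values are made up.
SAMPLE_ALERTS = """\
** Alert 1342708800.1000: mail  - ossec,syscheck,
2012 Jul 19 16:40:00 (agent1) 192.0.2.10->syscheck
Rule: 554 (level 7) -> 'File added to the system.'
New file '/etc/fim-test' added to the file system.

** Alert 1342709400.2000: mail  - ossec,syscheck,
2012 Jul 19 16:50:00 (agent1) 192.0.2.10->syscheck
Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
File '/etc/fim-test' was deleted. Unable to retrieve checksum.
"""

RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\)", re.M)
PATH_RE = re.compile(r"^(?:New file|File) '(.+?)' ", re.M)
# 553 is the rule quoted in the thread; 554 is assumed to be the new-file rule.
EVENTS = {"554": "added", "553": "deleted"}

def syscheck_events(log_text):
    """Return [(path, event)] for add/delete alerts, in log order."""
    found = []
    # Each alert record starts with a '** Alert ' header line.
    for block in re.split(r"^\*\* Alert ", log_text, flags=re.M)[1:]:
        rule = RULE_RE.search(block)
        path = PATH_RE.search(block)
        if rule and path and rule.group(1) in EVENTS:
            found.append((path.group(1), EVENTS[rule.group(1)]))
    return found

def delete_was_alerted(log_text, path):
    """True only if a 'deleted' alert for path appears after its 'added' alert."""
    seen_added = False
    for p, event in syscheck_events(log_text):
        if p != path:
            continue
        if event == "added":
            seen_added = True
        elif event == "deleted" and seen_added:
            return True
    return False

if __name__ == "__main__":
    print(syscheck_events(SAMPLE_ALERTS))
    print(delete_was_alerted(SAMPLE_ALERTS, "/etc/fim-test"))
```

A `False` result after the second scan has finished reproduces the symptom reported in this thread: the add was alerted but the delete was not.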
