On Thu, Jul 19, 2012 at 10:50 AM, Wagner Thomas <[email protected]> wrote:
> 1) I created a new file.
> 2) I started the syscheck and waited until it ran through. (new file alert was sent)
> 3) I deleted the new file and started the syscheck again afterwards and after it ran through I still haven't received an alert.
>

It's working for me. Check alerts.log to make sure it's not being triggered. Check the syscheck db to see what the entries for the file look like (both after step 2 and after step 3(4)).

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
> Sent: Thursday, July 19, 2012 16:48
> To: [email protected]
> Subject: Re: [ossec-list] Detect Deleted Files
>
> On Thu, Jul 19, 2012 at 10:16 AM, Wagner Thomas <[email protected]> wrote:
>> I've now tried it again, and again (I tried it a lot of times before) I got no alert caused by a deleted file.
>> So if someone has an idea where my mistake could be, please be so kind and inform me.
>>
>> Thank you in anticipation.
>>
>> Best regards
>>
>
> How did you test it?
>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
>> Sent: Thursday, July 19, 2012 15:42
>> To: [email protected]
>> Subject: Re: [ossec-list] Detect Deleted Files
>>
>> On Thu, Jul 19, 2012 at 9:29 AM, Wagner Thomas <[email protected]> wrote:
>>> Hi!
>>>
>>> I'm currently testing OSSEC 2.6 on CentOS and basically it works fine.
>>>
>>> Setup was easy to do and also the configuration of manager and agent went fine.
>>>
>>> My problem now is that I don't get alerts if files are deleted (added and changed files are reported correctly).
>>>
>>> This is my rule for deleted files (nothing changed after the installation):
>>>
>>> <rule id="553" level="7">
>>>   <category>ossec</category>
>>>   <decoded_as>syscheck_deleted</decoded_as>
>>>   <description>File deleted. Unable to retrieve checksum.</description>
>>>   <group>syscheck,</group>
>>> </rule>
>>>
>>> Should it work with that rule or do I have to configure something else additionally?
>>>
>>> I hope someone knows that problem and can help me!
>>>
>>> Best regards,
>>>
>>> Thomas
>>>
>>> T-Systems Austria GesmbH, Rennweg 97-99, 1030 Wien
>>> Handelsgericht Wien, FN 79340b
>>
>> I don't think there is any additional configuration you should have to do, just wait for a syscheck scan to run.
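One way to run the first check dan suggests (looking in alerts.log for rule 553 / syscheck_deleted records), as an added shell example that is not from this thread or from the OSSEC project; the alert records below are constructed to mimic the OSSEC 2.x alerts.log layout, and the agent name, IP, timestamps and paths are made up.

```shell
#!/bin/sh
# Added example, not from the thread or the OSSEC project.
# Constructed alerts.log records in the OSSEC 2.x layout (agent name,
# IP, timestamps and paths are made up). Replace sample_alerts with
# `cat /var/ossec/logs/alerts/alerts.log` on a real manager.
sample_alerts() {
cat <<'EOF'
** Alert 1342708200.1001: - ossec,syscheck,
2012 Jul 19 16:30:00 (agent01) 10.0.0.5->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
New file '/etc/testfile' added to the file system.

** Alert 1342708260.1002: - ossec,syscheck,
2012 Jul 19 16:31:00 (agent01) 10.0.0.5->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts'

** Alert 1342708320.1003: - ossec,syscheck,
2012 Jul 19 16:32:00 (agent01) 10.0.0.5->syscheck
Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
File '/etc/testfile' deleted. Unable to retrieve checksum.
EOF
}

# Number of rule-553 (syscheck_deleted) records on stdin.
# Prints 0 (and exits 0) when there are none, so it is safe under set -e.
count_deleted_alerts() {
    grep -c '^Rule: 553 ' || true
}

# Print "<date> <agent> <path>" for every rule-553 record on stdin.
# Records are blank-line separated, so awk paragraph mode (RS="") reads
# one alert per record with each line as a field.
deleted_file_alerts() {
    awk -v q="'" '
        BEGIN { RS = ""; FS = "\n" }
        /Rule: 553 / {
            split($2, hdr, " ")        # date, time, (agent), ip->syscheck
            split($4, msg, q)          # the path sits between the quotes
            print hdr[1], hdr[2], hdr[3], hdr[4], hdr[5], msg[2]
        }'
}

# Usage on the constructed sample:
sample_alerts | deleted_file_alerts
sample_alerts | count_deleted_alerts
```

If the deleted path shows up here, the alert is being generated and the problem is downstream (mail or output configuration); if it never appears, the next place to look is the syscheck db entry for that file, as dan says.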
