Hi All, I am also facing the same problem. Seems like I need to create a custom script to check deleted files and alert.

Regards,
Vikas

On Thursday, 19 July 2012 20:29:49 UTC+5:30, dan (ddpbsd) wrote:
> On Thu, Jul 19, 2012 at 10:50 AM, Wagner Thomas <[email protected]> wrote:
> > 1) I created a new file.
> > 2) I started the syscheck and waited until it ran through. (new file alert was sent)
> > 3) I deleted the new file and started the syscheck again afterwards, and after it ran through I still haven't received an alert.
>
> It's working for me. Check alerts.log to make sure it's not being triggered.
> Check the syscheck db to see what the entries for the file look like (both after step 2 and after step 3(4)).
>
> > -----Original message-----
> > From: [email protected] [mailto:[email protected]] On behalf of dan (ddp)
> > Sent: Thursday, 19 July 2012 16:48
> > To: [email protected]
> > Subject: Re: [ossec-list] Detect Deleted Files
> >
> > On Thu, Jul 19, 2012 at 10:16 AM, Wagner Thomas <[email protected]> wrote:
> > > I've now tried it again, and again (I tried it a lot of times before) I got no alert caused by a deleted file.
> > > So if someone has an idea where my mistake could be, please be so kind and inform me.
> > >
> > > Thank you in anticipation.
> > >
> > > Best regards
> >
> > How did you test it?
> >
> > > -----Original message-----
> > > From: [email protected] [mailto:[email protected]] On behalf of dan (ddp)
> > > Sent: Thursday, 19 July 2012 15:42
> > > To: [email protected]
> > > Subject: Re: [ossec-list] Detect Deleted Files
> > >
> > > On Thu, Jul 19, 2012 at 9:29 AM, Wagner Thomas <[email protected]> wrote:
> > > > Hi!
> > > >
> > > > I'm currently testing OSSEC 2.6 on CentOS and basically it works fine.
> > > > Setup was easy to do and also the configuration of manager and agent went fine.
> > > >
> > > > My problem now is that I don't get alerts if files are deleted (added and changed files are reported correctly).
> > > >
> > > > This is my rule for deleted files (nothing changed after the installation):
> > > >
> > > >     <rule id="553" level="7">
> > > >       <category>ossec</category>
> > > >       <decoded_as>syscheck_deleted</decoded_as>
> > > >       <description>File deleted. Unable to retrieve checksum.</description>
> > > >       <group>syscheck,</group>
> > > >     </rule>
> > > >
> > > > Should it work with that rule or do I have to configure something else additionally?
> > > >
> > > > I hope someone knows that problem and can help me!
> > > >
> > > > Best regards,
> > > > Thomas
> > > >
> > > > T-Systems Austria GesmbH, Rennweg 97-99, 1030 Wien, Handelsgericht Wien, FN 79340b
> > >
> > > I don't think there is any additional configuration you should have to do, just wait for a syscheck scan to run.
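dan's advice in the thread is to look in alerts.log for rule 553 rather than trust the mail notification, and Vikas plans a custom script for deleted files. The script below is an added example, not code from this thread or from the OSSEC project: it parses alerts.log-style text and reports, for a given path, whether the add (554), change (550) and delete (553) syscheck alerts fired, which is exactly the three-step test Thomas describes. The sample log text is constructed in the alerts.log layout; rule 553 and its description are taken from the thread, while rule ids 550 and 554 are assumed from the stock OSSEC ruleset.

```python
"""Parse OSSEC-style alerts.log text and report which syscheck alerts
fired for a path. Added example for the ossec-list thread; not OSSEC code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Rule ids: 553 is quoted in the thread; 550 (checksum changed) and
# 554 (file added) are assumed from the default OSSEC syscheck rules.
RULE_CHANGED = 550
RULE_DELETED = 553
RULE_ADDED = 554

# Constructed sample in alerts.log layout (not a real capture):
# header, source line, "Rule:" line, then the decoded syscheck message.
SAMPLE_ALERTS_LOG = """** Alert 1342706400.1024: - ossec,syscheck,
2012 Jul 19 16:00:00 (agent01) 10.0.0.5->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
New file '/etc/test_deleted.conf' added to the file system.

** Alert 1342707200.2048: - ossec,syscheck,
2012 Jul 19 16:13:20 (agent01) 10.0.0.5->syscheck
Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
File '/etc/test_deleted.conf' was deleted. Unable to retrieve checksum.

** Alert 1342707300.4096: - ossec,syscheck,
2012 Jul 19 16:15:00 (agent02) 10.0.0.6->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'

** Alert 1342707400.8192: - ossec,syscheck,
2012 Jul 19 16:16:40 ossec-server->syscheck
Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
File '/var/tmp/scratch.log' was deleted. Unable to retrieve checksum.
"""

ALERT_HEADER = re.compile(
    r"^\*\* Alert (?P<ts>\d+)\.(?P<seq>\d+): (?:mail\s+)?- (?P<groups>.*)$")
# Agent form "(name) ip->location" or server form "host->location".
SOURCE_LINE = re.compile(
    r"^(?P<date>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<ip>\S+)|(?P<host>\S+))->(?P<location>\S+)$")
RULE_LINE = re.compile(
    r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
QUOTED_PATH = re.compile(r"'([^']+)'")


@dataclass
class Alert:
    timestamp: int
    agent: str
    rule: int
    level: int
    description: str
    groups: List[str]
    message: str
    path: Optional[str] = None


def parse_alerts(text: str) -> List[Alert]:
    """Split alerts.log text into one Alert per '** Alert' block."""
    alerts: List[Alert] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 3:
            continue
        head = ALERT_HEADER.match(lines[0])
        src = SOURCE_LINE.match(lines[1])
        rule = RULE_LINE.match(lines[2])
        if not (head and src and rule):
            continue  # skip malformed or unrelated blocks instead of crashing
        message = "\n".join(lines[3:])
        path_m = QUOTED_PATH.search(message)  # syscheck quotes the path
        alerts.append(Alert(
            timestamp=int(head.group("ts")),
            agent=src.group("agent") or src.group("host"),
            rule=int(rule.group("rule")),
            level=int(rule.group("level")),
            description=rule.group("desc"),
            groups=[g for g in head.group("groups").split(",") if g],
            message=message,
            path=path_m.group(1) if path_m else None,
        ))
    return alerts


def deleted_files(alerts: List[Alert]) -> List[str]:
    """Paths reported by rule 553 (syscheck_deleted), in log order."""
    return [a.path for a in alerts if a.rule == RULE_DELETED and a.path]


def syscheck_coverage(alerts: List[Alert], path: str) -> Dict[str, bool]:
    """Which syscheck alerts fired for `path`. For the create/scan/delete/scan
    test in the thread, 'added' and 'deleted' should both be True; 'added'
    True with 'deleted' False reproduces the symptom being discussed."""
    fired = {a.rule for a in alerts if a.path == path and "syscheck" in a.groups}
    return {
        "added": RULE_ADDED in fired,
        "changed": RULE_CHANGED in fired,
        "deleted": RULE_DELETED in fired,
    }


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS_LOG)
    print("deleted:", deleted_files(parsed))
    print(syscheck_coverage(parsed, "/etc/test_deleted.conf"))
```

To use it against a live manager, read /var/ossec/logs/alerts/alerts.log (default path, assumed) into `parse_alerts` after the second scan; if `syscheck_coverage` shows `added` without `deleted`, the decoder never produced a syscheck_deleted event, which is a different failure from the alert firing but the mail not arriving.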
