On Wed, Oct 3, 2012 at 11:57 AM, vicky ... <[email protected]> wrote:
> I am sorry, I didn't read your comments completely. I am not sure how to dig

Wow. Now I'm not sure why I

> the issue as even alerts.log does not show up the deleted file. Not sure
> whether this is a bug. Can you help me to pin down the issue ?
>

No I can't. I don't

> On Wednesday, 3 October 2012 21:16:13 UTC+5:30, dan (ddpbsd) wrote:
>>
>> On Wed, Oct 3, 2012 at 11:18 AM, vicky ... <[email protected]> wrote:
>> > Hi All,
>> >
>> > I am also facing the same problem. Seems like I need to create a custom
>> > script to check deleted files and alert.
>> >
>> > Regards,
>> > Vikas
>> >
>>
>> Or you could track down the problem and help us fix it. It's tough to
>> fix a problem we can't reproduce, especially when everyone who can
>> isn't interested in helping.
>>
>> >
>> > On Thursday, 19 July 2012 20:29:49 UTC+5:30, dan (ddpbsd) wrote:
>> >>
>> >> On Thu, Jul 19, 2012 at 10:50 AM, Wagner Thomas
>> >> <[email protected]> wrote:
>> >> > 1) I created a new file.
>> >> > 2) I started the syscheck and waited until it ran through. (new file
>> >> > alert was sent)
>> >> > 3) I deleted the new and started the syscheck again afterwards and
>> >> > after it ran through I still haven't received an alert.
>> >> >
>> >>
>> >> It's working for me. Check alerts.log to make sure it's not being
>> >> triggered.
>> >> Check the syscheck db to see what the entries for the file look like
>> >> (both after step 2 and after step 3(4)).
>> >>
>> >> > -----Original Message-----
>> >> > From: [email protected] [mailto:[email protected]] On behalf of dan (ddp)
>> >> > Sent: Thursday, 19 July 2012 16:48
>> >> > To: [email protected]
>> >> > Subject: Re: [ossec-list] Detect Deleted Files
>> >> >
>> >> > On Thu, Jul 19, 2012 at 10:16 AM, Wagner Thomas
>> >> > <[email protected]> wrote:
>> >> >> I've now tried it again, and again (I tried it a lot of times
>> >> >> before) I got no alert caused by a deleted file.
>> >> >> So if someone has an idea where my mistake could be, please be so
>> >> >> kind and inform me.
>> >> >>
>> >> >> Thank you in anticipation.
>> >> >>
>> >> >> Best regards
>> >> >>
>> >> >
>> >> > How did you test it?
>> >> >
>> >> >> -----Original Message-----
>> >> >> From: [email protected] [mailto:[email protected]] On behalf of dan (ddp)
>> >> >> Sent: Thursday, 19 July 2012 15:42
>> >> >> To: [email protected]
>> >> >> Subject: Re: [ossec-list] Detect Deleted Files
>> >> >>
>> >> >> On Thu, Jul 19, 2012 at 9:29 AM, Wagner Thomas
>> >> >> <[email protected]> wrote:
>> >> >>> Hi!
>> >> >>>
>> >> >>> I'm currently testing OSSEC 2.6 on CentOS and basically it works
>> >> >>> fine.
>> >> >>>
>> >> >>> Setup was easy to do and also the configuration of manager and
>> >> >>> agent went fine.
>> >> >>>
>> >> >>> My problem now is that I don't get alerts if files are deleted
>> >> >>> (added and changed files are reported correctly).
>> >> >>>
>> >> >>> This is my rule for deleted files (nothing changed after the
>> >> >>> installation):
>> >> >>>
>> >> >>> <rule id="553" level="7">
>> >> >>>   <category>ossec</category>
>> >> >>>   <decoded_as>syscheck_deleted</decoded_as>
>> >> >>>   <description>File deleted. Unable to retrieve checksum.</description>
>> >> >>>   <group>syscheck,</group>
>> >> >>> </rule>
>> >> >>>
>> >> >>> Should it work with that rule or do I have to configure something
>> >> >>> else additionally?
>> >> >>>
>> >> >>> I hope someone knows that problem and can help me!
>> >> >>>
>> >> >>> Best regards,
>> >> >>>
>> >> >>> Thomas
>> >> >>>
>> >> >>> T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
>> >> >>> Handelsgericht Wien, FN 79340b
>> >> >>
>> >> >> I don't think there is any additional configuration you should have
>> >> >> to do, just wait for a syscheck scan to run.
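One way to do the alerts.log check dan suggests (added example, not code from the thread or from OSSEC): a Python parser that splits alerts.log into alert blocks and lists the rule 553 alerts for a given path, so a missing deletion alert can be confirmed rather than assumed. The alert layout and the two sample alerts are constructed from my reading of the OSSEC 2.x alerts.log format and are an assumption, not output from the thread.

```python
import re

# Constructed alerts.log excerpt (assumed OSSEC 2.x layout, not from the thread): a rule-554 "added" alert, then a rule-553 "deleted" alert for the same file.
SAMPLE_ALERTS_LOG = """\
** Alert 1342700000.1001: - ossec,syscheck,
2012 Jul 19 16:40:02 (agent01) 192.0.2.10->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
New file '/etc/testfile.txt' added to the file system.

** Alert 1342700600.2002: - ossec,syscheck,
2012 Jul 19 16:50:05 (agent01) 192.0.2.10->syscheck
Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
File '/etc/testfile.txt' was deleted. Unable to retrieve checksum.
"""

ALERT_HEADER = re.compile(r"^\*\* Alert (\d+)\.(\d+): - (.*)$")
RULE_LINE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
QUOTED_PATH = re.compile(r"'([^']+)'")

def parse_alerts(text):
    """Split alerts.log text into blank-line-separated alert blocks and return,
    per block, the epoch timestamp, groups, rule id/level/description and the
    first quoted path in the body (syscheck messages quote the affected file)."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        header = ALERT_HEADER.match(lines[0]) if lines else None
        if header is None:
            continue  # not an alert block; alerts.log may carry stray lines
        alert = {"timestamp": int(header.group(1)),
                 "groups": [g for g in header.group(3).split(",") if g],
                 "rule": None, "level": None, "description": None, "path": None}
        for line in lines[1:]:
            rule = RULE_LINE.match(line)
            if rule:
                alert["rule"] = int(rule.group(1))
                alert["level"] = int(rule.group(2))
                alert["description"] = rule.group(3)
            elif alert["rule"] is not None and alert["path"] is None:
                quoted = QUOTED_PATH.search(line)  # body line after the Rule line
                if quoted:
                    alert["path"] = quoted.group(1)
        alerts.append(alert)
    return alerts

def deletion_alerts(text, path=None):
    """Return the rule-553 (file deleted) alerts, optionally for one path only."""
    return [a for a in parse_alerts(text)
            if a["rule"] == 553 and (path is None or a["path"] == path)]
```

Running `deletion_alerts` over the real /var/ossec/logs/alerts/alerts.log for the test file after the second scan tells you whether rule 553 fired at all, which separates a syscheck problem from an alerting or mail problem.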
