In my ossec.conf, I wrote:
<alert_new_files>yes</alert_new_files>
<directories check_all="yes" realtime="yes" report_changes="yes">/103</directories>
In my ossec_rule.xml, I wrote:
<rule id="554" level="8">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to the system.</description>
<group>syscheck,</group>
</rule>
<rule id="554" level="10" overwrite="yes">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to the system.</description>
<group>syscheck,</group>
</rule>
But in directory /103, when I add a new file, I can't see any alert. Is
something in my config wrong? I used 2.7 beta 2.
2. I see that syscheck uses decoders named syscheck_xxx_entry,
but in decoder.xml I can't see the decoder's config.
How does it work?
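An added example (not part of the post above, and not OSSEC's own code) that models the two things the post combines: the overwrite="yes" rule merge, where a later definition of rule id 554 replaces the earlier one and a duplicate id without overwrite is an error, and a first sanity check of the syscheck fragment (alert_new_files set to yes inside a syscheck block, every monitored path absolute). The XML strings are constructed from the post's snippets, wrapped in the enclosing group and ossec_config elements a rules file and ossec.conf need; the merge and check logic is a standalone model, not a call into OSSEC.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two rule definitions from the post (same id, the
# second with overwrite="yes"), wrapped in the <group> element a rules file needs.
RULES_XML = """
<group name="syscheck,">
  <rule id="554" level="8">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
  <rule id="554" level="10" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
"""

# Constructed sample: the post's syscheck settings inside the enclosing blocks.
SYSCHECK_XML = """
<ossec_config>
  <syscheck>
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes" realtime="yes" report_changes="yes">/103</directories>
  </syscheck>
</ossec_config>
"""


def load_rules(xml_text):
    """Merge <rule> definitions: a later rule with the same id and
    overwrite="yes" replaces the earlier one; a repeated id without
    overwrite is rejected, since two live definitions of one id are ambiguous."""
    rules = {}
    root = ET.fromstring(xml_text)
    for r in root.iter("rule"):
        rid = r.get("id")
        if rid in rules and r.get("overwrite", "no").lower() != "yes":
            raise ValueError(f'duplicate rule id {rid} without overwrite="yes"')
        rules[rid] = {
            "level": int(r.get("level")),
            "decoded_as": (r.findtext("decoded_as") or "").strip(),
            "description": (r.findtext("description") or "").strip(),
            "groups": [g for g in (r.findtext("group") or "").split(",") if g],
        }
    return rules


def rules_for_decoder(rules, decoder_name):
    """Rules that fire for an event produced by the named decoder."""
    return {rid: r for rid, r in rules.items() if r["decoded_as"] == decoder_name}


def check_syscheck_config(xml_text):
    """Findings for the syscheck block a practitioner checks first:
    alert_new_files must be 'yes' inside <syscheck>, there must be at least
    one <directories> entry, and each monitored path must be absolute."""
    findings = []
    root = ET.fromstring(xml_text)
    sc = root.find("syscheck")
    if sc is None:
        return ["no <syscheck> block"]
    if (sc.findtext("alert_new_files") or "").strip().lower() != "yes":
        findings.append("alert_new_files is not 'yes'; new-file events are not raised")
    dirs = sc.findall("directories")
    if not dirs:
        findings.append("no <directories> entries")
    for d in dirs:
        for path in (d.text or "").split(","):
            path = path.strip()
            if not path.startswith("/"):
                findings.append(f"directory {path!r} is not an absolute path")
    return findings


if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    for rid, r in rules_for_decoder(rules, "syscheck_new_entry").items():
        print(f"rule {rid} level {r['level']}: {r['description']}")
    print("config findings:", check_syscheck_config(SYSCHECK_XML) or "none")
```

With the post's two definitions, the effective rule 554 has level 10, and the config fragment yields no findings, so the missing alert is not explained by either of these two checks alone.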