On Fri, Nov 9, 2012 at 12:41 AM, peng lin <[email protected]> wrote:

> In my ossec.conf, I write
>
> <alert_new_files>yes</alert_new_files>
> <directories check_all="yes" realtime="yes" report_changes="yes">/103</directories>

Is realtime available for your mystery platform? Are you sure it was compiled in? Do you see log messages about realtime monitoring?

> In my ossec_rule.xml, I write
>
> <rule id="554" level="8">

Don't change this. It'll be lost during an upgrade.

> <category>ossec</category>
> <decoded_as>syscheck_new_entry</decoded_as>
> <description>File added to the system.</description>
> <group>syscheck,</group>
> </rule>

Add the following rule to local_rules.xml instead of ossec_rules.xml.

<rule id="554" level="10" overwrite="yes">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to the system.</description>
<group>syscheck,</group>
</rule>

> But in directory 103, when I set a new file, I can't see any alert. Is
> something wrong with my config? I used 2.7 beta 2.

Has a syscheck scan already run? I'm not sure new file alerts will fire if there isn't a baseline. Did you try adding the file and forcing a rescan? Maybe realtime isn't working for this.

> 2. I see syscheck uses the decoder syscheck_xxx_entry,
> but in decoder.xml I can't see the decoder's config?
> How does it work?

I think that's all part of the source, instead of having the separate decoders.
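As an added example (not part of the thread, and not OSSEC's own code), the script below reads the two pieces of configuration the reply touches on: the <syscheck> block of ossec.conf (alert_new_files, the monitored <directories> and their realtime attribute, plus which rule files are included) and a local_rules.xml override of rule 554 with overwrite="yes". The config fragments are constructed samples, and the helper names (syscheck_settings, overriding_rules, check_new_file_alert) are this example's own; it only checks the static files, so whether a syscheck baseline has run and whether realtime is compiled in still has to be confirmed on the host.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the relevant ossec.conf fragments (not from a real host).
# ossec.conf may carry several top-level <ossec_config> elements, as here.
OSSEC_CONF = """
<ossec_config>
  <syscheck>
    <frequency>79200</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes" realtime="yes" report_changes="yes">/103</directories>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>
</ossec_config>
<ossec_config>
  <rules>
    <include>rules_config.xml</include>
    <include>ossec_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>
</ossec_config>
"""

# Constructed local_rules.xml carrying the override suggested in the reply.
LOCAL_RULES = """
<group name="local,syscheck,">
  <rule id="554" level="10" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
"""


def parse_fragments(text):
    """Wrap the text in a single root so multi-root OSSEC XML parses cleanly."""
    return ET.fromstring("<root>" + text + "</root>")


def syscheck_settings(conf_text):
    """Collect the syscheck options that decide whether new-file alerts can fire."""
    root = parse_fragments(conf_text)
    result = {"alert_new_files": False, "dirs": [], "realtime_dirs": [], "includes": []}
    for sc in root.iter("syscheck"):
        if (sc.findtext("alert_new_files") or "").strip().lower() == "yes":
            result["alert_new_files"] = True
        for d in sc.findall("directories"):
            # <directories> takes a comma-separated list of paths
            paths = [p.strip() for p in (d.text or "").split(",") if p.strip()]
            result["dirs"].extend(paths)
            if d.get("realtime", "no").lower() == "yes":
                result["realtime_dirs"].extend(paths)
    for inc in root.iter("include"):
        result["includes"].append((inc.text or "").strip())
    return result


def overriding_rules(rules_text):
    """Map rule id -> level for every rule marked overwrite="yes"."""
    out = {}
    for r in parse_fragments(rules_text).iter("rule"):
        if r.get("overwrite", "no").lower() == "yes":
            out[r.get("id")] = int(r.get("level", "0"))
    return out


def check_new_file_alert(conf_text, local_rules_text, rule_id="554"):
    """Return the reasons, from the files alone, why 'File added to the system'
    alerts may not appear. An empty list means the static configuration is
    consistent; a completed baseline scan and working realtime support must
    still be confirmed on the host, since they cannot be read from the files."""
    findings = []
    sc = syscheck_settings(conf_text)
    if not sc["alert_new_files"]:
        findings.append("alert_new_files is not set to yes in <syscheck>")
    if not sc["dirs"]:
        findings.append("no <directories> entries are monitored")
    if "local_rules.xml" not in sc["includes"]:
        findings.append("local_rules.xml is not included in <rules>")
    if rule_id not in overriding_rules(local_rules_text):
        findings.append(f"rule {rule_id} has no overwrite=\"yes\" entry in local_rules.xml")
    return findings


if __name__ == "__main__":
    for line in check_new_file_alert(OSSEC_CONF, LOCAL_RULES) or ["config looks consistent"]:
        print(line)
```

Pointing the two constants at the real files on an agent or manager gives a quick first pass before digging into syscheck logs; the override lives in local_rules.xml precisely so that an upgrade replacing ossec_rules.xml does not discard it.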
