Apologies dan (ddpbsd) & Rogue Bull Machine: Windows Server 2008 R2 Standard. Ossec server is installed on Alienvault sensor, and this resides in same subnet.
I am trying to monitor a folder, so I have kept the below config in the agent's ossec.conf:

    <syscheck>
      <frequency>180</frequency>
      <disabled>no</disabled>
      <alert_new_files>yes</alert_new_files>
      <directories check_all="yes">E:\SOC_FIMTest</directories>
    </syscheck>

Which seems to be working fine, as I am receiving alerts if I make changes in any file created under this folder... I also changed the rule's level on the ossec server, id = "553", in ossec_rules.xml.

Do we need anything else to be done? I hope this time I have provided enough information.

On Thursday, July 19, 2012 6:59:47 PM UTC+5:30, Wagner Thomas wrote:
>
> Hi!
>
> I’m currently testing OSSEC 2.6 on CentOS and basically it works fine.
>
> Setup was easy to do and also the configuration of manager and agent went
> fine.
>
> My problem now is that I don’t get alerts if files are deleted (added and
> changed files are reported correctly).
>
> This is my rule for deleted files (nothing changed after the installation):
>
>     <rule id="553" level="7">
>       <category>ossec</category>
>       <decoded_as>syscheck_deleted</decoded_as>
>       <description>File deleted. Unable to retrieve checksum.</description>
>       <group>syscheck,</group>
>     </rule>
>
> Should it work with that rule or do I have to configure something else
> additionally?
>
> I hope someone knows that problem and can help me!
>
> Best regards,
>
> Thomas
>
> T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
> Handelsgericht Wien, FN 79340b
