On Mon, Jul 1, 2013 at 8:57 AM, David Blanton <[email protected]> wrote:

>> Another approach would be to have OSSEC monitor for new files and then
>> have an active response which restarts the OSSEC agent. If you have a
>> somewhat short syscheck scan interval then you can automatically be
>> monitoring new files pretty quickly.
>
> Michael, would you mind elaborating on this? How would I have OSSEC monitor
> for new files, I have not seen xml code that would allow me to do this in
> the agent.conf file for either <local> or <directories>.
>
Add <alert_new_files>yes</alert_new_files> to the server's ossec.conf in the syscheck section. On the agent/agent.conf configure the system to look at all of the files (use a glob or something). Make sure active response is enabled on the agent and server. Configure a rule to trigger when a new file is created in that log directory. Configure an AR to trigger when the new rule fires. This AR should restart the local ossec processes.

> active-response can restart OSSEC?

Yes.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
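The steps in the reply above, written out as configuration fragments. This is an added example, not something posted in the thread: the /var/log/myapp path, the local rule id 100554 and the "restart-ossec" command name are assumptions; rule 554 ("File added to the system") and the restart-ossec.sh script are the stock pieces OSSEC ships with, and the localfile glob is only expanded when the agent starts, which is why the restart is needed at all.

```xml
<!-- 1. Server ossec.conf, inside the existing <ossec_config>: make syscheck
        raise an alert for files it has not seen before. -->
<syscheck>
  <frequency>300</frequency>               <!-- short scan interval (seconds) -->
  <alert_new_files>yes</alert_new_files>
</syscheck>

<!-- 2. Shared agent.conf pushed to the agents: watch the log directory with
        syscheck and read every log in it via a glob (assumed path). -->
<agent_config>
  <syscheck>
    <directories check_all="yes" realtime="yes">/var/log/myapp</directories>
  </syscheck>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/myapp/*.log</location>  <!-- expanded at agent start only -->
  </localfile>
</agent_config>

<!-- 3. Server local_rules.xml: child of stock rule 554 (level 0 by default)
        that fires only for new files under the monitored directory. -->
<group name="local,syscheck,">
  <rule id="100554" level="7">
    <if_sid>554</if_sid>
    <match>/var/log/myapp/</match>
    <description>New log file created in /var/log/myapp (assumed path).</description>
  </rule>
</group>

<!-- 4. Server ossec.conf: the active response. location "local" runs the
        command on the agent that produced the alert, so the agent restarts
        itself and its localfile glob is re-expanded. -->
<command>
  <name>restart-ossec</name>
  <executable>restart-ossec.sh</executable>
  <expect></expect>
</command>
<active-response>
  <command>restart-ossec</command>
  <location>local</location>
  <rules_id>100554</rules_id>
</active-response>
```

Keep the <match> tight: a log-rotation burst that creates several files in one scan will restart the agent once per new-file alert, so scope the rule to the one directory whose new files you actually need to pick up.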
