On Wed, Aug 14, 2013 at 10:24 AM, vtrack <[email protected]> wrote:
> Hi,
>
> I am finding an issue where no alerts are being reported for new files
> created on the client systems. I have enabled syscheck for alert_new_files.
> Also the smtp configuration on the server ossec.conf file seems fine as I am
> getting other alerts on checksum changes of a few files.
>
> Tried creating files under /usr/bin, /bin of the client system, but no
> alerts. What could be preventing these from being reported? Any help?
>

Has syscheck already performed a baseline scan? Has a scan occurred/finished
since the file was created? Does the new file exist in the syscheck db
(/var/ossec/queue/syscheck/SOMETHING)?

> Configuration on OSSEC server (ossec.conf) :
>
> <ossec_config>
>   <global>
>     <email_notification>yes</email_notification>
>     <smtp_server>smtp.test.com</smtp_server>
>     <email_to>[email protected]</email_to>
>     <email_from>[email protected]</email_from>
>     <email_maxperhour>20</email_maxperhour>
>   </global>
>
>
>   <syscheck>
>     <!-- Frequency that syscheck is executed - default to every 22 hours -->
>     <frequency>1800</frequency>
>
>     <!-- Directories to check (perform all possible verifications) -->
>     <directories report_changes='yes'
> check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>     <directories report_changes='yes'
> check_all="yes">/bin,/sbin</directories>
>
>     <!-- Alert if a new file is created -->
>     <alert_new_files>yes</alert_new_files>
>
>
> Configuration on the client (ossec.conf) :
>
> <ossec_config>
>   <client>
>     <server-ip>192.168.1.100</server-ip>
>   </client>
>
>
>   <syscheck>
>     <!-- Frequency that syscheck is executed - default to every 22 hours -->
>     <frequency>1800</frequency>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
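
The checks asked about in the reply above (has a scan finished, is the new file in the syscheck db), as an added example that is not part of the original thread or of OSSEC itself. The "Ending syscheck scan" log wording, the DB entry layout (entry ends with a space and the absolute path), the script name check.sh and the sample agent file name are assumptions; the sample data is constructed.

```shell
#!/bin/sh
# Added example. The log wording and the DB entry layout are assumptions.

# Print the most recent "scan finished" line from an agent's ossec.log.
last_scan_end() {    # $1 = path to ossec.log
    grep 'ossec-syscheckd' "$1" | grep 'Ending syscheck scan' | tail -n 1
}

# Print each syscheck DB file under $1 holding an entry for path $2.
# An entry is assumed to end with " <absolute path>"; the match is exact,
# so /usr/bin/new does not match an entry for /usr/bin/newtool.
db_files_with_path() {
    for db in "$1"/*; do
        [ -f "$db" ] || continue
        awk -v p=" $2" '
            length($0) >= length(p) &&
            substr($0, length($0) - length(p) + 1) == p { hit = 1; exit }
            END { exit !hit }' "$db" && printf '%s\n' "$db"
    done
    return 0
}

# Build a constructed sample tree (not real OSSEC data) and print its path.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/logs" "$d/queue/syscheck"
    cat > "$d/logs/ossec.log" <<'EOF'
2013/08/14 10:00:01 ossec-syscheckd: INFO: Starting syscheck scan.
2013/08/14 10:12:40 ossec-syscheckd: INFO: Ending syscheck scan.
EOF
    cat > "$d/queue/syscheck/sample-agent" <<'EOF'
+++0:33261:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 !1376475160 /usr/bin/newtool
EOF
    printf '%s\n' "$d"
}

# Usage: sh check.sh <ossec.log> <syscheck queue dir> <new file path>
if [ "$#" -eq 3 ]; then
    echo "last completed scan: $(last_scan_end "$1")"
    echo "DB files listing $3:"
    db_files_with_path "$2" "$3"
fi
```

If the last completed scan predates the file's creation time, or no DB file lists the path, the new file has not yet been picked up by a scan.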
