I did some tests after making the changes (enabled the alert_new_files tag in 
ossec.conf and created rule level 554 in local_rules.xml) on the OSSEC server. 
After these changes, I still did not get any alerts for new files.

However, after including the rule tag as below in the ossec.conf of the 
agent, I get alerts for new files. Is that required on the agent side as 
well? I thought it was only on the server ossec.conf file. If it is not 
required, what could be causing alerts not getting reported? 

  <rules>
    <include>local_rules.xml</include>
  </rules>
 
BTW thanks much for sending the link, that really helped.

On Thursday, August 15, 2013 6:38:02 PM UTC+5:30, dan (ddpbsd) wrote:
>
> On Thu, Aug 15, 2013 at 9:04 AM, vtrack <[email protected]> wrote: 
> >> >I forgot to make sure you modified the level of rule 554. 
> > 
> > 
> > Could you please guide me on how to verify and change the level of the rule? I am 
> > quite new to OSSEC and am trying to find the files that need to be edited. Should 
> > this be changed on the server or agent? Thanks. 
> > 
>
> Agents do not do analysis, so they do not need the rules. 
>
> Thankfully this question has been answered enough times that I don't 
> feel like I should have to answer it again: 
>
> http://ossec.net/doc/faq/syscheck.html#why-aren-t-new-files-creating-an-alert 
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
