On Fri, Aug 23, 2013 at 4:47 AM, vtrack <[email protected]> wrote:
> I did some tests after making the changes (enabled alert_new_files tag in
> ossec.conf and created rule level 554 in local_rules.xml) in OSSEC server.
> After these changes, I still did not get any alerts for new files.
>
> However, after including the rule tag as below in the ossec.conf of the
> agent, I get alerts for new files. Is that required on the agent side as
> well? I thought it was only on the server ossec.conf file. If it is not
> required, what could be causing alerts not to be reported?
>
Did you restart the OSSEC processes on the server after making these changes?
You made the changes on the server, right?
Did a full syscheck scan on the agent complete?
Were the files added to the syscheck db (on the server in
/var/ossec/queue/syscheck/SOMETHING_RELATED_TO_THE_AGENT)?

> <rules>
> <include>local_rules.xml</include>
> </rules>
>

You added the above to the agent's ossec.conf? Why?

Are all of the necessary processes still running after the restart?

> BTW, thanks much for sending the link, that really helped.
>
> On Thursday, August 15, 2013 6:38:02 PM UTC+5:30, dan (ddpbsd) wrote:
>>
>> On Thu, Aug 15, 2013 at 9:04 AM, vtrack <[email protected]> wrote:
>> >
>> > > I forgot to make sure you modified the level of rule 554.
>> >
>> > Could you please guide me on how to verify and change the level of a rule?
>> > I am quite new to OSSEC and am trying to find the files that need to be
>> > edited. Should this be changed on the server or agent? Thanks.
>> >
>>
>> Agents do not do analysis, so they do not need the rules.
>>
>> Thankfully this question has been answered enough times that I don't
>> feel like I should have to answer it again:
>>
>> http://ossec.net/doc/faq/syscheck.html#why-aren-t-new-files-creating-an-alert
>>
>> > --
>> > ---
>> > You received this message because you are subscribed to the Google Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
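The server-side configuration that dan's questions and the linked FAQ point to, written out as an added example (not a config posted in this thread). The watched directories and the level value 7 are assumptions; only the server (manager) evaluates rules, so nothing here goes on the agent.

```xml
<!-- File 1: /var/ossec/etc/ossec.conf on the OSSEC server (manager).
     Agents only ship syscheck data; the server runs the rules, so neither
     alert_new_files nor a <rules> include belongs in an agent's ossec.conf. -->
<ossec_config>
  <syscheck>
    <!-- Default is "no": new files are recorded in the syscheck db under
         /var/ossec/queue/syscheck/ but never generate an event, so rule 554
         has nothing to fire on. -->
    <alert_new_files>yes</alert_new_files>
    <!-- Assumed directories; new files are only noticed after a full scan
         of these paths completes. -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>
</ossec_config>

<!-- File 2: /var/ossec/etc/rules/local_rules.xml on the same server.
     Rule 554 ("File added to the system.") ships with level 0 in
     syscheck_rules.xml, so even with alert_new_files enabled nothing is
     logged or emailed until its level is raised above the configured
     log_alert_level / email_alert_level. Level 7 is an assumed value. -->
<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
```

After editing both files, restart the server processes (for example with /var/ossec/bin/ossec-control restart) and confirm they are all running; the first new-file alert can only appear once the agent's next full syscheck scan has completed and reported back.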
