> Did you restart the OSSEC processes on the server after making these
> changes? You made the changes on the server, right? Did a full
> syscheck scan on the agent complete? Were the files added to the
> syscheck db (on the server in
> /var/ossec/queue/syscheck/SOMETHING_RELATED_TO_THE_AGENT)?

Yes, I have restarted the OSSEC control service (/var/ossec/bin/ossec-control) after the changes to the OSSEC server conf file... And I verified the syscheck db, and it shows the new file entry in the file.

> > <rules>
> >   <include>local_rules.xml</include>
> > </rules>
>
> You added the above to the agent's ossec.conf? Why? Are all of the
> necessary processes still running after restart?

New file alerts were only reported when the rule was added to the agent's ossec.conf file. If I remove the rule tag from the agent's ossec.conf, alerts will not be reported. I am not sure why that is the case. If I am right, the rules are only required to be on the server side... The services on both server and agent appear to be running fine...
