On Fri, Aug 23, 2013 at 9:51 AM, vtrack <[email protected]> wrote:
>
>> Did you restart the OSSEC processes on the server after making these
>> changes? You made the changes on the server, right? Did a full
>> syscheck scan on the agent complete? Were the files added to the
>> syscheck db (on the server in
>> /var/ossec/queue/syscheck/SOMETHING_RELATED_TO_THE_AGENT)?
>
> Yes, I have restarted the OSSEC control service (/var/ossec/bin/ossec-control)
> after the changes to the OSSEC server conf file... And I verified the syscheck
> db, and it shows the new file entry in the file.

Perhaps your overwrite of 554 didn't take. I can't think of another
reason it wouldn't alert then.

>> > <rules>
>> > <include>local_rules.xml</include>
>> > </rules>
>>
>> You added the above to the agent's ossec.conf? Why? Are all of the
>> necessary processes still running after restart?
>
> New file alerts were only reported when the rule was added to the agent's
> ossec.conf file. If I remove the rule tag from the agent's ossec.conf, alerts
> will not be reported. I am not sure why that is the case. If I am right, the
> rules are only required on the server side. The services on both server
> and agent appear to be running fine...

If that configuration does anything to your "agent" installation, it's
probably not an agent installation. There is absolutely no benefit of
defining rules on agents.

> --
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
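An added example, not part of the thread: a static check of the server-side settings discussed above, confirming that a local overwrite of rule 554 exists with a non-zero level and that `local_rules.xml` is included. The sample configuration is constructed; the `alert_new_files` option and the level-0 default of rule 554 come from the stock OSSEC configuration rather than from these messages, and the function name is hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: server-side local_rules.xml that raises rule 554
# (level 0 in the stock ruleset, so it never alerts by default).
LOCAL_RULES = """
<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
"""

# Constructed sample: fragment of the server's ossec.conf.
SERVER_CONF = """
<ossec_config>
  <syscheck><alert_new_files>yes</alert_new_files></syscheck>
  <rules><include>local_rules.xml</include></rules>
</ossec_config>
"""

def _parse(text):
    # OSSEC files can hold several top-level elements: drop comments, add one root.
    text = re.sub(r"<!--.*?-->", "", text, flags=re.S)
    return ET.fromstring("<root>" + text + "</root>")

def check_new_file_alerting(rules_xml, conf_xml):
    """Return a list of problems; an empty list means the settings look right."""
    problems = []
    rule = next((r for r in _parse(rules_xml).iter("rule") if r.get("id") == "554"), None)
    if rule is None:
        problems.append("no local definition of rule 554")
    else:
        if rule.get("overwrite") != "yes":
            problems.append('rule 554 lacks overwrite="yes"')
        if int(rule.get("level", "0")) < 1:
            problems.append("rule 554 level is 0, so it never alerts")
    conf = _parse(conf_xml)
    if (conf.findtext(".//syscheck/alert_new_files") or "").strip() != "yes":
        problems.append("alert_new_files is not yes in <syscheck>")
    includes = [i.text.strip() for i in conf.iter("include") if i.text]
    if "local_rules.xml" not in includes:
        problems.append("local_rules.xml is not included")
    return problems
```

Run it against the server's own files, not the agent's; an empty result means the static configuration is consistent, and the manager still has to be restarted for it to load.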
