I am working with OSSEC version 2.7 and I am having a problem getting OSSEC 
to report on new files created on the system. I know that rule 554 is set 
to off by default and I have already done all the steps listed on the OSSEC 
website to turn it on, but I am still not getting alerts. I added 
<alert_new_files>yes</alert_new_files> under the syscheck section. Just to 
clarify, I have been making all these changes on the OSSEC server, not the 
OSSEC agent. The question I have is: when I am making changes to rule 554, do 
I change it under rules/ossec_rules.xml or do I change it under 
local_rules.xml? Right now I have the rule changed under 
rules/ossec_rules.xml and it is still not alerting me for new files, even 
though I have the rule set up like this:

<rule id="554" level="10" overwrite="yes">
  <category>ossec</category>
  <decoded_as>syscheck_new_entry</decoded_as>
  <description>File added to the system.</description>
  <group>syscheck,</group>
</rule>

I have read in many different forums to change it under rules/ossec_rules.xml 
or under local_rules.xml. If I set rule 554 under rules/ossec_rules.xml back to 
default, and then change local_rules.xml to alert on new files by changing 
rule 554 there, will it send me alerts on new files? 

Thank you for your help in advance


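As an added check, not from the poster or from the OSSEC project: OSSEC's documentation puts custom rules and overrides in local_rules.xml, where a rule must sit inside a <group> element and carry overwrite="yes" with a level above 0, and alert_new_files is a syscheck option read by the syscheck daemon on the host that scans the files, so for files on an agent it belongs in that agent's syscheck configuration rather than only the server's. The script below parses constructed samples of both files and confirms that each half of the setup is present (the file contents and function names are my own, not OSSEC's).

```python
import xml.etree.ElementTree as ET

# Constructed ossec.conf excerpt (OSSEC config files may hold several
# top-level <ossec_config> blocks, so the parser wraps them in one root).
OSSEC_CONF = """<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes">/etc,/usr/bin</directories>
  </syscheck>
</ossec_config>"""

# Constructed local_rules.xml: an override must sit inside a <group> element.
LOCAL_RULES = """<group name="syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>"""

def _parse_fragment(text):
    """OSSEC config and rule files are XML fragments; give them one root."""
    return ET.fromstring("<root>" + text + "</root>")

def syscheck_alerts_new_files(conf_text):
    """True if any <syscheck> block sets alert_new_files to yes."""
    root = _parse_fragment(conf_text)
    for sc in root.iter("syscheck"):
        node = sc.find("alert_new_files")
        if node is not None and (node.text or "").strip().lower() == "yes":
            return True
    return False

def rule_554_override(rules_text):
    """Return (found, level) for a rule 554 carrying overwrite="yes"."""
    root = _parse_fragment(rules_text)
    for rule in root.iter("rule"):
        if rule.get("id") == "554" and rule.get("overwrite") == "yes":
            return True, int(rule.get("level", "0"))
    return False, 0

def new_file_alerting_enabled(conf_text, rules_text):
    """Both halves must be present: the syscheck option and a level > 0 rule."""
    found, level = rule_554_override(rules_text)
    return syscheck_alerts_new_files(conf_text) and found and level > 0
```

Run the same functions against the real files to see which half is missing; a rule 554 that keeps level 0, or that lacks overwrite="yes", is reported as not found.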