On Mon, Oct 7, 2013 at 3:26 PM, 22emitch <[email protected]> wrote:
> I am working with OSSEC version 2.7 and I am having a problem getting OSSEC
> to report on new files created on the system. I know that rule 554 is set to
> off by default and I have already done all the steps listed on the OSSEC
> website to turn it on, but I am still not getting alerts. I added
> <alert_new_files>yes</alert_new_files> under the syscheck section. Just to
> clarify, I have been making all these changes on the OSSEC server, not the
> OSSEC agent. The question I have is: when I am making changes to rule 554, do
> I change it under rules/ossec_rules.xml or under local_rules.xml? Right now I
> have the rule changed under rules/ossec_rules.xml and it is still not alerting
> me for new files, even though I have the rule set up like this:
>
> <rule id="554" level="10" overwrite="yes">
>   <category>ossec</category>
>   <decoded_as>syscheck_new_entry</decoded_as>
>   <description>File added to the system.</description>
>   <group>syscheck,</group>
> </rule>
>
> I have read in many different forums to change it under rules/ossec_rules.xml
> or local_rules.xml. If I set rule 554 under rules/ossec_rules.xml back to
> default, then change local_rules.xml to alert on new files and change rule 554
> there, will it send me alerts on new files?
>
> Thank you for your help in advance
>
>

http://www.ossec.net/doc/faq/syscheck.html#why-aren-t-new-files-creating-an-alert

If the official documentation says to add it to local_rules.xml, why
would you care what idiots on forums say?

Did you restart the ossec processes on the server? Did a complete
baseline syscheck scan complete before you started testing? Did
syscheck complete a scan after the new file was put in place?

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.

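As an added example (not from the thread or from the OSSEC project), a small POSIX shell script that checks the three things the reply asks about against the files on the server. It assumes the default /var/ossec paths, that ossec.conf and local_rules.xml use the XML layout shown in the question, and that ossec-syscheckd writes "Ending syscheck scan." to ossec.log when a pass finishes; the sample files it writes are constructed, not real output.

```shell
#!/bin/sh
# Added example, not from the thread: check what the reply asks about.
# Paths default to the usual OSSEC install (assumed); pass others to test a copy.
# 1. <alert_new_files>yes</alert_new_files> must sit inside <syscheck> in ossec.conf.
check_alert_new_files() {
    sed -n '/<syscheck>/,/<\/syscheck>/p' "$1" 2>/dev/null \
        | grep -q '<alert_new_files>[[:space:]]*yes[[:space:]]*</alert_new_files>'
}
# 2. local_rules.xml must override rule 554 (overwrite="yes") with a level above 0;
#    the stock rule in ossec_rules.xml is level 0 and that file is replaced on upgrade.
check_rule_554_override() {
    line=$(grep '<rule id="554"' "$1" 2>/dev/null | grep 'overwrite="yes"' | head -n 1)
    [ -n "$line" ] || return 1
    level=$(printf '%s\n' "$line" | sed -n 's/.*level="\([0-9]*\)".*/\1/p')
    [ -n "$level" ] && [ "$level" -gt 0 ]
}
# 3. Count completed scans in ossec.log ("Ending syscheck scan." is the assumed
#    message). The first completed scan is the baseline; a file added afterwards
#    only raises 554 once a further scan has ended.
count_completed_scans() {
    n=$(grep -c 'Ending syscheck scan' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}
# Constructed sample files (not real output) so the checks can be tried offline.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' '<ossec_config><syscheck><frequency>7200</frequency>' \
        '<alert_new_files>yes</alert_new_files></syscheck></ossec_config>' > "$d/ossec.conf"
    printf '%s\n' '<group name="local,syscheck,">' \
        '<rule id="554" level="10" overwrite="yes">' \
        '  <category>ossec</category><decoded_as>syscheck_new_entry</decoded_as>' \
        '  <description>File added to the system.</description><group>syscheck,</group>' \
        '</rule></group>' > "$d/local_rules.xml"
    printf '%s\n' '2013/10/07 15:00:01 ossec-syscheckd: INFO: Starting syscheck scan.' \
        '2013/10/07 15:09:42 ossec-syscheckd: INFO: Ending syscheck scan.' > "$d/ossec.log"
    echo "$d"
}
report() {   # report OSSEC_CONF LOCAL_RULES OSSEC_LOG
    check_alert_new_files "$1" && echo "ok: alert_new_files=yes inside <syscheck>" \
                               || echo "MISSING: alert_new_files in $1"
    check_rule_554_override "$2" && echo "ok: rule 554 overridden with level > 0" \
                                 || echo "MISSING: rule 554 override in $2"
    echo "completed syscheck scans logged: $(count_completed_scans "$3") (need 2+ for a post-baseline file)"
}
report "${OSSEC_CONF:-/var/ossec/etc/ossec.conf}" \
       "${LOCAL_RULES:-/var/ossec/rules/local_rules.xml}" "${OSSEC_LOG:-/var/ossec/logs/ossec.log}"
```

Run it on the server after restarting OSSEC; set OSSEC_CONF, LOCAL_RULES and OSSEC_LOG to point at copies if checking elsewhere.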