Very good point, probably just because I am new to OSSEC so I am still learning. I will do what you listed and let you know if the problem is fixed. Thanks.
On Monday, October 7, 2013 3:26:35 PM UTC-4, 22emitch wrote:
>
> I am working with OSSEC version 2.7 and I am having a problem getting
> OSSEC to report on new files created on the system. I know that rule 554 is
> set to off by default and I have already done all the steps listed on the
> OSSEC website to turn it on but I am still not getting alerts. I added
> <alert_new_files>yes</alert_new_files> under the syscheck section. Just to
> clarify I have been making all these changes on the OSSEC server not the
> OSSEC agent. The question I have is when I am making changes to rule 554 do
> I change it under the rules/ossec_rules.xml or do I change it under
> local_rules.xml. Right now I have the rule changed under
> rules/ossec_rules.xml and it is not alerting me for new files still even
> though I have the rule set up like this
>
> <rule id="554" level="10" overwrite="yes">
>   <category>ossec</category>
>   <decoded_as>syscheck_new_entry</decoded_as>
>   <description>File added to the system.</description>
>   <group>syscheck,</group>
> </rule>
>
> I have read to change it under rules/ossec_rules.xml or local_rules.xml in
> many different forums. If I set rule 554 under rules/ossec_rules.xml back to
> default and then change local_rules.xml to
> alert on new files and change rule 554 under there then will it send me
> alerts on new files?
>
> Thank you for your help in advance
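An added example, not part of the thread and not OSSEC project code: a small Python check of the three places the question touches (the `alert_new_files` flag in `ossec.conf`, a rule 554 override in `local_rules.xml`, and an unmodified stock `ossec_rules.xml`). It follows the OSSEC convention of keeping `overwrite="yes"` rules in `local_rules.xml`, since stock rule files are replaced on upgrade. The function name and the sample inputs are constructed for illustration, and the files are assumed to parse as XML once wrapped in a single root.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from a real host).
OSSEC_CONF = ("<ossec_config><syscheck><alert_new_files>yes</alert_new_files>"
              "</syscheck></ossec_config>")
RULE = ('<group name="ossec,"><rule id="554" level="{lvl}"{ow}>'
        "<category>ossec</category><decoded_as>syscheck_new_entry</decoded_as>"
        "<description>File added to the system.</description>"
        "<group>syscheck,</group></rule></group>")
STOCK = RULE.format(lvl=0, ow="")                      # shipped default: off
OVERRIDE = RULE.format(lvl=10, ow=' overwrite="yes"')  # the rule from the post

def _rules_554(text):
    # OSSEC files can hold several top-level elements, so wrap them in one root.
    root = ET.fromstring("<root>" + text + "</root>")
    return [r for r in root.iter("rule") if r.get("id") == "554"]

def check_new_file_alerting(ossec_conf, local_rules, stock_rules):
    """Return a list of findings; empty means the pieces for rule 554 are in place."""
    findings = []
    conf = ET.fromstring("<root>" + ossec_conf + "</root>")
    flags = [(e.text or "").strip().lower()
             for e in conf.findall(".//syscheck/alert_new_files")]
    if "yes" not in flags:
        findings.append("ossec.conf: alert_new_files is not 'yes' under <syscheck>")
    local = _rules_554(local_rules)
    if not local:
        findings.append("local_rules.xml: no rule 554 override")
    for r in local:
        if r.get("overwrite") != "yes":
            findings.append('local_rules.xml: rule 554 lacks overwrite="yes"')
        if int(r.get("level", "0")) == 0:
            findings.append("local_rules.xml: rule 554 level is 0 (no alert)")
    for r in _rules_554(stock_rules):
        if r.get("overwrite") == "yes" or int(r.get("level", "0")) != 0:
            findings.append("ossec_rules.xml: stock rule 554 edited; "
                            "move the change to local_rules.xml")
    return findings

if __name__ == "__main__":
    # The setup described in the post: override placed in the stock rules file.
    for finding in check_new_file_alerting(OSSEC_CONF, "", OVERRIDE):
        print(finding)
```

On a real manager, pass the contents of `ossec.conf`, `rules/local_rules.xml` and `rules/ossec_rules.xml` read from the OSSEC installation directory.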
