In the logs I see that some are triggering.

On Friday, March 28, 2014 9:58:29 AM UTC-5, dan (ddpbsd) wrote:
>
> On Fri, Mar 28, 2014 at 10:53 AM, Ryan <[email protected]> wrote:
> > Hello,
> > I am working on creating rules to email specific groups when a file changes
> > in a specific directory on a client. I am trying to copy the below rules,
> > but for a specific directory. I added the specific directories into the
> > syscheck notation on the client side. I also found and changed the default
> > setting that the ossec server will ignore file changes after 3 changes. I
> > did not clear any counters after applying this change. I think I have
> > the email to the specific group figured out, but I am not getting the emails
> > on the changes. The logs are showing some of the changes.
> >
>
> Are your rules triggering?
>
> > Rules I am trying to copy:
> > <rule id="550" level="7">
> >   <category>ossec</category>
> >   <decoded_as>syscheck_integrity_changed</decoded_as>
> >   <description>Integrity checksum changed.</description>
> >   <group>syscheck,</group>
> > </rule>
> >
> > <rule id="551" level="7">
> >   <category>ossec</category>
> >   <decoded_as>syscheck_integrity_changed_2nd</decoded_as>
> >   <description>Integrity checksum changed again (2nd time).</description>
> >   <group>syscheck,</group>
> > </rule>
> >
> > <rule id="552" level="7">
> >   <category>ossec</category>
> >   <decoded_as>syscheck_integrity_changed_3rd</decoded_as>
> >   <description>Integrity checksum changed again (3rd time).</description>
> >   <group>syscheck,</group>
> > </rule>
> >
> > <rule id="553" level="7">
> >   <category>ossec</category>
> >   <decoded_as>syscheck_deleted</decoded_as>
> >   <description>File deleted. Unable to retrieve checksum.</description>
> >   <group>syscheck,</group>
> > </rule>
> >
> > <rule id="554" level="0">
> >   <category>ossec</category>
> >   <decoded_as>syscheck_new_entry</decoded_as>
> >   <description>File added to the system.</description>
> >   <group>syscheck,</group>
> > </rule>
> >
> > <rule id="555" level="7">
> >   <if_sid>500</if_sid>
> >   <match>^ossec: agentless: </match>
> >   <description>Integrity checksum for agentless device changed.</description>
> >   <group>syscheck,agentless</group>
> > </rule>
> >
> >
> > Different trial rules:
> > <rule id="100001" level="13">
> >   <if_sid>550</if_sid>
> >   <match>DIRECTORY</match>
> >   <description>A file has changed in DIRECTORY</description>
> > </rule>
> >
> > <rule id="100002" level="13">
> >   <if_sid>551</if_sid>
> >   <match>DIRECTORY</match>
> >   <description>A file has changed (2nd time) in DIRECTORY</description>
> > </rule>
> >
> > <rule id="100003" level="13">
> >   <if_sid>552</if_sid>
> >   <match>DIRECTORY</match>
> >   <description>A file has changed (3rd time) in DIRECTORY</description>
> > </rule>
> >
> > <rule id="100004" level="13">
> >   <if_sid>553</if_sid>
> >   <match>DIRECTORY</match>
> >   <description>A file was deleted in DIRECTORY</description>
> > </rule>
> >
> > <rule id="100005" level="13">
> >   <if_sid>554</if_sid>
> >   <match>DIRECTORY</match>
> >   <description>A file was added in DIRECTORY</description>
> > </rule>
> >
> > <rule id="100006" level="13">
> >   <if_sid>555</if_sid>
> >   <match>DIRECTORY</match>
> >   <description>Integrity checksum of a file was changed in DIRECTORY</description>
> > </rule>
> >
> >
> > <rule id="100011" level="13">
> >   <decoded_as>syscheck_integrity_changed</decoded_as>
> >   <match>DIRECTORY</match>
> >   <description>Integrity checksum changed.</description>
> > </rule>
> >
> > <rule id="100012" level="13">
> >   <decoded_as>syscheck_integrity_changed_2nd</decoded_as>
> >   <match>DIRECTORY</match>
> >   <description>Integrity checksum changed again (2nd time).</description>
> > </rule>
> >
> > <rule id="100013" level="13">
> >   <decoded_as>syscheck_integrity_changed_3rd</decoded_as>
> >   <match>DIRECTORY</match>
> >   <description>Integrity checksum changed again (3rd time).</description>
> > </rule>
> >
> > <rule id="100014" level="13">
> >   <decoded_as>syscheck_deleted</decoded_as>
> >   <match>DIRECTORY</match>
> >   <description>File deleted. Unable to retrieve checksum.</description>
> > </rule>
> >
> > <rule id="100015" level="13">
> >   <decoded_as>syscheck_new_entry</decoded_as>
> >   <match>DIRECTORY</match>
> >   <description>File added to the system.</description>
> > </rule>
> >
> >
> > <rule id="100021" level="13">
> >   <if_matched_group>syscheck</if_matched_group>
> >   <match>DIRECTORY</match>
> >   <description>Integrity checksum changed.</description>
> > </rule>
> >
> > <rule id="100022" level="13">
> >   <if_matched_group>syscheck</if_matched_group>
> >   <match>DIRECTORY</match>
> >   <description>Integrity checksum changed again (2nd time).</description>
> > </rule>
> >
> > <rule id="100023" level="13">
> >   <if_matched_group>syscheck</if_matched_group>
> >   <match>DIRECTORY</match>
> >   <description>Integrity checksum changed again (3rd time).</description>
> > </rule>
> >
> > <rule id="100024" level="13">
> >   <if_matched_group>syscheck</if_matched_group>
> >   <match>DIRECTORY</match>
> >   <description>File deleted. Unable to retrieve checksum.</description>
> > </rule>
> >
> > <rule id="100025" level="13">
> >   <if_matched_group>syscheck</if_matched_group>
> >   <match>DIRECTORY</match>
> >   <description>File added to the system.</description>
> > </rule>
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
>
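For reference, here is one complete configuration for the setup the thread is after: a set of child rules hung off the stock syscheck rules 550-554 and scoped to a single directory, plus the server- and agent-side settings the rules depend on to fire and to be mailed. This is an added example and not code from the post or from the OSSEC project. The watched path /var/www/html, the rule IDs 100101-100105, the group name webroot_change and the address webteam@example.com are all assumptions chosen for the example.

```xml
<!-- File 1: local_rules.xml on the OSSEC server (added example; the path,
     rule IDs and group name are assumptions, not from the original post). -->
<group name="local,syscheck,">

  <!-- Each child rule uses if_sid to hang off the stock syscheck rule, so
       the parent's decoder already applies.  <match> is a plain substring
       test against the alert text, which for syscheck looks like
       "Integrity checksum changed for: '/var/www/html/index.php'",
       so the directory prefix with its trailing slash is enough. -->
  <rule id="100101" level="13">
    <if_sid>550</if_sid>
    <match>/var/www/html/</match>
    <description>Web root: file changed.</description>
    <group>webroot_change,</group>
  </rule>

  <rule id="100102" level="13">
    <if_sid>551</if_sid>
    <match>/var/www/html/</match>
    <description>Web root: file changed (2nd time).</description>
    <group>webroot_change,</group>
  </rule>

  <rule id="100103" level="13">
    <if_sid>552</if_sid>
    <match>/var/www/html/</match>
    <description>Web root: file changed (3rd time).</description>
    <group>webroot_change,</group>
  </rule>

  <rule id="100104" level="13">
    <if_sid>553</if_sid>
    <match>/var/www/html/</match>
    <description>Web root: file deleted.</description>
    <group>webroot_change,</group>
  </rule>

  <!-- Stock rule 554 is level 0, so file additions are silent unless a
       child rule raises the level AND syscheck has alert_new_files on. -->
  <rule id="100105" level="13">
    <if_sid>554</if_sid>
    <match>/var/www/html/</match>
    <description>Web root: file added.</description>
    <group>webroot_change,</group>
  </rule>

</group>

<!-- File 2: ossec.conf on the server.  The email_alerts block routes every
     alert carrying the custom group to one mailbox (address is an
     assumption); the syscheck block turns off the "ignore after the third
     change" behaviour and enables new-file alerts, both server-side options. -->
<ossec_config>
  <email_alerts>
    <email_to>webteam@example.com</email_to>
    <group>webroot_change</group>
    <do_not_delay />
  </email_alerts>

  <syscheck>
    <auto_ignore>no</auto_ignore>
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</ossec_config>

<!-- File 3: ossec.conf (or the shared agent.conf) on the agent: the
     directory whose changes the rules above are scoped to. -->
<ossec_config>
  <syscheck>
    <directories check_all="yes">/var/www/html</directories>
  </syscheck>
</ossec_config>
```

Two things to check before concluding the rules are at fault: `<email_notification>yes</email_notification>` must be set in the server's `<global>` section, and the child rules' level (13 here) must be at or above the `<email_alert_level>` in `<alerts>` (7 by default), otherwise the alert is written to alerts.log but never mailed. Restart the server after editing local_rules.xml, modify a file under the watched directory, and confirm in alerts.log that the alert's rule ID is now 100101 rather than 550; only then is the group-based email routing being exercised.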
