Thanks, Dan, for responding. Yes, they all are reporting to the same manager.

I tested by adding new files. At the same time, I reduced the syscheck time down to a couple of minutes, but no new alerts for that file. Although, when I deleted the file and ran syscheck again, the ossec log did mention that the file cannot be located.

*ossec-syscheckd: Error accessing 'File Name'.*

Syscheck did perform a scan, as I had restarted the OSSEC agent after adding the file. I will try issuing a syscheck on the agent from the manager to see if that picks up new files.

Also verified, the inotify package is installed.

Thank you,
Abhi

On Friday, June 6, 2014 10:47:37 AM UTC-4, dan (ddpbsd) wrote:
> On Fri, Jun 6, 2014 at 10:28 AM, Abhi <[email protected]> wrote:
> > Hi,
> >
> > I am having some trouble in making the OSSEC's new file alerting to work on
> > a particular linux machine. We have several other systems where it's working
> > perfectly fine. The local configuration used on all these is identical.
>
> Are all of these systems (working and not working) reporting to the
> same manager?
>
> > Is there any way I can test this manually on the machine?
>
> Add new files?
>
> > The <alert_new_files> tag has been enabled only on the OSSEC server's conf
> > file. Does it need to be added on all the local agents as well?
> > The agents which are correctly reporting newly added files do not have this
> > tag.
>
> No, it should be manager only.
>
> Are you sure syscheck has performed a scan since the new file was
> added? I'm not sure, but I don't think the new file alert works with
> realtime alerts, only with actual scans.
>
> > Please advise.
> >
> > Thanks,
> >
> > Abhi
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
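The settings this thread turns on, as an added configuration example that is not part of the original messages. It assumes a default `/var/ossec` install; the directory list, frequency and alert level are constructed example values. The rule 554 override goes beyond what the thread mentions: stock OSSEC ships that rule ("File added to the system.") at level 0, so nothing is alerted until the manager raises it.

```xml
<!-- Fragment 1. Manager only: /var/ossec/etc/ossec.conf (assumed default path).
     alert_new_files is evaluated by the manager; agents do not need it. -->
<ossec_config>
  <syscheck>
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</ossec_config>

<!-- Fragment 2. Manager only: /var/ossec/rules/local_rules.xml (assumed default path).
     Rule 554 has level 0 in the stock rules, so it is overwritten here with a
     level that produces alerts. Level 7 is an example value. -->
<group name="syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>

<!-- Fragment 3. Agent: /var/ossec/etc/ossec.conf (assumed default path).
     New files are reported by full scans, not by realtime monitoring, and
     only under directories the agent actually monitors. The frequency
     (seconds between full scans) and the directory list are example values. -->
<ossec_config>
  <syscheck>
    <frequency>3600</frequency>
    <directories check_all="yes">/etc,/usr/bin</directories>
  </syscheck>
</ossec_config>
```

Restart the manager after changing fragments 1 and 2; a new file is then reported on the first full scan completed after it was created.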
