On Fri, Jun 6, 2014 at 11:49 AM, Abhi <[email protected]> wrote:
> Thanks, Dan, for responding.
>
> Yes, they all are reporting to the same manager.
>
> I tested by adding new files. At the same time, I reduced the syscheck time
> down to a couple of minutes, but no new alerts for that file. Although, when I
> deleted the file and ran syscheck again, the ossec log did mention that the file
> cannot be located: ossec-syscheckd: Error accessing 'File Name'.
>

I feel like reducing the syscheck frequency too low causes issues.
Also, make sure the scan finishes.
You can also turn on the log all option. I think syscheck events are
recorded in the archives.log. You can also manually check the syscheck
database (/var/ossec/queue/syscheck/something) for that agent to see
if the file is picked up. Check it before and after.

>
> Syscheck did perform a scan as I had restarted OSSEC agent after adding the
> file. I will try issuing a syscheck on agent from manager to see if that
> picks up new files.
>
> Also verified, inotify package is installed.
>
> Thank you,
>
> Abhi
>
>
>
>
> On Friday, June 6, 2014 10:47:37 AM UTC-4, dan (ddpbsd) wrote:
>>
>> On Fri, Jun 6, 2014 at 10:28 AM, Abhi <[email protected]> wrote:
>> > Hi,
>> >
>> > I am having some trouble getting OSSEC's new file alerting to work on
>> > a particular Linux machine. We have several other systems where it's
>> > working perfectly fine. The local configuration used on all of these is identical.
>> >
>>
>> Are all of these systems (working and not working) reporting to the
>> same manager?
>>
>> > Is there any way I can test this manually on the machine?
>>
>> Add new files?
>>
>> > The <alert_new_files> tag has been enabled only in the OSSEC server's conf
>> > file. Does it need to be added on all the local agents as well?
>> > The agents which are correctly reporting newly added files do not have
>> > this tag.
>> >
>>
>> No, it should be manager only.
>>
>> Are you sure syscheck has performed a scan since the new file was
>> added? I'm not sure, but I don't think the new file alert works with
>> realtime alerts, only with actual scans.
>>
>> > Please advise.
>> >
>> > Thanks,
>> >
>> > Abhi
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
>

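For reference, here is the manager-side configuration that the thread's advice adds up to: <alert_new_files> in the syscheck block of the manager's ossec.conf (not on the agents, as Dan says), a scan frequency that is long enough for a full scan to complete, and <logall> so that every received syscheck event lands in /var/ossec/logs/archives/archives.log whether or not it triggers an alert. This is an added example, not configuration posted in the thread; the directory list, the two-hour frequency and the agent id in the usage note are assumptions. One further item that the thread does not mention but that applies to the default OSSEC ruleset: the "File added to the system" event is rule 554, which ships at level 0 (silent), so it has to be overridden in local_rules.xml for new-file events to produce an alert at all.

```xml
<!-- /var/ossec/etc/ossec.conf on the OSSEC manager (added example, not from the thread) -->
<ossec_config>
  <global>
    <!-- Log every received event to logs/archives/archives.log, not only alerts.
         Useful to confirm the agent is actually sending syscheck_new_entry events. -->
    <logall>yes</logall>
  </global>

  <syscheck>
    <!-- Seconds between full scans. Assumed value: 2 hours. A scan must be allowed to
         finish; very short intervals make the scan restart before it completes. -->
    <frequency>7200</frequency>

    <!-- Manager-side only: report files seen for the first time. Requires a full scan;
         the thread notes it is not expected to fire from realtime (inotify) events. -->
    <alert_new_files>yes</alert_new_files>

    <!-- Assumed monitored paths; replace with the directories you actually track. -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin</directories>
  </syscheck>
</ossec_config>

<!-- /var/ossec/etc/rules/local_rules.xml on the manager (added example, not from the thread).
     Rule 554 is level 0 in the stock ruleset; without this override new-file events are
     recorded (visible in archives.log with logall) but never alerted. -->
<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
```

After restarting the manager, force a scan on the affected agent with /var/ossec/bin/agent_control -r -u <agent_id> (agent id from agent_control -l), then compare the agent's syscheck database under /var/ossec/queue/syscheck/ before and after, and grep archives.log for the new path: if the path appears in the database and in archives.log but no alert is raised, the problem is on the rules side (rule 554 level); if it never appears, the scan is not reaching or not completing on that agent.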