Hi Dan,

After enabling the "logall" option on the manager, I checked the latest modified files for today in the syscheck database and there is no listing of the files I added. I also checked the archives and searched for that file name: no entry. Syscheck time is set to 4 hours and I checked for files only after it had completed syscheck and forwarded the database to the manager.

On Friday, June 6, 2014 11:52:48 AM UTC-4, dan (ddpbsd) wrote:
>
> On Fri, Jun 6, 2014 at 11:49 AM, Abhi <[email protected]> wrote:
> > Thanks Dan for responding.
> >
> > Yes, they all are reporting to the same manager.
> >
> > I tested by adding new files. At the same time, I reduced the syscheck time
> > down to a couple of minutes but no new alerts for that file. Although, when I
> > deleted the file and ran syscheck again, the ossec log did mention that the file
> > cannot be located: ossec-syscheckd: Error accessing 'File Name'.
> >
> > I feel like reducing the syscheck frequency too low causes issues.
>
> Also, make sure the scan finishes.
> You can also turn on the log all option. I think syscheck events are
> recorded in the archives.log. You can also manually check the syscheck
> database (/var/ossec/queue/syscheck/something) for that agent to see
> if the file is picked up. Check it before and after.
>
> > Syscheck did perform a scan as I had restarted the OSSEC agent after adding the
> > file. I will try issuing a syscheck on the agent from the manager to see if that
> > picks up new files.
> >
> > Also verified, the inotify package is installed.
> >
> > Thank you,
> >
> > Abhi
> >
> > On Friday, June 6, 2014 10:47:37 AM UTC-4, dan (ddpbsd) wrote:
> >>
> >> On Fri, Jun 6, 2014 at 10:28 AM, Abhi <[email protected]> wrote:
> >> > Hi,
> >> >
> >> > I am having some trouble in making OSSEC's new file alerting work on
> >> > a particular Linux machine. We have several other systems where it's working
> >> > perfectly fine. The local configuration used on all of these is identical.
> >> >
> >>
> >> Are all of these systems (working and not working) reporting to the
> >> same manager?
> >>
> >> > Is there any way I can test this manually on the machine?
> >>
> >> Add new files?
> >>
> >> > The <alert_new_files> tag has been enabled only on the OSSEC server's conf
> >> > file. Does it need to be added on all the local agents as well?
> >> > The agents which are correctly reporting newly added files do not have this
> >> > tag.
> >> >
> >>
> >> No, it should be manager only.
> >>
> >> Are you sure syscheck has performed a scan since the new file was
> >> added? I'm not sure, but I don't think the new file alert works with
> >> realtime alerts, only with actual scans.
> >>
> >> > Please advise.
> >> >
> >> > Thanks,
> >> >
> >> > Abhi
> >> >
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google Groups
> >> > "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send an
> >> > email to [email protected].
> >> > For more options, visit https://groups.google.com/d/optout.
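The thread turns on three manager-side settings: `<alert_new_files>` (manager only, as Dan says), `logall` so that every received syscheck event lands in archives.log, and a completed scheduled scan rather than realtime events. The fragments below are an added example written for this thread, not configuration posted by either participant; they assume the stock OSSEC 2.x layout (`/var/ossec/etc/ossec.conf` and `/var/ossec/rules/local_rules.xml` on the manager) and add one caveat the thread does not mention: the stock syscheck rule 554 ("File added to the system.") is level 0, so a new file that is correctly detected still produces no alert until that rule is raised.

```xml
<!-- Manager-side /var/ossec/etc/ossec.conf (added example, not from the thread) -->
<ossec_config>
  <global>
    <!-- Write every received event to /var/ossec/logs/archives/archives.log,
         not only those that fired a rule. This is the "log all" option from
         the thread; it shows whether the agent's syscheck entries reach the
         manager at all, independent of any rule firing. -->
    <logall>yes</logall>
  </global>

  <syscheck>
    <!-- Manager-only setting: emit a syscheck_new_entry event (rule 554) when
         a path appears in an agent's database that was not there before. New
         file alerts come from scheduled scans, not from realtime monitoring,
         so the agent's scan must actually finish. -->
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</ossec_config>

<!-- Manager-side /var/ossec/rules/local_rules.xml (added example, not from the thread) -->
<group name="local,syscheck,">
  <!-- The stock rule 554 in syscheck_rules.xml is level 0, i.e. silent. Raise
         it here with overwrite="yes" instead of editing the shipped ruleset;
         the level (7) is an illustrative choice. -->
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
```

After restarting the manager (`/var/ossec/bin/ossec-control restart`), the two checks Dan describes apply in order: first confirm the new path shows up in that agent's database under `/var/ossec/queue/syscheck/` once its scan has completed and been forwarded, then confirm the corresponding event is in archives.log; only if both are present and no alert fires is the rule level the remaining suspect.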
