Yes, I did a restart and a stop/start. Using the log file snippet, how does OSSEC know about a new file creation? What process calls it to an alarm? Baffled on why this isn't working; debugs don't show much either. Guess I am not missing anything?
Thanks

Jim

On Tuesday, November 18, 2014 12:54:01 PM UTC-5, Jim Nofsinger wrote:
>
> I have a question about new file creation and agentless. I have followed more than a few guides and changed the following setting
>
> *added this to the local xml file*
> <rule id="554" level="7" overwrite="yes">
> <category>ossec</category>
> <decoded_as>syscheck_new_entry</decoded_as>
> <description>File added to the system.</description>
> <group>syscheck,</group>
> </rule>
>
>
> *added this to ossec xml file*
> <alert_new_files>yes</alert_new_files>
>
>
> *I view the queue file and see the file show up, but it does not alert. The normal behavior is working though if I make a change*.
>
> +++0:644:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709
>
> !1416331050 /bin/jimtest40
>
>
> so the file is being logged in the system, but never creates an alert... is this possible with agentless? If so, what the heck am I missing??
>
>
>
> Thanks,
>
> Jim
