On Tue, Nov 18, 2014 at 2:18 PM, Jim Nofsinger <[email protected]> wrote:
> Yes I did a restart and a stop/start. Using the log file snippet, how does
> OSSEC know about a new file creation? What process calls it to an alarm?

I think the agent sends the file and hash to the manager. The manager's
ossec-analysisd compares the information to the database. If the file is not
in the database it's added and an alert may be sent out.

> Baffled on why this isn't working, debugs don't show much either. Guess I
> am not missing anything?

No clue, I don't use agentless.

> Thanks
> Jim
>
> On Tuesday, November 18, 2014 12:54:01 PM UTC-5, Jim Nofsinger wrote:
>>
>> I have a question about new file creation and agentless. I have followed
>> more than a few guides and changed the following setting.
>>
>> Added this to the local rules XML file:
>>
>> <rule id="554" level="7" overwrite="yes">
>>   <category>ossec</category>
>>   <decoded_as>syscheck_new_entry</decoded_as>
>>   <description>File added to the system.</description>
>>   <group>syscheck,</group>
>> </rule>
>>
>> Added this to the ossec XML file:
>>
>> <alert_new_files>yes</alert_new_files>
>>
>> I view the queue file and see the file show up, but it does not alert.
>> The normal behavior is working though if I make a change.
>>
>> +++0:644:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 !1416331050 /bin/jimtest40
>>
>> So the file is being logged in the system, but never creates an alert...
>> Is this possible with agentless? If so, what the heck am I missing??
>>
>> Thanks,
>>
>> Jim
>
> --
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
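The reply above describes the manager-side flow in one sentence: compare the incoming syscheck entry against the database, add it if unseen, and only then decide whether an alert goes out. The following is an added example that models that flow, not OSSEC's own code. It parses queue lines in the layout read from the sample line in the thread (an optional `+++` prefix, then `size:perm:uid:gid:md5:sha1 !mtime path`, which is an assumption about the format), keeps a toy path-to-entry database, and gates the "new file" event on an `alert_new_files` flag the way the `<alert_new_files>` option is described. The event names (`new`, `new_quiet`, `modified`, `unchanged`) are this example's own, not OSSEC rule or decoder names.

```python
import re
from dataclasses import dataclass

# Field layout assumed from the sample queue line quoted in the thread:
#   [+++]size:perm:uid:gid:md5:sha1 !mtime path
SYSCHECK_RE = re.compile(
    r"^(?P<new>\+\+\+)?"                              # '+++' prefix seen on the brand-new entry
    r"(?P<size>\d+):(?P<perm>\d+):(?P<uid>\d+):(?P<gid>\d+):"
    r"(?P<md5>[0-9a-fA-F]{32}):(?P<sha1>[0-9a-fA-F]{40})"
    r" !(?P<mtime>\d+) (?P<path>/\S.*)$"
)

# Attributes compared against the stored copy to decide "modified".
COMPARED_FIELDS = ("size", "perm", "uid", "gid", "md5", "sha1", "mtime")


@dataclass(frozen=True)
class Entry:
    path: str
    size: int
    perm: str
    uid: int
    gid: int
    md5: str
    sha1: str
    mtime: int
    flagged_new: bool   # True when the line carried the '+++' prefix


def parse_syscheck_line(line: str) -> Entry:
    """Parse one syscheck queue line; raise ValueError on anything else."""
    m = SYSCHECK_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a syscheck entry: {line!r}")
    return Entry(
        path=m["path"],
        size=int(m["size"]),
        perm=m["perm"],
        uid=int(m["uid"]),
        gid=int(m["gid"]),
        md5=m["md5"].lower(),
        sha1=m["sha1"].lower(),
        mtime=int(m["mtime"]),
        flagged_new=m["new"] is not None,
    )


class SyscheckDB:
    """Toy manager-side database: path -> last known Entry (hypothetical, not OSSEC's)."""

    def __init__(self, alert_new_files: bool = False):
        self.alert_new_files = alert_new_files
        self._db: dict[str, Entry] = {}

    def process(self, line: str):
        """Return (event, changed_fields) for one incoming line.

        event is one of:
          'new'        path unseen before and alert_new_files is on -> alert
          'new_quiet'  path unseen before, stored but not alerted (alert_new_files off)
          'modified'   path known and at least one compared field differs -> alert
          'unchanged'  path known and identical
        """
        entry = parse_syscheck_line(line)
        prev = self._db.get(entry.path)
        self._db[entry.path] = entry          # new or not, the database is updated
        if prev is None:
            return ("new" if self.alert_new_files else "new_quiet", ())
        changed = tuple(f for f in COMPARED_FIELDS if getattr(prev, f) != getattr(entry, f))
        return ("modified", changed) if changed else ("unchanged", ())


# Constructed sample stream. The first line is the one quoted in the thread;
# the other two are made up to exercise the unchanged and modified paths.
SAMPLE_LINES = [
    "+++0:644:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 !1416331050 /bin/jimtest40",
    "0:644:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 !1416331050 /bin/jimtest40",
    "5:755:0:0:5d41402abc4b2a76b9719d911017c592:aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d !1416331999 /bin/jimtest40",
]


def run(lines, alert_new_files=True):
    """Feed lines through a fresh database and return the list of (event, changed) results."""
    db = SyscheckDB(alert_new_files=alert_new_files)
    return [db.process(line) for line in lines]


if __name__ == "__main__":
    for line, (event, changed) in zip(SAMPLE_LINES, run(SAMPLE_LINES)):
        print(f"{event:10} {changed} <- {line[:48]}...")
```

Running it with `alert_new_files=True` classifies the thread's own line as `new`, the identical re-scan as `unchanged`, and the constructed rewrite as `modified` with the differing fields listed; with the flag off, the first line is stored silently as `new_quiet`, which is the behaviour a missing or ineffective `<alert_new_files>` setting would produce. Lines that do not match the expected layout raise `ValueError` rather than being silently dropped, so a format mismatch between an agentless script and the manager shows up instead of looking like "no alert".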
