Here is the output of the analysisd on the manager (running in debug):

2014/11/18 15:12:59 1 : rule:554, level 7, timeout: 0

At least the analysisd process is picking up the new rule value change. I will continue to debug some of the other processes to see if I can find the reason this is never fired. If the event is communicated to the analyzer it should get fired. Back to the drawing board.
On Tuesday, November 18, 2014 12:54:01 PM UTC-5, Jim Nofsinger wrote:
>
> I have a question about new file creation and agentless. I have followed
> more than a few guides and changed the following setting:
>
> *added this to the local xml file*
> <rule id="554" level="7" overwrite="yes">
>   <category>ossec</category>
>   <decoded_as>syscheck_new_entry</decoded_as>
>   <description>File added to the system.</description>
>   <group>syscheck,</group>
> </rule>
>
> *added this to ossec xml file*
> <alert_new_files>yes</alert_new_files>
>
> *I view the queue file and see the file show up, but it does not alert.
> The normal behavior is working though if I make a change.*
>
> +++0:644:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 !1416331050 /bin/jimtest40
>
> So the file is being logged in the system, but never creates an alert...
> Is this possible with agentless? If so, what the heck am I missing??
>
> Thanks,
> Jim
