On Wed, Dec 17, 2014 at 3:23 PM, Abhi <[email protected]> wrote:
> Thanks Dan.
>
> That worked perfectly.
>
> Now, when we are making manual changes to these TRG files, i.e. editing in
> notepad, OSSEC detects integrity change. But when DB is trying to edit these
> triggers (drop and re-create with same name, different content), no
> integrity change is reported by OSSEC. The realtime option is set on this
> directory:
>
> <directories check_all="yes" restrict=".trg"
> realtime="yes">C:\Path</directories>
>

I don't think file deleted alerts work right now, and file created
alerts are turned off by default.

>
> Thanks,
>
> ~Abhi
>
> On Wednesday, December 17, 2014 10:58:59 AM UTC-5, dan (ddpbsd) wrote:
>>
>> On Wed, Dec 17, 2014 at 10:50 AM, Abhi <[email protected]> wrote:
>> > Hi,
>> >
>> > I wanted to monitor all files of type *.trg to make sure we get an alert
>> > each time the integrity of any such file changes within a particular
>> > directory. To use a wildcard like *.trg, should I be using a
>> > <localfile> tag, or a <directory>?
>> >
>> > When I am using a localfile tag, OSSEC prints the following two messages:
>> >
>> > ERROR "unable to open file C:\ Path\*.trg
>> > INFO: File not available, ignoring it: C:\ Path \*.trg"
>> >
>>
>> localfiles is for log files to be monitored.
>>
>> > and when used with the directory tag, it says "WARN: Error opening
>> > directory: 'C:\Path\*.trg"
>> >
>> > We only want to monitor files of type "trg". Other files in that
>> > directory don't need integrity monitoring.
>> >
>>
>> I can't remember if globbing works on Windows or not (I might be
>> thinking of localfiles), but restrict should work.
>> Try something like:
>> <directories check_all="yes" restrict=".trg">C:/path</directories>
>>
>> > Please advise.
>> >
>> > Thanks
>> >
>> > ~Abhi
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.


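The settings behind the "file created alerts are turned off by default" remark, shown next to the directory entry from the thread. This is an added example, not configuration posted by either participant: `C:\Path` is the thread's placeholder, and level 7 is an arbitrary non-zero choice.

```xml
<!-- Added example; constructed, not taken from the thread. -->

<!-- Agent ossec.conf (Windows): the directory entry from the thread.
     C:\Path is the thread's placeholder path. -->
<ossec_config>
  <syscheck>
    <directories check_all="yes" restrict=".trg" realtime="yes">C:\Path</directories>
  </syscheck>
</ossec_config>

<!-- Manager ossec.conf: have syscheck report files it has not seen before.
     New files are picked up on a full syscheck scan, not by realtime events,
     so a dropped and re-created .trg file shows up only after the next scan. -->
<ossec_config>
  <syscheck>
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</ossec_config>

<!-- Manager rules/local_rules.xml: stock rule 554 ships at level 0 and so
     never raises an alert. Overwrite it with a non-zero level. -->
<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
```

Restart the manager after both manager-side changes so the rule override is loaded.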