Hi.

I did the same as you: changed the rule's level from 0 to 10 and added

<alert_new_files>yes</alert_new_files>

in "ossec.conf", both on the server, and I had no error.

You should check the Syscheck database (tail of the file at 
/var/ossec/queue/syscheck) and verify that the new files are in it.

Depending on whether the file appears in the database or not, the problem 
may be with the agent or the manager.

Best regards.



On Thursday, March 31, 2016 at 9:08:36 PM UTC+2, jingxu...@bettercloud.com 
wrote:
>
> I followed the instructions as follows:
>
> Add the following to local_rules.xml:
>
> <rule id="554" level="10" overwrite="yes">
>   <category>ossec</category>
>   <decoded_as>syscheck_new_entry</decoded_as>
>   <description>File added to the system.</description>
>   <group>syscheck,</group>
> </rule>
>
> The <alert_new_files> entry should look something like this:
>
> <syscheck>
>   <frequency>7200</frequency>
>   <alert_new_files>yes</alert_new_files>
>   <directories check_all="yes">/etc,/bin,/sbin</directories>
> </syscheck>
>
> And then restarted the agent and server, but I never got any alerts.
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
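The check suggested in the reply (look in the syscheck database on the manager and see whether the new file has been recorded) can be scripted. The block below is an added example, not code from the thread or from the OSSEC project. It assumes the OSSEC 2.x flat-file layout of the files under /var/ossec/queue/syscheck/, where each line looks like `+++size:perm:uid:gid:md5:sha1 !timestamp /path` and the path is everything after the `!timestamp` field; the database entries it writes are constructed for the demonstration, and the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OSSEC project.
# Checks whether a path has been recorded in an OSSEC syscheck database
# file (the flat files under /var/ossec/queue/syscheck/). It assumes the
# OSSEC 2.x line layout
#   +++size:perm:uid:gid:md5:sha1 !timestamp /path
# where the path is everything after the "!timestamp " field. The sample
# entries written by make_sample_db are constructed for the demonstration.

# Write a constructed sample database to a temp file and print its path.
make_sample_db() {
    db=$(mktemp)
    cat >"$db" <<'EOF'
+++1024:33188:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 !1459451000 /etc/hosts
+++2048:33188:0:0:098f6bcd4621d373cade4e832627b4f6:a94a8fe5ccb19ba61c4c0873d391e987982fbbd3 !1459451001 /etc/hosts.allow
+++512:33261:0:0:5d41402abc4b2a76b9719d911017c592:aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d !1459459716 /bin/new-tool
EOF
    printf '%s\n' "$db"
}

# syscheck_has_file DBFILE PATH: exit 0 if PATH is recorded, 1 otherwise.
# Compares the whole path, so /etc/hosts does not match /etc/hosts.allow,
# and no regex is involved, so paths with metacharacters are safe.
syscheck_has_file() {
    awk -v p="$2" '
        {
            i = index($0, " !")           # start of the "!timestamp" field
            if (i) {
                rest = substr($0, i + 2)
                j = index(rest, " ")      # the path begins after the timestamp
                if (j && substr(rest, j + 1) == p) found = 1
            }
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# syscheck_last_paths DBFILE N: print the paths of the last N entries,
# i.e. the "tail of the file" check from the reply, reduced to paths.
syscheck_last_paths() {
    tail -n "$2" "$1" | awk '{
        i = index($0, " !"); rest = substr($0, i + 2); j = index(rest, " ")
        print substr(rest, j + 1)
    }'
}

# Usage: on a real manager, point this at the agent's file under
# /var/ossec/queue/syscheck/ instead of the constructed sample.
db=$(make_sample_db)
for f in /etc/hosts /bin/new-tool /etc/hosts.deny; do
    if syscheck_has_file "$db" "$f"; then
        echo "$f: present in syscheck database (manager side has it)"
    else
        echo "$f: NOT in syscheck database (look at the agent first)"
    fi
done
syscheck_last_paths "$db" 2
rm -f "$db"
```

If the path is missing from the database, the agent never reported it, so the agent's syscheck configuration or its connection to the manager is the place to look; if it is present, the database was updated and the problem is on the manager side (the rule override or the `alert_new_files` setting), which is the split the reply describes.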