Yes, I noticed the difference: the add-new-file entry will not be real-time. But what if I restart the agent and manager? Will it rescan and then generate that event right after I restart everything?
And also, my issue is that I waited for the interval; however, I still would not get a log event even when I created some new files and directories. My last question is: within that rule, the decoder name is syscheck_new_entry. Where is the decoder file? I cannot find this decoder in the decoders folder. Thank you.

On Friday, April 1, 2016 at 6:49:42 AM UTC-4, Jesus Linares wrote:
>
> Check out this blog:
> http://perezbox.com/2013/07/ossec-detecting-new-files-understanding-how-it-works/
>
> Pay attention to the part: "REAL TIME VS ALERT ON NEW".
>
> Regards,
> Jesus Linares.
>
> On Thursday, March 31, 2016 at 9:08:37 PM UTC+2, [email protected] wrote:
>>
>> I followed the instructions on how to set up an alert for adding a new file as
>> follows:
>>
>> <rule id="554" level="10" overwrite="yes">
>>   <category>ossec</category>
>>   <decoded_as>syscheck_new_entry</decoded_as>
>>   <description>File added to the system.</description>
>>   <group>syscheck,</group>
>> </rule>
>>
>> and
>>
>> <syscheck>
>>   <frequency>7200</frequency>
>>   <alert_new_files>yes</alert_new_files>
>>   <directories check_all="yes">/etc,/bin,/sbin</directories>
>> </syscheck>
>>
>> But it never works. I cannot get alerts even when I restart the agent and
>> manager. Could anyone help me with this? Thanks.
>>
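A small configuration check, added here as an example (it is not code from the thread or from OSSEC), that parses the two snippets posted above and reports the usual reasons alert_new_files produces no alert: the stock ruleset ships rule 554 at level 0 unless a local copy overrides it, and new files are only picked up by the scheduled scan, so the wait after creating a file is up to `<frequency>` seconds. The sample XML is constructed from the posted snippets; OSSEC_DEFAULT_FREQUENCY is the documented 79200-second default.

```python
import xml.etree.ElementTree as ET

# Constructed samples mirroring the two snippets posted in the thread.
RULES_XML = """<group name="local,">
  <rule id="554" level="10" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>"""

SYSCHECK_XML = """<syscheck>
  <frequency>7200</frequency>
  <alert_new_files>yes</alert_new_files>
  <directories check_all="yes">/etc,/bin,/sbin</directories>
</syscheck>"""

OSSEC_DEFAULT_FREQUENCY = 79200  # seconds between scheduled syscheck scans

def check_new_file_rule(rules_xml):
    """Return the problems found with the rule-554 override (empty list = OK).
    Stock OSSEC ships rule 554 at level 0, so without an overriding copy the
    new-file event is decoded but never alerted."""
    problems = []
    rule = next((r for r in ET.fromstring(rules_xml).iter("rule")
                 if r.get("id") == "554"), None)
    if rule is None:
        return ["no local rule 554: stock rule is level 0, so no alert is raised"]
    if rule.get("overwrite") != "yes":
        problems.append('rule 554 lacks overwrite="yes"; the stock copy still applies')
    if int(rule.get("level", "0")) < 1:
        problems.append("rule 554 level is 0; set a level of 1 or higher to alert")
    if rule.findtext("decoded_as", "").strip() != "syscheck_new_entry":
        problems.append("rule 554 must match <decoded_as>syscheck_new_entry</decoded_as>")
    return problems

def check_syscheck(syscheck_xml):
    """Return (problems, scan_interval). New files are only reported by the
    scheduled scan, never by realtime monitoring, so after creating a file the
    alert can take up to scan_interval seconds (plus the scan itself)."""
    problems = []
    root = ET.fromstring(syscheck_xml)
    if root.findtext("alert_new_files", "").strip().lower() != "yes":
        problems.append("<alert_new_files> is not 'yes'; new files are never reported")
    if not any(d.text and d.text.strip() for d in root.iter("directories")):
        problems.append("no <directories> configured; nothing is scanned")
    interval = int(root.findtext("frequency", str(OSSEC_DEFAULT_FREQUENCY)))
    return problems, interval
```

Run both checks against your own local_rules.xml rule and the `<syscheck>` block of ossec.conf; an empty problem list plus the reported interval tells you how long to wait before expecting the new-file alert.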
