Hi,

That decoder is hardcoded into OSSEC code, see <https://github.com/wazuh/ossec-wazuh/blob/5441889d963ce6d8ee3fae0e9f273e701b6c89eb/src/analysisd/rules.h#L231>, so you won't find any decoder called like that.
Best regards,
Pedro S.

On Monday, April 4, 2016 at 8:06:58 PM UTC+2, [email protected] wrote:
>
> Yes, I noticed the difference, the add new file entry will not be real-time.
> But what if I restart the agent and manager, will it rescan and then
> generate that event right after I restart everything?
>
> And also, my issue is I waited for the interval, however, I still would
> not be able to get a log event even if I create some new files and
> directories.
>
> My last question is within that rule, the decoder name is
> syscheck_new_entry, where is the decoder file? I cannot find this decoder
> in the decoders folder.
> Thank you.
>
> On Friday, April 1, 2016 at 6:49:42 AM UTC-4, Jesus Linares wrote:
>>
>> Check out this blog:
>> http://perezbox.com/2013/07/ossec-detecting-new-files-understanding-how-it-works/
>>
>> Pay attention to the part: "REAL TIME VS ALERT ON NEW".
>>
>> Regards,
>> Jesus Linares.
>>
>> On Thursday, March 31, 2016 at 9:08:37 PM UTC+2,
>> [email protected] wrote:
>>>
>>> I followed the instructions on how to set up an alert for new files as
>>> follows:
>>>
>>> <rule id="554" level="10" overwrite="yes">
>>>   <category>ossec</category>
>>>   <decoded_as>syscheck_new_entry</decoded_as>
>>>   <description>File added to the system.</description>
>>>   <group>syscheck,</group>
>>> </rule>
>>>
>>> and
>>>
>>> <syscheck>
>>>   <frequency>7200</frequency>
>>>   <alert_new_files>yes</alert_new_files>
>>>   <directories check_all="yes">/etc,/bin,/sbin</directories>
>>> </syscheck>
>>>
>>> But it never works. I cannot get alerts even if I restart the agent and
>>> manager. Could anyone help me with this? Thanks.
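A small configuration check for the two pieces this thread turns on, written as an added example (it is not OSSEC's code and not the poster's): it parses the syscheck block of ossec.conf and the rule 554 override in local_rules.xml, confirms alert_new_files is "yes" and that rule 554 has been overwritten above the stock level 0 (the stock rule decodes syscheck_new_entry events but alerts on nothing), and reports the scan interval, since, as the thread and the linked post say, new-file events come only from the scheduled scan and not from realtime monitoring. The sample XML below is constructed from the snippets quoted in the thread, and the function names are mine. One wrinkle it handles: ossec.conf is allowed to contain several top-level <ossec_config> elements, which a strict XML parser rejects, so the file is wrapped in a synthetic root before parsing.

```python
"""Sanity checks for OSSEC syscheck new-file alerting (added example, not OSSEC code)."""
import xml.etree.ElementTree as ET

# Constructed sample ossec.conf: the poster's syscheck block plus a second
# <ossec_config> element, because real ossec.conf files often have several.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes">/etc,/bin,/sbin</directories>
  </syscheck>
</ossec_config>
<ossec_config>
  <global><email_notification>no</email_notification></global>
</ossec_config>
"""

# Constructed sample local_rules.xml: the poster's rule 554 override.
SAMPLE_LOCAL_RULES = """<group name="local,syscheck,">
  <rule id="554" level="10" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
"""


def parse_multi_root(text):
    """Parse an OSSEC XML file that may have more than one top-level element."""
    return ET.fromstring("<root>" + text + "</root>")


def syscheck_settings(conf_text):
    """Collect frequency, alert_new_files and monitored directories from every <syscheck> block."""
    root = parse_multi_root(conf_text)
    out = {"frequency": None, "alert_new_files": None, "directories": []}
    for sc in root.iter("syscheck"):
        freq = sc.find("frequency")
        if freq is not None and freq.text:
            out["frequency"] = int(freq.text.strip())
        anf = sc.find("alert_new_files")
        if anf is not None and anf.text:
            out["alert_new_files"] = anf.text.strip().lower()
        for d in sc.findall("directories"):
            # OSSEC accepts a comma-separated list inside one <directories> element.
            for path in (d.text or "").split(","):
                path = path.strip()
                if path:
                    out["directories"].append(path)
    return out


def rule_554_level(rules_text):
    """Return the level of an overwrite="yes" rule 554, or None if it is not overridden."""
    root = parse_multi_root(rules_text)
    for rule in root.iter("rule"):
        if rule.get("id") == "554" and rule.get("overwrite") == "yes":
            return int(rule.get("level", "0"))
    return None


def check_new_file_alerting(conf_text, rules_text):
    """Return {'errors': [...], 'frequency': int|None} for the new-file alerting setup."""
    errors = []
    sc = syscheck_settings(conf_text)
    if sc["alert_new_files"] != "yes":
        errors.append("alert_new_files is not 'yes': syscheck never reports new files")
    if not sc["directories"]:
        errors.append("no <directories> are monitored")
    level = rule_554_level(rules_text)
    if level is None or level == 0:
        errors.append("rule 554 is not overridden above level 0: new-file events are decoded but never alerted")
    # New files are only noticed by the scheduled scan, so the wait is up to <frequency> seconds.
    return {"errors": errors, "frequency": sc["frequency"]}


if __name__ == "__main__":
    result = check_new_file_alerting(SAMPLE_OSSEC_CONF, SAMPLE_LOCAL_RULES)
    for err in result["errors"]:
        print("ERROR:", err)
    if not result["errors"]:
        print(f"new-file alerting configured; expect alerts only after the next scan "
              f"(interval {result['frequency']}s), not in realtime")
```

To run it against a live manager, read /var/ossec/etc/ossec.conf and /var/ossec/rules/local_rules.xml into the two arguments instead of the constructed samples; a clean result means the remaining question is simply whether a scheduled scan has run since the file was created.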
