Hi all, My company has been using OSSEC to monitor logs quite happily for some time. I am trying to get FIM up and running using OSSEC. The system is a Redhat linux server running OSSEC as the server, which connects out to quite a number of Agents installed on Windows.
We keep all our production material in a particular folder on a particular drive. Let's call it E:/companyfolder/.

I've added the following to the ossec.conf on the agent:

    <directories check_all="yes" realtime="yes" report_changes="yes">E:\companyfolder/websites/web</directories>

And added the following to local_rules.xml on the server:

    <rule id="554" level="7" overwrite="yes">
      <category>ossec</category>
      <decoded_as>syscheck_new_entry</decoded_as>
      <description>File added to the system.</description>
      <group>syscheck,</group>
    </rule>

Having restarted both, I then go and add an arbitrary file, like "abcdefg.txt", and check the syslog. Repeating the test many times, occasionally something like this pops up:

    2016-06-03 12:06:49 Local0.Warning 192.168.172.6 Jun 3 12:06:47 DB2 ossec: Alert Level: 7; Rule: 554 - File added to the system.; Location: (app5) 192.168.172.105->syscheck; New file 'E:\companyfolder/websites/web/abcdefgh.txt' added to the file system.

That would be one time in 20 tests, however, and certainly not realtime. What am I doing wrong?

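The following is an added helper, not from the post or from OSSEC itself, that parses the forwarded alert format quoted above and checks whether the reported file path falls under one of the agent's <directories> entries once the mixed Windows path separators are normalized. The function names are mine, and both the conf fragment and the alert line are constructed from the post.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

# Constructed: the agent-side ossec.conf fragment from the post, wrapped in its parent elements.
AGENT_CONF = """<ossec_config>
  <syscheck>
    <directories check_all="yes" realtime="yes" report_changes="yes">E:\\companyfolder/websites/web</directories>
  </syscheck>
</ossec_config>"""

# Constructed: the syslog-forwarded alert line from the post (without the forwarder's own prefix).
SAMPLE_ALERT = ("Jun 3 12:06:47 DB2 ossec: Alert Level: 7; Rule: 554 - File added to the system.; "
                "Location: (app5) 192.168.172.105->syscheck; "
                "New file 'E:\\companyfolder/websites/web/abcdefgh.txt' added to the file system.")

# Field layout of the forwarded alert: level, rule id, description, (agent) ip->location, message.
ALERT_RE = re.compile(
    r"ossec: Alert Level: (?P<level>\d+); Rule: (?P<rule>\d+) - (?P<desc>.*?); "
    r"Location: \((?P<agent>[^)]+)\) (?P<ip>[\d.]+)->(?P<location>[^;]+); "
    r"(?P<message>.*)$")
FILE_RE = re.compile(r"'(?P<path>[^']+)'")  # the quoted path inside the syscheck message

def monitored_dirs(conf_xml):
    """Return (normalized_path, attributes) for each <directories> entry.
    OSSEC accepts several comma-separated paths in one element, so split on commas."""
    root = ET.fromstring(conf_xml)
    result = []
    for el in root.iter("directories"):
        for raw in (el.text or "").split(","):
            raw = raw.strip()
            if raw:
                # ntpath works on any host OS: converts '/' to '\' and lower-cases for comparison.
                result.append((ntpath.normcase(ntpath.normpath(raw)), dict(el.attrib)))
    return result

def parse_alert(line):
    """Split one forwarded alert into a dict; returns None if the line is not an OSSEC alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["level"], d["rule"] = int(d["level"]), int(d["rule"])
    f = FILE_RE.search(d["message"])
    d["path"] = f.group("path") if f else None
    return d

def covering_directory(path, dirs):
    """Return the (normalized_dir, attributes) entry that contains `path`, or None."""
    norm = ntpath.normcase(ntpath.normpath(path))
    for d, attrs in dirs:
        if norm == d or norm.startswith(d + "\\"):
            return d, attrs
    return None
```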