On Fri, Jun 3, 2016 at 7:45 AM, Ferdia O'Brien <[email protected]> wrote:

> Hi all,
>
> My company has been using OSSEC to monitor logs quite happily for some time. I am trying to get FIM up and running using OSSEC. The system is a Red Hat Linux server running OSSEC as the server, which connects out to quite a number of Agents installed on Windows.
>
> We keep all our production material in a particular folder in a particular drive. Let's call it E:/companyfolder/
>
> I've added the following to the ossec.conf on the agent:
>
>     <directories check_all="yes" realtime="yes" report_changes="yes">E:\companyfolder/websites/web</directories>
>
> And added the following to local_rules.xml on the server:
>
>     <rule id="554" level="7" overwrite="yes">
>       <category>ossec</category>
>       <decoded_as>syscheck_new_entry</decoded_as>
>       <description>File added to the system.</description>
>       <group>syscheck,</group>
>     </rule>
>
> Having restarted both I then go and add an arbitrary file, like "abcdefg.txt", and check the syslog. Repeating the test many times, occasionally something like this pops up:
>
>     2016-06-03 12:06:49 Local0.Warning 192.168.172.6 Jun 3 12:06:47 DB2 ossec: Alert Level: 7; Rule: 554 - File added to the system.; Location: (app5) 192.168.172.105->syscheck; New file 'E:\companyfolder/websites/web/abcdefgh.txt' added to the file system.
>
> That would be one time in 20 tests however, and certainly not realtime.
>
> What am I doing wrong?
I don't think realtime supports alerting on new files being created. A full syscheck scan is required for that.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
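As an added illustration that is not part of the thread: the configuration that goes with the reply above, keeping the poster's realtime directory on the agent but shortening the full-scan interval, and turning on new-file alerting on the manager so the overridden rule 554 from the post fires once a scheduled scan finds the file. Option names follow the OSSEC ossec.conf syscheck reference; the 3600-second interval is an illustrative value, not something the thread recommends.

```xml
<!-- Agent-side ossec.conf (Windows agent) -->
<syscheck>
  <!-- Full scan interval in seconds; OSSEC's default is 79200 (22 h).
       3600 is an illustrative value chosen for this example. -->
  <frequency>3600</frequency>
  <!-- Run a full scan when the agent starts, so the baseline is fresh -->
  <scan_on_start>yes</scan_on_start>
  <!-- The poster's monitored path, unchanged; realtime still reports
       modifications, but new files only show up on the scheduled scan -->
  <directories check_all="yes" realtime="yes" report_changes="yes">E:\companyfolder/websites/web</directories>
</syscheck>

<!-- Server-side ossec.conf (Red Hat manager) -->
<syscheck>
  <!-- Without this the manager never raises syscheck_new_entry events,
       so the level-7 override of rule 554 in local_rules.xml has nothing
       to match; it is off by default -->
  <alert_new_files>yes</alert_new_files>
</syscheck>
```

Restart the agent and the manager after editing, then wait one full scan interval (or trigger a scan on start) before judging whether rule 554 fires.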
