Hi Keith,

Unfortunately, unlike the Linux version, OSSEC for Windows doesn't support new file monitoring in real time. But you'll get alerted about modified and removed files.

When a complete Syscheck is performed, it will notify the new files to the manager and from that moment on the agent will follow those files in real time. You may test it using this experimental configuration in your agent (and then restarting it):

<syscheck>
  *<frequency>300</frequency>*
  ...
  <directories> ... </directories>
</syscheck>

300 seconds (5 minutes) is the minimum reasonable frequency, since real-time monitoring stages are of 300 seconds in Windows. After that, OSSEC will perform a 20-second sleep and re-run the Syscheck scan. At that moment the manager will receive the new files in the monitored folders.

Hope it helps.

Best regards,
Victor.

On Fri, Nov 11, 2016 at 4:49 PM, dan (ddp) <[email protected]> wrote:
> On Fri, Nov 11, 2016 at 10:41 AM, Keith <[email protected]> wrote:
> > I have a new OSSEC install on a 2012r2 box and have set up one directory I
> > need to monitor in realtime for any changes or modifications to this one
> > specific folder. It does not appear to be working, so any suggestions on
> > this would be appreciated. Here is the config from the client side 2012r2
> > server:
> >
> > <directories check_all="yes" realtime="yes"
> > report_changes="yes">C:\LIS_Global_Import</directories>
> >
> > Once I added this, I restarted the agent then forced the update on the
> > server side:
> >
> > # ./agent_control -r -u 019
> >
> > I added two files into the directory being monitored and nothing, no alert,
> > no email, nada..
> >
> > # ./syscheck_control -i 019
> >
> > Integrity changes for agent 'xxxxxx (019) - x.x.x.x':
> >
> > Changes for 2016 Nov 11:
> > 2016 Nov 11 09:55:39,0 - ossec.conf
> > 2016 Nov 11 10:08:58,0 - ossec.conf
> > 2016 Nov 11 10:15:46,2 - ossec.conf
> >
>
> Are the files in question in the syscheck db
> (/var/ossec/queue/syscheck/something identifying the agent) on the
> OSSEC server?
> Were there baseline hashes in the database for those files before you
> modified them?
> Had realtime initialized before you made the changes? Look in
> ossec.log on the agent
>
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.

--
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.
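As an added example (not a config posted in the thread, and not an official OSSEC sample), here is what the agent-side <syscheck> block looks like once Victor's experimental frequency is combined with the <directories> line from Keith's post. The <scan_on_start> element is an existing OSSEC syscheck option that I have added on my own initiative so the baseline scan runs as soon as the agent restarts; it is not mentioned in the thread. Everything else is taken from the messages above.

```xml
<!-- ossec.conf on the Windows 2012r2 agent (assumed example, not from the thread) -->
<ossec_config>
  <syscheck>
    <!-- Victor's suggested minimum: a full scan every 300 seconds (5 minutes).
         New files are only reported to the manager by a full scan on Windows;
         after that scan they are followed in real time. -->
    <frequency>300</frequency>

    <!-- Added assumption: run the first full scan right after the agent starts,
         so a baseline exists before any real-time change is reported. -->
    <scan_on_start>yes</scan_on_start>

    <!-- Keith's directory entry, unchanged: real-time events for modified and
         removed files, with content diffs reported for changes. -->
    <directories check_all="yes" realtime="yes" report_changes="yes">C:\LIS_Global_Import</directories>
  </syscheck>
</ossec_config>
```

After editing, restart the agent as Victor says. With this configuration a file created in C:\LIS_Global_Import will not raise an alert immediately; it should appear on the manager after the next full scan completes (at most 300 seconds plus the 20-second pause), and from then on modifications and deletions of that file are reported in real time. Keith's `./syscheck_control -i 019` on the manager is the place to confirm the new file has reached the syscheck database, which also answers dan's first question.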
