Billford, Non-authoritative reply based on my memory from 1 1/2 months ago ...

I struggled with this also for several days, and found that clearing the syscheck database then running a fresh syscheck was the only thing that picked up the new file. Obviously, this was not a good solution, but I had to move on. Also, I was not able to get syscheck debug mode to kick in.

Some ideas for you ...

1. Manually kick off a syscheck, then truss/strace the ossec-syscheckd process, to see if the new file is opened.
2. While syschecking, truss/strace the ossec-analysisd process on the server to see if the new file gets analyzed.
3. See if the new file gets entered into the syscheck database (text file) on the server.

Ken Wachtler
Midwave Corporation
612 701-0924 (c)

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Bilford
Sent: Saturday, August 29, 2009 12:24 PM
To: ossec-list
Subject: [ossec-list] alert_new_files

I know I'm just doing something wrong but I can't seem to find out what it is. I need to alert on new files and it's simply not working (and yes, I know I have to wait for syscheck to run; I lowered the frequency). I am using the latest 2.1 (just downloaded yesterday). Any help would be most appreciated. The relevant config is as follows:

ossec.conf:

  <frequency>1200</frequency>
  <!-- Directories to check (perform all possible verifications) -->
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>
  <alert_new_files>yes</alert_new_files>
  <auto_ignore>no</auto_ignore>

local_rules.xml:

  <rule id="100003" level="7">
    <if_sid>554</if_sid>
    <description>NEW FILE!!!</description>
  </rule>

I added new files to an ubuntu system and an opensolaris system, no alerts, no messages in the log about an alert.

Thanks in advance
Billford
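Two things worth ruling out when chasing this, added here as an editor's note and not taken from Ken's or Bilford's messages. First, the new-file comparison is done by the manager (ossec-analysisd compares each agent's scan results against the syscheck database it keeps on the server), so <alert_new_files> and <auto_ignore> need to be in the manager's ossec.conf, not only the agent's; that is also why Ken's step 3 (look in the server-side database) is the right place to check. Second, as I recall the shipped rule 554 ("File added to the system") has level 0, and the usual approach is to raise its level in place with overwrite="yes" rather than hang a child rule off it. The category, decoded_as and group values below are what I remember from the 2.x rule set; treat them as assumptions and compare against the rule 554 in your own /var/ossec/rules/ossec_rules.xml.

```xml
<!-- local_rules.xml: raise the level of the stock new-file rule in place.
     Assumption (editor's, verify against ossec_rules.xml on your install):
     the shipped rule 554 is level 0 and is decoded as syscheck_new_entry.
     overwrite="yes" replaces the shipped rule instead of adding a child rule. -->
<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
```

After editing, restart the manager (/var/ossec/bin/ossec-control restart) and wait for the next full scan: the manager can only raise a new-file alert once an agent has reported a complete scan that contains a path missing from the stored database, which is also why clearing the database, as Ken describes, forces the next scan to show the file.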
