I've gotten copied on this mail 10 times already. But not a response.

>>> <[email protected]> 5/18/2010 8:38 AM >>>
I have that also. Here is the setting; maybe I'm missing something else. I changed the frequency:

<syscheck>
  <!-- Frequency that syscheck is executed - default to every 22 hours -->
  <frequency>792</frequency>
  <alert_new_files>yes</alert_new_files>

  <!-- Directories to check (perform all possible verifications) -->
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>

Christian L. Kovac
Sr Network Support Analyst
Information Technology & Project Management
Metro-North Railroad
[email protected]
212-499-4642

THINK GREEN  Do you really need to print this e-mail?
>>> Daniel Cid <[email protected]> 5/18/2010 8:00 AM >>>
Hi Christian,

You also need to set "alert_new_files" to "yes" inside the syscheck config:
http://www.ossec.net/wiki/Know_How:Syscheck

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Mon, May 17, 2010 at 2:29 PM, <[email protected]> wrote:
> I've changed the required rule, 554, to level 7 and the rule is as follows. Is
> this correct for alerting on new files as documented? Thank you, Christian...
>
> <rule id="554" level="7" overwrite="yes">
>   <category>ossec</category>
>   <decoded_as>syscheck_new_entry</decoded_as>
>   <match>\system32\</match>
>   <description>File added to the system.</description>
>   <group>syscheck,</group>
> </rule>
>
>
> Christian L. Kovac
> Sr Network Support Analyst
> Information Technology & Project Management
> Metro-North Railroad
> [email protected]
> 212-499-4642
>
> THINK GREEN  Do you really need to print this e-mail?
>
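As an added check, not from the thread or from the OSSEC project: a small Python linter for the two settings discussed above, fed the syscheck block and the rule 554 override quoted in the thread as constructed inputs (the closing </syscheck> and the <group> wrapper are assumed so the fragments parse). Besides the alert_new_files and level-0 conditions, it reports when the override's <match> string is not part of any monitored directory in the same config.

```python
import xml.etree.ElementTree as ET

# Constructed inputs, taken from the thread: Christian's syscheck block (closing tag
# added so it parses) and his rule 554 override, each wrapped in the container OSSEC uses.
OSSEC_CONF = """<ossec_config><syscheck>
  <frequency>792</frequency>
  <alert_new_files>yes</alert_new_files>
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>
</syscheck></ossec_config>"""

LOCAL_RULES = r"""<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <match>\system32\</match>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>"""


def check_new_file_alerting(conf_xml: str, rules_xml: str) -> list[str]:
    """Return the reasons a new file under a monitored directory would not alert."""
    # Both files may carry several top-level elements, so parse under a synthetic root.
    conf = ET.fromstring(f"<root>{conf_xml}</root>")
    rules = ET.fromstring(f"<root>{rules_xml}</root>")
    findings = []
    blocks = conf.findall(".//syscheck")
    if not blocks:
        return ["no <syscheck> block: integrity checking is off"]
    if not any(b.findtext("alert_new_files", "").strip() == "yes" for b in blocks):
        findings.append("<alert_new_files> is not yes: new files are logged but not alerted")
    dirs = [p.strip() for b in blocks for d in b.findall("directories")
            for p in (d.text or "").split(",") if p.strip()]
    if not dirs:
        findings.append("no <directories>: nothing is monitored")
    overrides = [r for r in rules.iter("rule") if r.get("id") == "554"]
    if not overrides:
        findings.append("rule 554 not overwritten: it ships at level 0 and stays silent")
    for r in overrides:
        if r.get("overwrite") != "yes":
            findings.append('rule 554 redefined without overwrite="yes"')
        if int(r.get("level", "0")) == 0:
            findings.append("rule 554 override is still level 0")
        # <match> is a plain substring test on the event text, which carries the new file's path.
        needle = (r.findtext("match") or "").strip()
        if needle and not any(needle in d for d in dirs):
            findings.append(f"<match>{needle}</match> is not part of any monitored directory {dirs}")
    return findings
```

Run against the thread's own fragments it reports only the <match> finding: the monitored paths are all Unix paths, so only an agent whose monitored paths contain that string would ever raise the alert.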
