You will not get alerts for new files by default. You would have to edit or overwrite rule id 554 to get alerts for that (the default is level 0 for that rule; it would have to be raised). The following link also mentions a configuration option that would need to be changed to make this possible: http://www.ossec.net/main/manual/manual-syscheck/

Here's more info on making OSSEC alert on new files: http://www.immutablesecurity.com/index.php/2009/10/26/week-of-ossec-day-2-detecting-new-files/

You can also do some centralized configuration through the agent.conf on the OSSEC server system. More details: http://www.ossec.net/main/manual/centralized-config/

Also, Windows and newer Linuxes support a realtime option in syscheck to notify you immediately when files are changed. More details: http://www.ossec.net/main/manual/manual-syscheck/realtime-file-integrity-monitoring/

On Wed, Sep 15, 2010 at 6:08 PM, Aamir Niazi <[email protected]> wrote:
> Actually, never mind, I lied... I guess I just had to wait long enough for the syscheck database to initiate fully. I def got an email alert as soon as I deleted a file. So that helps a lot :) Very grateful for your assistance.
>
> I am sure I will have a lot more questions.
>
> Thanks once again, Jeremy.
>
> On Wed, Sep 15, 2010 at 5:58 PM, Jeremy Lee <[email protected]> wrote:
>> Are you watching the /var/ossec/logs/ossec.log file to see if the syscheck/rootcheck processes are kicking off?
>>
>> It would be good if you could copy and paste the output from your ossec.conf files (both on the agent and server) as well as snippets from the ossec.log.
>>
>> Thanks,
>> Jeremy
>>
>> On Wed, Sep 15, 2010 at 2:53 PM, Aamir Niazi <[email protected]> wrote:
>>> OK, so I went ahead and added the directory on the agent. Stopped and restarted the agent. Changed the time in ossec.conf on the server to 60 seconds just to test quickly. Stopped and restarted the server with no luck. I edited the files and added a new file in that directory but did not get any alerts in the email. Email settings are configured properly since I have been getting OSSEC stop/restart emails whenever I reset the server. What am I doing wrong?
>>>
>>> As far as the users go, I meant if local users are added or deleted on the agents.
>>>
>>> On Wed, Sep 15, 2010 at 5:36 PM, Jeremy Lee <[email protected]> wrote:
>>> > Sorry, my initial comment was incorrect. You should specify, as you already did I believe, the C:\Test_TPS path in the ossec.conf that's on your Windows machine. Syscheck generally runs locally to each box, so putting that on the OSSEC server (Ubuntu) wouldn't do much. If you want to change the frequency, however, you need to do that on the OSSEC server I believe.
>>> >
>>> > On Wed, Sep 15, 2010 at 2:27 PM, Aamir Niazi <[email protected]> wrote:
>>> >> Also, when I add that particular directory under syscheck in ossec.conf on the server, how does the server automatically know to check for that directory on the agent? And what if I had to check one directory on one agent and another on another agent; how do I specify which agent it should check the directory on?
>>> >>
>>> >> Much appreciate your input.
>>> >>
>>> >> Thanks
>>> >>
>>> >> On Wed, Sep 15, 2010 at 4:33 PM, Jeremy Lee <[email protected]> wrote:
>>> >> > Hi there,
>>> >> >
>>> >> > Welcome!
>>> >> >
>>> >> > It sounds like you want to do some integrity checking to notify you of any changes to files in the C:\Test_TPS directory, correct? If so, it should be pretty straightforward. You just need to edit the ossec.conf (/var/ossec/etc/ossec.conf is the default path on your OSSEC server) and add the following under the <syscheck> section:
>>> >> >
>>> >> > <directories check_all="yes">C:\Test_TPS</directories>
>>> >> >
>>> >> > Hope that helps!
>>> >> >
>>> >> > --Jeremy
>>> >> >
>>> >> > On Wed, Sep 15, 2010 at 1:22 PM, Aamir Niazi <[email protected]> wrote:
>>> >> >> Hello List, my first time writing to this list.
>>> >> >>
>>> >> >> I have OSSEC running on Ubuntu 10.4 and have Windows client machines. There is not much on the website regarding rules, so I purchased the OSSEC book. But I am still confused about how to custom-write rules to monitor specific directories. Let's say I wanted to monitor the C:\Test_TPS folder and files within this directory on the Windows machine; what would I have to do in order to make sure that the client is configured for this and the server is also monitoring this directory for any changes and integrity? If anyone can elaborate a little bit on this I would highly appreciate it. FYI, I am a *nix newbie.
>>> >> >>
>>> >> >> Thanks a lot in advance.
>>> >> >>
>>> >> >> --
>>> >> >> Best Regards,
>>> >> >>
>>> >> >> Aamir Niazi
>>> >>
>>> >> --
>>> >> Best Regards,
>>> >>
>>> >> Aamir Niazi
>>> >> Senior Security Analyst
>>>
>>> --
>>> Best Regards,
>>>
>>> Aamir Niazi
>>> Senior Security Analyst
>
> --
> Best Regards,
>
> Aamir Niazi
> Senior Security Analyst
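The reply at the top of this thread names three pieces of configuration (raising rule 554 above level 0, pushing syscheck settings to agents through the shared agent.conf, and the realtime syscheck option). The fragments below are an added illustration of how those pieces fit together; they are not taken from the thread or from the OSSEC documentation, and the agent name `win-agent-01` and the 60-second frequency are constructed values chosen to match the scenario discussed above.

```xml
<!-- 1. /var/ossec/rules/local_rules.xml on the OSSEC server.
     The stock rule 554 ("File added to the system.") ships at level 0,
     so syscheck "new file" events are recorded but never alerted or
     e-mailed. Overwriting it in local_rules.xml keeps the edit out of
     ossec_rules.xml, which is replaced on upgrade. Level 7 is an
     assumed value; anything above the configured email_alert_level
     produces e-mail, and the rule must be restarted into ossec-analysisd. -->
<group name="syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>

<!-- 2. /var/ossec/etc/shared/agent.conf on the OSSEC server.
     Agents pull this file from the server, so per-agent syscheck
     settings can be managed centrally instead of editing each
     agent's own ossec.conf. The os="Windows" block applies to every
     Windows agent; the name="win-agent-01" block applies only to the
     agent registered under that (hypothetical) name, which answers
     the "different directory on different agents" question above.
     alert_new_files makes syscheck emit the new-file event that rule
     554 matches; realtime="yes" reports changes as they happen instead
     of waiting for the next scheduled scan. -->
<agent_config os="Windows">
  <syscheck>
    <frequency>60</frequency>           <!-- constructed test value; seconds -->
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes" realtime="yes">C:\Test_TPS</directories>
  </syscheck>
</agent_config>

<agent_config name="win-agent-01">
  <syscheck>
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes" realtime="yes">C:\Test_TPS\payroll</directories>
  </syscheck>
</agent_config>
```

Two checks are worth doing after applying this: watch `/var/ossec/logs/ossec.log` on the agent for the syscheck startup line (as suggested in the thread, the first baseline scan must finish before any add/modify/delete can be reported), and grep `/var/ossec/logs/alerts/alerts.log` on the server for "Rule: 554" after dropping a test file into the monitored directory. If the alert appears there but no mail arrives, the problem is the `email_alert_level` or the `<email_alerts>` block, not syscheck.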
