Hi Hugo,

On Mon, Aug 8, 2011 at 11:33 AM, Hugo <[email protected]> wrote:
> Hi,
> I just tried syscheck to detect a modification in a directory. But
> I could not generate any logs. I installed ossec locally (I am not sure
> whether I should enable agentless or not). Here is what I am doing:

No, you do not need agentless for this.

> In the ossec.conf, I disable the email notification, active response;
> including every rule as in the sample ossec.conf; and then I add the

Why disable everything? ossec_rules.xml includes some syscheck rules.
You'll want at least that set.

> configuration for syscheck as follows
> <alerts>
>     <log_alert_level>1</log_alert_level>
>     <email_alert_level>8</email_alert_level>
>   </alerts>
>   <!-- Hugo Syscheck -->
>   <syscheck>
>         <frequency>10</frequency>

Unless you're watching a _very_ small directory, 10 seconds will not be
enough time between syscheck checks.

>         <directories
> check_all="yes">/home/hugo/experiment/ioztemp</directories>
>         <auto_ignore>no</auto_ignore>
>         <alert_new_files>yes</alert_new_files>

If you don't have any rules, you probably don't have a rule to take
advantage of the alert new files option.

>   </syscheck>
> Then I "ossec-control start" to start syscheck. I keep on watching ossec.log

ossec.log won't have alerts in it.

> in /logs and also the logs in the alerts directory. I add new files into my target
> directories, modify the files in those directories, but nothing shows up
> there. So I am wondering where I go wrong.

You disabled all of the rules, why would an alert be triggered?

It seems like you're trying to do something specific, and have
configured the system the way you think it needs to be to reach that
goal. Without knowing what your end goal is it'll be hard to help you
correctly configure your system or even determine whether OSSEC is the
right tool for the job.

> Best,
> Hugo
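For reference, a minimal configuration for what Hugo describes (an added example, not from the thread): the stock rule set stays loaded, the scan interval is sane, and local_rules.xml raises the new-file rule so alert_new_files actually produces something in alerts.log. The directory path and interval are placeholders; the rule 554 override follows OSSEC's documented local_rules.xml pattern.

```xml
<!-- /var/ossec/etc/ossec.conf (fragment): keep the shipped rules included -->
<ossec_config>
  <rules>
    <include>rules_config.xml</include>
    <include>ossec_rules.xml</include>   <!-- holds the syscheck rules, e.g. 550 (checksum changed), 554 (file added) -->
    <include>local_rules.xml</include>   <!-- local overrides, see below -->
  </rules>

  <alerts>
    <log_alert_level>1</log_alert_level> <!-- anything at level 1 or above is written to alerts.log -->
  </alerts>

  <syscheck>
    <!-- full scan interval in seconds; 10 is far too short for anything but a tiny tree -->
    <frequency>3600</frequency>
    <!-- realtime="yes" reports changes between scans via inotify on platforms that support it -->
    <directories check_all="yes" realtime="yes">/home/hugo/experiment/ioztemp</directories>
    <alert_new_files>yes</alert_new_files>
    <auto_ignore>no</auto_ignore>
  </syscheck>
</ossec_config>

<!-- /var/ossec/etc/rules/local_rules.xml: rule 554 is the shipped "file added" rule.
     It is level 0 by default, so alert_new_files logs nothing until the level is raised. -->
<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
```

After changing either file, run `ossec-control restart` and watch /var/ossec/logs/alerts/alerts.log, not ossec.log.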
