Hello all, I am having a few problems with the behaviour of OSSEC's new file alerting on Windows agents.
We are wanting to do real-time alerting of files being added to particular directories. However, I'm getting some slightly unexpected behaviour. I can get new file alerts on the manager, but in order to get them, I need to:

- Create the file
- Wait for syscheck to run
- Modify the file

I then get both a 'file creation' alert and a 'file modified' alert - the file creation alert is timestamped at the time the syscheck ran, and the modified alert at the time the file was modified. Unfortunately the directories we're trying to monitor for new files are never changed - only added to - so we are not getting any alerts.

I have enabled new file alerts in ossec.conf on the manager, and changed rule 554 in ossec_rules.xml to be level 7.

Here is the syscheck section from ossec.conf on the Agent:

    <syscheck>
      <disabled>no</disabled>
      <directories realtime="yes" check_all="yes">C:\MyDirToMonitor</directories>
      <auto_ignore>no</auto_ignore>
      <alert_new_files>yes</alert_new_files>
      <frequency>21600</frequency>
    </syscheck>

Is this expected behaviour? Any suggestions on how to make this work?

Many thanks,
Paul.
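The agent-side syscheck block quoted in the post is the kind of thing worth checking mechanically before chasing alert behaviour. The following is an added example, not code from the post or from the OSSEC project: it parses the <syscheck> settings with the Python standard library and lists the findings that matter for new-file alerting (whether syscheck is disabled, whether alert_new_files is set, the scheduled scan interval, and which directories carry realtime="yes"). The sample configuration is constructed from the block in the post; the helper names (parse_syscheck, review) are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the agent-side <syscheck> block quoted in the post.
SAMPLE_AGENT_CONF = """
<ossec_config>
  <syscheck>
    <disabled>no</disabled>
    <directories realtime="yes" check_all="yes">C:\\MyDirToMonitor</directories>
    <auto_ignore>no</auto_ignore>
    <alert_new_files>yes</alert_new_files>
    <frequency>21600</frequency>
  </syscheck>
</ossec_config>
"""


def _yes(value):
    """OSSEC booleans are the literal strings yes/no."""
    return (value or "").strip().lower() == "yes"


def parse_syscheck(conf_text):
    """Summarise every <syscheck> block found in an ossec.conf fragment.

    ossec.conf may contain several top-level <ossec_config> elements, which is
    not well-formed XML on its own, so the text is wrapped in a synthetic root.
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")
    summary = {"disabled": False, "alert_new_files": False,
               "frequency": None, "directories": []}
    for sc in root.iter("syscheck"):
        if _yes(sc.findtext("disabled")):
            summary["disabled"] = True
        if _yes(sc.findtext("alert_new_files")):
            summary["alert_new_files"] = True
        freq = sc.findtext("frequency")
        if freq is not None:
            summary["frequency"] = int(freq.strip())
        for d in sc.findall("directories"):
            # One <directories> element may list several comma-separated paths;
            # its attributes (realtime, check_all, ...) apply to all of them.
            for path in (d.text or "").split(","):
                path = path.strip()
                if path:
                    summary["directories"].append({
                        "path": path,
                        "realtime": _yes(d.get("realtime")),
                        "check_all": _yes(d.get("check_all")),
                    })
    return summary


def review(summary):
    """Return human-readable findings relevant to new-file alerting."""
    findings = []
    if summary["disabled"]:
        findings.append("syscheck is disabled; no file alerts will be produced")
    if not summary["alert_new_files"]:
        findings.append("alert_new_files is not 'yes'; the post enables it on the "
                        "manager alongside rule 554")
    if summary["frequency"] is not None:
        hours = summary["frequency"] / 3600
        findings.append(f"scheduled scan every {summary['frequency']}s ({hours:g} h); "
                        "a creation that only surfaces at scan time waits up to this long")
    if not summary["directories"]:
        findings.append("no <directories> entries; nothing is monitored")
    for d in summary["directories"]:
        if not d["realtime"]:
            findings.append(f"{d['path']}: realtime monitoring is off")
    return findings


if __name__ == "__main__":
    for line in review(parse_syscheck(SAMPLE_AGENT_CONF)):
        print(line)
```

Run against the quoted block, the only finding is the six-hour scan interval, which matches the observation in the post that the 'file creation' alert carries the timestamp of the scheduled scan rather than of the creation itself. Point the script at a real agent's ossec.conf to compare the manager's and agent's syscheck sections side by side.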