I followed the instructions, which say to add the following to local_rules.xml:

<rule id="554" level="10" overwrite="yes">
  <category>ossec</category>
  <decoded_as>syscheck_new_entry</decoded_as>
  <description>File added to the system.</description>
  <group>syscheck,</group>
</rule>

The <alert_new_files> entry should look something like this:

<syscheck>
  <frequency>7200</frequency>
  <alert_new_files>yes</alert_new_files>
  <directories check_all="yes">/etc,/bin,/sbin</directories>
</syscheck>

I then restarted the agent and server, but I never got any alerts.