Hi all, I'm new to the whole idea of using IDS and OSSEC. I've been trying to detect certain file creations or changes in real time, but I do not see them being reflected in the OSSEC web interface. OSSEC is being deployed in a local environment on Ubuntu 18.4.04 LTS. The rule I have for code creation is:

    <rule id="554" level="10" overwrite="yes">
      <category>ossec</category>
      <decoded_as>syscheck_new_entry</decoded_as>
      <description>File added to the system.</description>
      <group>syscheck,</group>
    </rule>
The rule works, as random file creation has been logged, but it does not work for the specific directories that I have specified. The code below lists the directories that I want to monitor. Even when I gave the attribute "realtime", it does not reflect in the logs when I changed it.

    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <auto_ignore>no</auto_ignore>
    <frequency>180</frequency>
    <alert_new_files>yes</alert_new_files>

    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot</directories>
    <directories report_changes="yes" realtime="yes" check_all="yes">/home/ubuntu/Downloads</directories>
    <directories report_changes="yes" realtime="yes" check_all="yes">/home/ubuntu/Desktop,/home/ubuntu</directories>
    <directories report_changes="yes" realtime="yes" check_all="yes">/home/ubuntu/Downloads/active.txt</directories>

Even when I force a scan by using the following command:

    /var/ossec/bin/agent_control -r -u 000

it does not work. For some reason, it keeps on stating:

    "INFO: Initializing real-time file monitoring (not started)."

I'm lost and I do not know what is wrong. Can anybody help me with this issue?
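A small troubleshooting helper for the situation described in this post, written here as an added example (it is not code from the post or from the OSSEC project). It parses the `<syscheck>` block quoted above, lists which entries carry `realtime="yes"`, reports entries that lie under another listed path (in this configuration `/home/ubuntu/Downloads/active.txt` sits under `/home/ubuntu/Downloads`, which in turn sits under `/home/ubuntu`), and classifies ossec.log lines about the real-time engine. The "(not started)" message is the one quoted in the post; the "Starting real time file monitoring" message it also looks for is an assumption about what `ossec-syscheckd` logs once the engine is actually running, so adjust that pattern to what your own ossec.log shows. The sample config and log lines are constructed for the example.

```python
"""Inspect an OSSEC <syscheck> block and ossec.log lines for real-time monitoring state."""
import re
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed sample: the <syscheck> entries from the post, wrapped in a root element.
SAMPLE_SYSCHECK = """<syscheck>
  <auto_ignore>no</auto_ignore>
  <frequency>180</frequency>
  <alert_new_files>yes</alert_new_files>
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin,/boot</directories>
  <directories report_changes="yes" realtime="yes" check_all="yes">/home/ubuntu/Downloads</directories>
  <directories report_changes="yes" realtime="yes" check_all="yes">/home/ubuntu/Desktop,/home/ubuntu</directories>
  <directories report_changes="yes" realtime="yes" check_all="yes">/home/ubuntu/Downloads/active.txt</directories>
</syscheck>"""

# Constructed sample log lines; only the "(not started)" text comes from the post.
SAMPLE_LOG = [
    "2020/06/10 10:00:01 ossec-syscheckd: INFO: Started (pid: 1234).",
    "2020/06/10 10:00:01 ossec-syscheckd: INFO: Initializing real-time file monitoring (not started).",
]

# Message logged at engine initialisation (quoted in the post).
LOG_INIT = re.compile(r"Initializing real[- ]time file monitoring \(not started\)")
# Assumed message logged once the engine is running; verify against your ossec.log.
LOG_STARTED = re.compile(r"Starting real[- ]time file monitoring")


def parse_entries(xml_text):
    """Return (path, attributes) tuples, one per comma-separated path in <directories>."""
    root = ET.fromstring(xml_text)
    entries = []
    for node in root.findall("directories"):
        for raw in (node.text or "").split(","):
            path = raw.strip()
            if path:
                entries.append((path, dict(node.attrib)))
    return entries


def realtime_paths(entries):
    """Paths whose <directories> element carries realtime="yes"."""
    return [path for path, attrs in entries if attrs.get("realtime") == "yes"]


def overlapping(entries):
    """(child, parent) pairs where one listed path lies beneath another listed path."""
    paths = [path for path, _ in entries]
    pairs = []
    for child in paths:
        for parent in paths:
            if child != parent and PurePosixPath(parent) in PurePosixPath(child).parents:
                pairs.append((child, parent))
    return pairs


def realtime_state(log_lines):
    """'started' once the engine reports running, 'initialized' if only the
    '(not started)' line was seen, 'absent' if neither message appears."""
    state = "absent"
    for line in log_lines:
        if LOG_STARTED.search(line):
            return "started"
        if LOG_INIT.search(line):
            state = "initialized"
    return state


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_SYSCHECK)
    print("realtime entries:", realtime_paths(entries))
    for child, parent in overlapping(entries):
        print(f"overlap: {child} is under {parent}")
    print("realtime engine state from log:", realtime_state(SAMPLE_LOG))
```

Run it against the real files by replacing the constructed samples with the contents of `/var/ossec/etc/ossec.conf` (the `<syscheck>` element only) and the lines of `/var/ossec/logs/ossec.log`; a state of `initialized` with no later `started` line means the engine was set up but has not reported running, which is the condition the post describes.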