
List:       ossec-list
Subject:    [ossec-list] OSSEC File Addition Alerting does not work
From:       parth12617 () gmail ! com
Date:       2015-06-30 15:02:42
Message-ID: 162c94fd-3bf2-4e5d-a59f-c3f1a5fea2a6 () googlegroups ! com


Hey,

I have set up an OSSEC server on a Kali Linux OS and an OSSEC agent on a
Windows 7 OS. My Windows agent config regarding syscheck looks like the
following:

<syscheck>
    <frequency>43200</frequency>
    <alert_new_files>yes</alert_new_files>
    <auto_ignore>no</auto_ignore>
    <disabled>no</disabled>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Prefetcher</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\Interface</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\TypeLib</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\MIME</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\Software</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\CLSID</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Watchdog</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaCategories</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\hivelist</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceCurrent</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Performance</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient</registry_ignore>
    <registry_ignore type="sregex">\Enum$</registry_ignore>
    <directories realtime="yes" check_all="yes">C:\.</directories>
    <directories realtime="yes" check_all="yes">D:\.</directories>
    <ignore type="sregex">.log$|.htm$|.png$|.chm$|.pnf$|.evtx$</ignore>
</syscheck>

My OSSEC server syscheck config on the Kali Linux box is as follows:

<syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>
    <alert_new_files>yes</alert_new_files>
    <auto_ignore>no</auto_ignore>
    <directories realtime="yes" check_all="yes">/root/Desktop,/etc,/usr/bin,/usr/sbin,/bin,/sbin,/var,/opt,/sys,/run,/proc,/lib,/dev,/lib64</directories>
</syscheck>

Under my local rules file I have the following rule for the file alert:

<rule id="554" level="6" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
</rule>

However, whenever I add a new file on my OSSEC server device or my Windows
device, it does not give any alert on the web UI of any file addition
message. If I check the syscheck database on the server, I see checksums for
all the new files on both systems, and those file entries start with
"+++", meaning that a new file has been detected. However, I do not receive
any alerts on my web UI.

I add a new file to the very first directory on both Windows and Kali Linux
and then restart both the server and the agent and check for the alerts, but
I do not receive any alert.
Please help me out.

-- 

--- 
You received this message because you are subscribed to the Google Groups \
"ossec-list" group. To unsubscribe from this group and stop receiving emails from it, \
send an email to ossec-list+unsubscribe@googlegroups.com. For more options, visit \
https://groups.google.com/d/optout.
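As an added example (not code from the post or from OSSEC itself): a small checker that parses the two configuration fragments the post shows, the manager's <syscheck> section and the local rule 554 override, and reports the config-level prerequisites that must hold before "File added to the system" can reach alerts.log and from there the web UI. The samples are constructed here, modelled on the post; the log_alert_level of 1 is OSSEC's stock default and is assumed rather than read from the page. The rule-side checks rest on the fact that the stock ossec_rules.xml ships rule 554 at level 0, which is why the override with overwrite="yes" matters.

```python
"""Check why OSSEC syscheck 'file added' alerts (rule 554) might stay silent.

Added example, not OSSEC's own code. It looks only at what is visible in the
config: alert_new_files on the manager, and whether rule 554 is overridden
locally with a level that is actually logged.
"""
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the manager-side <syscheck> section in the post.
MANAGER_SYSCHECK = """
<syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>
    <alert_new_files>yes</alert_new_files>
    <auto_ignore>no</auto_ignore>
    <directories realtime="yes" check_all="yes">/root/Desktop,/etc,/usr/bin</directories>
</syscheck>
"""

# Constructed sample, modelled on the local_rules.xml override in the post.
LOCAL_RULES = """
<group name="local,syscheck,">
  <rule id="554" level="6" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
"""

# Constructed sample: a local override that keeps level 0 and omits
# overwrite="yes"; both mistakes keep the alert silent.
BROKEN_RULES = """
<group name="local,syscheck,">
  <rule id="554" level="0">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
  </rule>
</group>
"""

DEFAULT_LOG_ALERT_LEVEL = 1  # stock <log_alert_level> in OSSEC's <alerts> section (assumed)


def parse_fragment(xml_text: str) -> ET.Element:
    """OSSEC config files may hold several top-level elements, so wrap them in a root."""
    return ET.fromstring("<root>" + xml_text + "</root>")


def syscheck_findings(syscheck_xml: str) -> list:
    """Prerequisites in the manager's <syscheck> block for new-file alerts."""
    root = parse_fragment(syscheck_xml)
    sc = root.find("syscheck")
    if sc is None:
        return ["no <syscheck> section found"]
    findings = []
    if (sc.findtext("disabled") or "no").strip() == "yes":
        findings.append("syscheck is disabled")
    if (sc.findtext("alert_new_files") or "no").strip() != "yes":
        findings.append("alert_new_files is not 'yes': new entries are written to the "
                        "syscheck db ('+++' lines) but rule 554 is never triggered")
    return findings


def rule_findings(rules_xml: str, log_alert_level: int = DEFAULT_LOG_ALERT_LEVEL) -> list:
    """Prerequisites in the rules for rule 554 to be logged at all."""
    root = parse_fragment(rules_xml)
    rule = next((r for r in root.iter("rule") if r.get("id") == "554"), None)
    findings = []
    if rule is None:
        # Stock ossec_rules.xml ships 554 at level 0, which is never alerted.
        findings.append("rule 554 is not overridden locally; the stock rule is level 0")
        return findings
    level = int(rule.get("level", "0"))
    if level < log_alert_level:
        findings.append(f"rule 554 level {level} is below log_alert_level {log_alert_level}")
    if rule.get("overwrite") != "yes":
        findings.append('rule 554 is redefined without overwrite="yes" (duplicate rule id)')
    return findings


def diagnose(syscheck_xml: str, rules_xml: str) -> list:
    """All config-visible reasons why 'File added to the system' would stay silent."""
    return syscheck_findings(syscheck_xml) + rule_findings(rules_xml)


if __name__ == "__main__":
    for label, rules in (("as posted", LOCAL_RULES), ("broken", BROKEN_RULES)):
        problems = diagnose(MANAGER_SYSCHECK, rules)
        print(f"{label}: " + ("; ".join(problems) if problems else "no config-level blocker found"))
```

Run against the post's own fragments the checker reports nothing, which is the useful result: the visible configuration is not what blocks the alert, so the next thing to confirm is whether the rule fires at all by reading the manager's alerts.log directly rather than the web UI, which only displays what lands in that file.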

