ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

3.7 doesn't have new file alerts #2117

Open xmysdsb opened 3 months ago

xmysdsb commented 3 months ago

I used ossec_server_3.7 and ossec_agent_windows_3.7. Agent computer: Windows 11. The question I meet: it can't create a new file alert. What I have learned is to use alert_new_files and overwrite rule 554. I did so, but nothing happened. As follows is my configuration:

300 no yes D:\downloads

2:

ossec syscheck_new_entry File added to the system. syscheck,

How to solve it? Asking for help!

atomicturtle commented 3 months ago

That frequency might be too low, I'm assuming that's what your 300 is? That might not be finishing a scan before it's stopped and restarted. Also you might want to check out the realtime option. Last tip, use / instead of \ since if you end a path with \ it will break the XML.
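As an added example (not taken from this thread or from the OSSEC project files), this is how the pieces discussed above fit together: the `alert_new_files` switch is read by the manager's analysisd, the monitored directory is declared on the agent with a forward-slash path and `realtime` enabled as suggested, and rule 554 is raised from level 0 so the new-file event is actually written to alerts.log. Paths assume a default /var/ossec install on the server and the stock rule 554 definition; the level 7 and the directory are constructed sample values.

```xml
<!-- 1. Server: /var/ossec/etc/ossec.conf, inside <ossec_config>.
     alert_new_files is evaluated by analysisd on the manager, not by the agent. -->
<syscheck>
  <frequency>79200</frequency>
  <alert_new_files>yes</alert_new_files>
</syscheck>

<!-- 2. Agent: ossec.conf on the Windows host (or agent.conf pushed from the server).
     Forward slashes avoid the trailing-backslash XML problem; realtime reports
     additions as they happen instead of waiting for the next scheduled scan. -->
<syscheck>
  <frequency>79200</frequency>
  <directories check_all="yes" realtime="yes">D:/downloads</directories>
</syscheck>

<!-- 3. Server: /var/ossec/rules/local_rules.xml.
     Stock rule 554 (syscheck_new_entry) is level 0, so it never reaches alerts.log;
     overwrite it with a non-zero level. Restart the manager afterwards. -->
<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
```

After restarting both sides, a file dropped into D:/downloads should produce a rule 554 entry in /var/ossec/logs/alerts/alerts.log rather than only "file was deleted" events.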

xmysdsb commented 3 months ago

Hello. I have already tried it and waited for some time. As far as I can see, it's still not generating new file alerts. I download new files in D:\downloads and observe the ossec.log. I saw "WARN: Error opening directory: 'D:/downloads/statistical-review-of-world-energy-2023.pdf.crdownload': No such file or directory" (this is my new file).

In another aspect, using "cat ./......../alerts.log | grep "downloads"" or 554 on the server, there is just the news about "file was deleted".