Evereyone

[Adebabay]

Could we add new files to monitor(FIM) in ossec 3.6 open sourse???

[cponton]

Yes! You will need to vim into /var/ossec/etc/ossec.conf and modify the file to include what directories you would like to watch:

<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin,/boot</directories>

[Adebabay]

This is default directories(C directory in windows ), but I want to add new directories or folders (D)

<directories report_changes="yes" realtime="yes" check_all="yes">D:/logo</directories>

Is this possible??

[cponton]

OSSEC supports sending diffs when changes are made to text files on Linux and unix systems.

Configuring syscheck to show diffs is simple, add report_changes="yes" to the <directories option. For example:

<syscheck>
<directories report_changes="yes" check_all="yes">/etc</directories>
<directories check_all="yes">/bin,/sbin</directories>
</syscheck>

Note
Report Changes can only work with text files, and the changes are stored on the agent inside /var/ossec/queue/diff/local/dir/file.

If OSSEC has not been compiled with libmagic support, report_changes will copy any file designated, e.g. mp3, iso, executable, /chroot/dev/urandom (which would fill your hard drive). So unless libmagic is used, be very careful on which directory you enable report_changes.