Posted: Thu Jun 10, 2021 3:49 am
Could we add new files to monitor (FIM) in OSSEC 3.6 open source?
Posted: Thu Jun 10, 2021 9:11 am
Yes! You will need to open /var/ossec/etc/ossec.conf in vim and modify the file to include which directories you would like to watch:
<!-- Directories to check (perform all possible verifications) -->
Posted: Mon Jun 14, 2021 2:49 am
These are the default directories (the C: directory on Windows), but I want to add new directories or folders (D:):
<directories report_changes="yes" realtime="yes" check_all="yes">D:/logo</directories>
Is this possible?
Posted: Mon Jun 14, 2021 8:16 am
OSSEC supports sending diffs when changes are made to text files on Linux and Unix systems.
Configuring syscheck to show diffs is simple: add report_changes="yes" to the <directories> option. For example:
<directories report_changes="yes" check_all="yes">/etc</directories>
report_changes can only work with text files, and the changes are stored on the agent inside /var/ossec/queue/diff/local/dir/file.
If OSSEC has not been compiled with libmagic support, report_changes will copy any file designated, e.g. mp3, iso, executable, /chroot/dev/urandom (which would fill your hard drive). So unless libmagic is used, be very careful about which directories you enable report_changes on.
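As an added example (not from this thread and not OSSEC's own code), a small Python check that pulls every syscheck <directories> entry out of an ossec.conf, including a Windows D:/logo entry like the one above, and flags report_changes on drive roots or device paths such as the /chroot/dev/urandom case. The sample config is constructed, and the multi-root wrapping and the risky-path heuristic are assumptions of mine.

```python
"""Lint the syscheck (FIM) <directories> entries of an OSSEC ossec.conf.

Hypothetical helper, not part of OSSEC. ossec.conf commonly contains several
top-level <ossec_config> blocks, which is not well-formed XML, so the text is
wrapped in a synthetic root element before parsing.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the thread's /etc example plus a Windows agent section.
SAMPLE_CONF = """<ossec_config>
  <syscheck>
    <!-- Directories to check (perform all possible verifications) -->
    <directories report_changes="yes" check_all="yes">/etc,/usr/bin</directories>
  </syscheck>
</ossec_config>
<ossec_config>
  <syscheck>
    <directories report_changes="yes" realtime="yes" check_all="yes">D:/logo</directories>
    <directories report_changes="yes" check_all="yes">D:\\</directories>
    <directories report_changes="yes">/chroot/dev/urandom</directories>
  </syscheck>
</ossec_config>
"""

# Path components that usually hold device or kernel pseudo-files (heuristic).
DEVICE_COMPONENTS = {"dev", "proc", "sys"}


def parse_syscheck_dirs(conf_text):
    """Return one dict per watched path: {'path': ..., plus the tag attributes}."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    entries = []
    for block in root.findall("ossec_config"):
        for directories in block.iter("directories"):
            # One <directories> tag may list several comma-separated paths.
            for path in (directories.text or "").split(","):
                if path.strip():
                    entries.append({"path": path.strip(), **directories.attrib})
    return entries


def is_drive_root(path):
    """True for '/', 'C:\\', 'D:/' and similar whole-volume paths."""
    p = path.replace("\\", "/").rstrip("/")
    return p == "" or (len(p) == 2 and p[1] == ":")


def lint(entries):
    """Paths where report_changes would copy an entire volume or device files."""
    flagged = []
    for e in entries:
        if e.get("report_changes", "no").lower() != "yes":
            continue
        parts = set(e["path"].replace("\\", "/").split("/"))
        if is_drive_root(e["path"]) or parts & DEVICE_COMPONENTS:
            flagged.append(e["path"])
    return flagged
```

Running lint(parse_syscheck_dirs(open("/var/ossec/etc/ossec.conf").read())) on a real agent lists the entries worth reviewing before enabling report_changes.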