Rule 553 (syscheck file deletion) is not triggering

Support/Development for OSSEC
nikashelia
New Forum User
New Forum User
Posts: 1
Joined: Tue Sep 13, 2022 5:48 am

Rule 553 (syscheck file deletion) is not triggering

Unread post by nikashelia »

Hello, I am trying to use OSSEC primarily as a syscheck tool for agentless devices.
All of the rules seemingly work (addition of file, modification, etc) but it seems that file deletion is not detected in alerts.
How do I enable this feature? is it enabled by default on installation similar to how other rules were? (new file, modification).
I do not use realtime as I am trying to create a fully agentless environment.
User avatar
cponton
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 61
Joined: Fri Oct 09, 2020 9:41 am

Re: Rule 553 (syscheck file deletion) is not triggering

Unread post by cponton »

Hello!

Please see this doc for agentless configuration https://docs.atomicorp.com/AEO/agentles ... =agentless
You will probably want to change the conf for <state>periodic</state> to <state>periodic_diff</state>
Post Reply