SDP recently set up a small OSSEC install: about 10 Linux servers and 2 Windows servers, all reporting back to one Linux server. One of the goals of this installation was to provide notification of any new files created on the system, and of modified or deleted files in specific directories. After looking through the options, OSSEC was chosen because it advertises the right feature set and it’s an open source project.
Per the documentation we were able to find, to generate alerts on new files the line below should be added inside the <syscheck> section of ossec.conf on the server.
<alert_new_files>yes</alert_new_files>
After adding this and restarting we were still not receiving any alerts for new file creations. We added the above line to the ossec.conf on all the agent computers as well. This had no effect on the notifications. So more digging… and we found that in the ossec_rules.xml file the default new file rule (554) has a level of 0, which means it gets suppressed: level 0 is OSSEC’s "ignore" level, so a matching event never becomes an alert.
<rule id="554" level="0">
  <category>ossec</category>
  <decoded_as>syscheck_new_entry</decoded_as>
  <description>File added to the system.</description>
  <group>syscheck,</group>
</rule>
So how do you modify OSSEC so that new file alerts are raised at a level higher than 0? local_rules.xml, that’s how. Add the XML snippet below to the local_rules.xml file on the server (inside its existing <group> element), restart the ossec agent, and alerts for new file creations should start being generated. The <if_sid>554</if_sid> line makes rule 100003 fire whenever the default rule 554 matches, so the event takes on the child rule’s level instead of 0. In this install we have email notification enabled for any events with a level of 7 or higher, so setting the level on the rule below to 7 has the end result of generating an email notification for any new files appearing in our targeted directories.
<rule id="100003" level="7">
  <if_sid>554</if_sid>
  <description>New file added to the system</description>
</rule>
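As an added check (example code written for this post, not part of OSSEC), the script below parses rule fragments like the two above, follows the if_sid chain from rule 554 to the local override, and reports whether a new-file event reaches the level-7 email threshold. The XML strings and the email_level parameter are constructed for the example.

```python
import xml.etree.ElementTree as ET
# Constructed rule fragments mirroring the snippets in this post, not real files.
# (A real OSSEC rule file may hold several top-level <group> elements; wrap it in one root first.)
OSSEC_RULES = """<group name="syscheck,">
  <rule id="554" level="0">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>"""

LOCAL_RULES = """<group name="local,syslog,">
  <rule id="100003" level="7">
    <if_sid>554</if_sid>
    <description>New file added to the system</description>
  </rule>
</group>"""

def load_rules(*xml_docs):
    """Map rule id -> (level, decoded_as, if_sid parent) across rule files."""
    rules = {}
    for doc in xml_docs:
        for rule in ET.fromstring(doc).iter("rule"):
            rules[rule.get("id")] = (int(rule.get("level")),
                                     rule.findtext("decoded_as"),
                                     rule.findtext("if_sid"))
    return rules

def effective_level(rules, decoded_as):
    """Start at the rule matching the decoder, then follow if_sid children that override it."""
    base = [rid for rid, (_, dec, _) in rules.items() if dec == decoded_as]
    if not base:
        return None
    current, seen = base[0], {base[0]}
    level = rules[current][0]
    while True:
        children = [rid for rid, (_, _, parent) in rules.items()
                    if parent == current and rid not in seen]
        if not children:
            return level
        current = children[0]
        seen.add(current)
        level = rules[current][0]  # child rule's level replaces the parent's

def will_email(rules, decoded_as, email_level=7):
    """True when the effective level reaches the server's email alert threshold."""
    level = effective_level(rules, decoded_as)
    return level is not None and level >= email_level
```

Running it with only OSSEC_RULES gives an effective level of 0 (no email); adding LOCAL_RULES raises it to 7.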
After a good bit of research we were unable to find a clear example of this. Hopefully you’ll find this helpful in your OSSEC endeavors.