Showing posts from March, 2017

Experience in folder monitoring with OSSEC

Today I had some work related to folder monitoring. In my solution I selected OSSEC with ELK. I spent 5 hours troubleshooting OSSEC :)). This is the first time I have configured it.

You can use syscheck for folder monitoring. Reference in: and

To monitor file edits and deletions you can use syscheck with realtime monitoring. But to monitor files being added, you need to:

Add to local_rules.xml:

Edit ossec.conf:

The main problem is: you must edit ossec.conf on the server (in my case Wazuh), not on the Windows client.

The second problem: after the integrity of a file changes more than 3 times, OSSEC disables the alert. You must set auto_ignore to no in syscheck (on the server).

This is my result:

Thanks for reading
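As an added example (not the post's own snippets, which are not shown above), this is the manager-side configuration the post describes: a local_rules.xml override that raises the built-in rule 554 ("File added to the system", level 0 by default, so it never alerts) to an alerting level, and the syscheck section of the manager's ossec.conf with alert_new_files and auto_ignore set. The rule level, scan frequency and the monitored path are assumptions.

```xml
<!-- File 1: local_rules.xml on the OSSEC/Wazuh manager.
     Rule 554 ships at level 0 (no alert); overwrite it so new files alert.
     Level 7 is an assumption; pick what your alerting threshold needs. -->
<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>

<!-- File 2: ossec.conf on the manager, syscheck section.
     alert_new_files and auto_ignore are read by the manager, which is why
     setting them in the Windows agent's ossec.conf has no effect. -->
<ossec_config>
  <syscheck>
    <frequency>3600</frequency>                 <!-- full scan interval, assumed -->
    <alert_new_files>yes</alert_new_files>      <!-- report file additions, not only changes -->
    <auto_ignore>no</auto_ignore>               <!-- keep alerting after the 3rd change -->
    <!-- Example path (assumption). For an agent, the directories list belongs in
         the agent's own ossec.conf or in a centralized agent.conf. -->
    <directories check_all="yes" realtime="yes" report_changes="yes">C:\monitored</directories>
  </syscheck>
</ossec_config>
```

After editing either file, restart the manager so the rule override and syscheck options are reloaded.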