


Wazuh can help you monitor folder access in Windows systems by collecting logs from the Audit object access group policy.

Monitor folder access: Windows configuration

Open your Windows Local Group Policy Editor and navigate to Audit Policy. There are different audit policies you can enable; the one you are looking for is Audit object access:

Now you need to add it to each folder for which you want to be notified. To do so, locate the file or folder you want to audit in Windows Explorer, right-click it and select Properties, then go to Security > Advanced:

Click on the Auditing tab and add the rule to monitor user actions:

At this point, whenever a user accesses the folder, Windows will log it under event ID 4663:

Wazuh configuration

Wazuh agent

By default, event ID 4663 is configured not to be collected. You need to edit the Security eventchannel localfile in your C:\Program Files (x86)\ossec-agent\nf file. After removing the negation of this EventID value, your localfile should look like the following:

Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and

Note: You can also use centralized configuration to apply this change to a group of agents.

The last part involves adding rules for this EventID to our critical folders and alerting us whenever a user accesses them out of office hours. Edit /var/ossec/etc/rules/local_rules.xml and add this:

C:\\\\Critical_Folder|C:\\\\Critical_Folder2

Basic check: Check that a file or folder matching a name exists

Note that I used an asterisk wildcard in the path in order to simulate the temporary folders of the application; they all start with the same name but have a different ending.

$ /usr/lib/nagios/plugins/check_nrpe -H windowsserver -c check_files -a "file=C:\Program Files\Application\tmp\claudio*"

Indeed, there was one file found (my folder "claudiotest").

$ /usr/lib/nagios/plugins/check_nrpe -H windowsserver -c check_files -a "file=C:\Program Files\Application\tmp\claudiooo*"

No surprise, nothing was found with that name.

Advanced check: Check if file age is older than 15min (=900s)

So here I had to add filters to limit my search result. I only wanted to have results matching the filename (C:\Program Files\Application\tmp\claudio*) and an age older than 15 minutes:

$ /usr/lib/nagios/plugins/check_nrpe -H windowsserver -c check_files -a "file=C:\Program Files\Application\tmp\claudio*" "filter=age>900"

So far so good, but it should not be OK; it should WARN that the application is probably hanging. For this the "warn" argument must be used:

$ /usr/lib/nagios/plugins/check_nrpe -H windowsserver -c check_files -a "file=C:\Program Files\Application\tmp\claudio*" "filter=age>900" "warn=count>0"
WARNING: 1/1 files (claudiotest)|'count'=1 0 0

This means: as soon as the check finds at least one file matching the filename whose age is older than 15min, it will return a warning.

What if the file or directory does not exist?

But I faced one more issue. When no such directories exist (which can happen), I got an UNKNOWN return code (3):

$ /usr/lib/nagios/plugins/check_nrpe -H windowsserver -c check_files -a "file=C:\Program Files\Application\tmp\claudiooo*" "filter=age>900" "warn=count>0"; echo $?

This means that in Icinga this would be shown as an UNKNOWN alert, which should not be the case. But this can be solved with the parameter "empty-state".
