Experience in folder monitoring with OSSEC
Today I had some work related to folder monitoring. For my solution I chose OSSEC with ELK. I spent 5 hours troubleshooting OSSEC. :)) This is the first time I have configured it.
You can use syscheck for folder monitoring. References: http://ossec-docs.readthedocs.io/en/latest/faq/syscheck.html and http://ossec-docs.readthedocs.io/en/latest/manual/syscheck/
To monitor file edits and deletes, you can use syscheck with realtime monitoring.
But to monitor files being added, you need to:
Add to local_rules.xml:
Edit ossec.conf:
The main problem is that you must edit ossec.conf on the server (in my case Wazuh), not on the Windows client.
The second problem: after a file's integrity changes more than 3 times, OSSEC stops alerting on it. You must set auto_ignore to no in syscheck (on the server).
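As an added example (not code from the original post or from the OSSEC/Wazuh project), here is a small Python checker that parses the server-side ossec.conf and local_rules.xml and reports whether the settings discussed above are in place: realtime on the monitored directory (edits and deletes), alert_new_files set to yes (added files), auto_ignore set to no (alerts keep coming after the third change), and a local override that raises rule 554 (OSSEC's default level-0 "File added to the system" rule) to an alerting level. The two sample ossec.conf fragments, the local_rules.xml fragment and the C:\Shared\Reports path are constructed for the example; the element names, rule id 554 and the syscheck_new_entry decoder are OSSEC's own.

```python
"""Audit an OSSEC/Wazuh server-side ossec.conf and local_rules.xml for the
settings needed to alert on files added, edited or deleted in a folder."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: monitors a folder but will miss added files and will
# stop alerting on a file after its third change.
WEAK_CONF = r"""<ossec_config>
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">C:\Shared\Reports</directories>
  </syscheck>
</ossec_config>"""

# Constructed sample: the same block with the three fixes applied.
FIXED_CONF = r"""<ossec_config>
  <syscheck>
    <frequency>79200</frequency>
    <alert_new_files>yes</alert_new_files>
    <auto_ignore>no</auto_ignore>
    <directories check_all="yes" realtime="yes">C:\Shared\Reports</directories>
  </syscheck>
</ossec_config>"""

# Constructed sample local_rules.xml: overrides OSSEC's rule 554, which is
# level 0 (silent) by default, so that "File added" produces an alert.
LOCAL_RULES = """<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>"""


def _parse_multi_root(text):
    """ossec.conf may hold several top-level <ossec_config> blocks, which is not
    well-formed XML; drop any XML declaration and wrap them in a synthetic root."""
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    return ET.fromstring("<root>" + text + "</root>")


def audit_syscheck(conf_text):
    """Return a list of findings; an empty list means the syscheck block is complete."""
    root = _parse_multi_root(conf_text)
    syschecks = root.findall(".//syscheck")
    if not syschecks:
        return ["no <syscheck> block found"]
    findings = []

    dirs = [d for s in syschecks for d in s.findall("directories")]
    if not dirs:
        findings.append("no <directories> entries: nothing is monitored")
    elif not any(d.get("realtime") == "yes" for d in dirs):
        findings.append('no <directories> entry has realtime="yes": edits and '
                        "deletes are only seen at the next scheduled scan")

    def setting(tag):
        # Last occurrence wins, mirroring how later blocks override earlier ones.
        vals = [s.findtext(tag) for s in syschecks if s.find(tag) is not None]
        return vals[-1].strip().lower() if vals else None

    if setting("alert_new_files") != "yes":
        findings.append("<alert_new_files> is not 'yes': added files are not reported")
    if setting("auto_ignore") != "no":
        findings.append("<auto_ignore> is not 'no': a file changed more than "
                        "3 times stops generating alerts")
    return findings


def rule_554_level(rules_text):
    """Return the level local_rules.xml assigns to rule 554 via an overwrite,
    or None if the default (level 0, no alert) is still in effect."""
    root = _parse_multi_root(rules_text)
    for rule in root.iter("rule"):
        if rule.get("id") == "554" and rule.get("overwrite") == "yes":
            return int(rule.get("level", "0"))
    return None


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, "->", audit_syscheck(conf) or "OK")
    print("rule 554 level:", rule_554_level(LOCAL_RULES))
```

Run it against the real files with `audit_syscheck(open("/var/ossec/etc/ossec.conf").read())` on the server; every finding it prints corresponds to one of the symptoms described above (no alert on new files, or alerts that stop after the third change).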
This is my result:
----------------------------------------------------------
Thanks for reading
--------------------------------------------------------------------------
Security Research
SecurityLab - Linux Lab -- Window and Cisco Lab
to be continued - I will update more.
Nam Habach