I have an OSSEC server and Agent installed and configured. I have imported the key to the Agent and they appear to be communicating. However, I am trying test the file integrity monitoring feature and I am not receiving alerts.
I followed: https://blog.wazuh.com/configure-ossec-to-report-changes-in-the-content-of-a-text-file/ but there are no folders in /var/ossec/queue/diff/ (I waited for a while per the instructions)
I can see the Agent is sending alerts in the alert.log on the Server, but it is mainly random messages 'Login session closed', 'Login session opened', etc. but that is it.
Possibly related, I also tried to restart the agent remotely using /var/ossec/bin/agent_control -R agent_id, which appears to execute successfully on the manager, but the ossec.log on the Agent does not show a restart.
I just want to see it doing its thing. Is alerts.log the only way? Everything seems a little unresponsive.
UPDATE: I can see the sudo to root execution when I edit the file in /test (from the link above), so it must be in communicado. Also, it is alerting on ssh login failures. Real-time monitoring is enabled, I set the frequency to 30 seconds, the log alert level is set to 1, and the server and agent have been restarted.
<email_notification>yes</email_notification>
in ossec.conf? Also need MTA like sendmail configured.