Hi Francesco. A good way to achieve this is to monitor the command "hostname", adding the following lines to ossec.conf:
<localfile>
  <!-- Run "hostname" every 3600 seconds -->
  <log_format>command</log_format>
  <command>hostname</command>
  <frequency>3600</frequency>
</localfile>

Then, create a rule like this one, as a child of rule 530 (about OSSEC command monitoring), with the option <check_diff />, in order to be alerted only when the hostname changes:

<rule id="100002" level="3">
  <if_sid>530</if_sid>
  <match>output: 'hostname':</match>
  <!-- Compare with the previous output; alert only on a change -->
  <check_diff />
  <description>Hostname changed</description>
</rule>

Kind regards.
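Added example (not part of the original message, and not OSSEC code): a small Python model of how the rule above behaves on a stream of command-monitoring events. It assumes that check_diff keeps the last matched output per agent and raises nothing on the first run, when there is no baseline yet; the agent names and event lines are constructed.

```python
import re

# Constructed sample events as (agent, log line). The line format is the one the
# "command" log format emits: ossec: output: '<command>': <one line of output>
SAMPLE_EVENTS = [
    ("agent-a", "ossec: output: 'hostname': web01"),          # first run: baseline only
    ("agent-b", "ossec: output: 'hostname': db01"),           # other agent, own baseline
    ("agent-a", "ossec: output: 'hostname': web01"),          # unchanged
    ("agent-a", "ossec: output: 'df -P': /dev/sda1 91% /"),   # other command, not matched
    ("agent-a", "ossec: output: 'hostname': web01-renamed"),  # changed
    ("agent-b", "ossec: output: 'hostname': db01"),           # unchanged
]

PARENT_530 = re.compile(r"^ossec: output: ")  # what parent rule 530 keys on
CHILD_MATCH = "output: 'hostname':"           # <match> from rule 100002


class HostnameDiffRule:
    """Model of rule 100002: alert only when the output differs from the last one."""

    def __init__(self):
        # Assumption: state is kept per agent, so agents never diff against each other.
        self.last_seen = {}

    def evaluate(self, agent, event):
        if not PARENT_530.search(event) or CHILD_MATCH not in event:
            return None
        current = event.split(CHILD_MATCH, 1)[1].strip()
        previous = self.last_seen.get(agent)
        self.last_seen[agent] = current
        if previous is None or previous == current:
            return None  # no baseline yet, or nothing changed
        return {"rule_id": 100002, "level": 3, "agent": agent,
                "description": "Hostname changed",
                "previous": previous, "current": current}


def run(events):
    """Feed events through the rule in order and collect the alerts it raises."""
    rule = HostnameDiffRule()
    alerts = [rule.evaluate(agent, line) for agent, line in events]
    return [a for a in alerts if a is not None]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

With a frequency of 3600, a change is noticed on the next hourly run, so a hostname that is changed and reverted between two runs raises no alert.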