Guys, first of all thank you both for taking the time to answer my question, you're awesome!
I should have been clearer though... 99% of my agents are Windows-based, so I think Victor's solution would be more appropriate. My bad, I forgot to specify the OS version :)

Again, thank you very much to both of you!

Frank

On Monday, 6 June 2016 at 09:59:28 UTC+2, Victor Fernandez wrote:
> Hi Francesco.
>
> A good way to achieve this is to monitor the command "hostname", adding
> the following lines to ossec.conf:
>
> <localfile>
>   <log_format>command</log_format>
>   <command>hostname</command>
>   <frequency>3600</frequency>
> </localfile>
>
> Then, create a rule like this one, as child of rule 530 (about OSSEC
> command monitoring), with the option <check_diff />, in order to be
> alerted only when the hostname changes:
>
> <rule id="100002" level="3">
>   <if_sid>530</if_sid>
>   <match>output: 'hostname':</match>
>   <check_diff />
>   <description>Hostname changed</description>
> </rule>
>
> Kind regards.
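The alert-on-change behaviour that the quoted rule gets from `<check_diff />`, modelled as an added Python example (not part of the thread and not OSSEC's own code). The function name, agent IDs and hostnames are constructed, and the model assumes the previous output is kept per agent and that the first observation only seeds the baseline.

```python
import re

# Shape of the log line produced for <log_format>command</log_format>:
#   ossec: output: '<command>': <one line of output>
EVENT_RE = re.compile(r"^ossec: output: '(?P<cmd>[^']+)': ?(?P<out>.*)$")


def hostname_changes(events, command="hostname"):
    """Return (agent, old, new) for every change in the command's output.

    events: iterable of (agent_id, raw_log_line) in arrival order.
    Hypothetical helper: a simplified model of check_diff, not OSSEC code.
    """
    last_seen = {}   # agent_id -> last output seen for this command
    alerts = []
    for agent, line in events:
        m = EVENT_RE.match(line.strip())
        if not m or m.group("cmd") != command:
            continue                      # other monitored commands are ignored
        current = m.group("out").strip()
        previous = last_seen.get(agent)
        # Assumption: the first observation seeds the baseline, no alert.
        if previous is not None and previous != current:
            alerts.append((agent, previous, current))
        last_seen[agent] = current
    return alerts


# Constructed sample events (agent IDs and hostnames are made up).
SAMPLE_EVENTS = [
    ("001", "ossec: output: 'hostname': WS-HR-01"),
    ("002", "ossec: output: 'hostname': WS-FINANCE-01"),
    ("001", "ossec: output: 'netstat -an': TCP 0.0.0.0:135 LISTENING"),
    ("001", "ossec: output: 'hostname': WS-HR-01"),       # unchanged
    ("002", "ossec: output: 'hostname': WS-TEMP-77"),     # changed
    ("003", "ossec: output: 'hostname': WS-LAB-09"),      # first time seen
]

if __name__ == "__main__":
    for agent, old, new in hostname_changes(SAMPLE_EVENTS):
        print(f"agent {agent}: hostname changed {old} -> {new}")
```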