Hi Andreas, enable the "logall" option in ossec.conf. You will see all the events in /var/ossec/logs/archives/archives.log. Syscheck events look like: "Integrity checksum changed for: '/path1/path2/path3/file.ext'". So, you could create a rule like:

  <rule id="100001" level="0">
    <if_group>syscheck</if_group>
    <match>for: '/etc</match>
    <description>Syscheck: /etc alert</description>
  </rule>

Regards.

On Friday, July 1, 2016 at 8:21:54 PM UTC+2, Andreas Piesk wrote:
>
> On 29.06.2016 at 20:30, dan (ddp) wrote:
> > On Wed, Jun 29, 2016 at 1:59 PM, Andreas Piesk <a.p...@gmx.net> wrote:
> >> Hello list,
> >>
> >> is it possible to use OSSEC as FIM to check system files and application
> >> files with separate notifications?
> >>
> >> Changed system files should be reported to email address 1, changed
> >> application files to email address 2.
> >>
> >> Any ideas are appreciated.
> >>
> >
> > You can probably create child rules to alert on system files, and then
> > use the granular email options to send those alerts to a different
> > email.
> > A lot of it would probably revolve around how you define system vs
> > application files.
> >
>
> I define it by location, /etc, /usr/, etc. belongs to system, /app would
> be application.
>
> I tried something like that:
>
> <rule id="100002" level="15">
>   <if_matched_group>syscheck</if_matched_group>
>   <match>/etc</match>
>   <description>System object has changed!</description>
>   <group>syscheck_system</group>
> </rule>
>
> <rule id="100002" level="15">
>   <if_matched_group>syscheck</if_matched_group>
>   <match>/app</match>
>   <description>App object has changed!</description>
>   <group>syscheck_app1</group>
> </rule>
>
> <!-- alert for system events -->
> <email_alerts>
>   <email_to>ma...@foo.bar</email_to>
>   <group>syscheck_system</group>
>   <do_not_delay />
>   <do_not_group />
> </email_alerts>
>
> <!-- alert for syscheck events for application objects -->
> <email_alerts>
>   <email_to>ma...@foo.bar</email_to>
>   <group>syscheck_app1</group>
> </email_alerts>
>
> But it doesn't seem to work, I don't get any alerts, hmmpf.
>
> Regards.
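Putting the reply's advice together with the original split-notification goal, here is a complete version of the two configuration fragments. This is an added example, not code from the list or from OSSEC's shipped rules; it assumes default OSSEC settings (email_alert_level 7, so rule level 10 is enough to trigger mail), that granular email is enabled in <global>, and it uses placeholder addresses.

```xml
<!-- local_rules.xml: child rules of the syscheck group.
     Each rule has its own unique id (the original post reused 100002
     twice). Anchoring on "for: '" pins the match to the start of the
     changed path, so /app/etc/... does not trip the system rule. -->
<group name="local,syscheck,">

  <rule id="100001" level="10">
    <if_group>syscheck</if_group>
    <!-- OSSEC <match> is a substring match; | acts as OR -->
    <match>for: '/etc|for: '/usr</match>
    <description>Syscheck: system file changed</description>
    <group>syscheck_system,</group>
  </rule>

  <rule id="100002" level="10">
    <if_group>syscheck</if_group>
    <match>for: '/app</match>
    <description>Syscheck: application file changed</description>
    <group>syscheck_app1,</group>
  </rule>

</group>

<!-- ossec.conf: one granular email block per rule group.
     Assumes <email_notification>yes</email_notification> is set in
     <global>. Addresses are placeholders. -->
<ossec_config>
  <email_alerts>
    <email_to>sysadmin@example.invalid</email_to>
    <group>syscheck_system</group>
    <do_not_delay />
    <do_not_group />
  </email_alerts>

  <email_alerts>
    <email_to>appteam@example.invalid</email_to>
    <group>syscheck_app1</group>
  </email_alerts>
</ossec_config>
```

Only the "Integrity checksum changed for:" message carries the for: ' prefix; events for added or deleted files are worded differently, so check their exact text in archives.log (with logall on) before relying on a single pattern.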