Hi Jesus,

This is a file which I am using on my lab server for testing. The
same sha1sum messages are coming for monitored files, hence we were
planning to suppress any alerts with only sha1sum changes.


Thanks
Kumar

On 18-Apr-2017 17:39, "Jesus Linares" <je...@wazuh.com> wrote:

> Hi Kumar,
>
> What is the */home/sysuser/message* directory? It looks like a syslog
> file, so you shouldn't configure syscheck in that directory.
>
> I hope it helps.
> Regards.
>
> On Monday, April 17, 2017 at 5:09:15 PM UTC+2, Kumar G wrote:
>>
>> Hi Team,
>>
>> In our ossec environment we are getting lots of sha1sum alerts (even
>> though it's not configured) that are irrelevant to us. Is there any way
>> to suppress these alerts?
>>
>> ** Alert 1491577582.15621: mail  - ossec,syscheck,
>>
>> 2017 Apr 07 10:06:22 inssys01->syscheck
>>
>> Rule: 550 (level 7) -> 'Integrity checksum changed.'
>>
>> Integrity checksum changed for: '/home/sysuser/message'
>>
>> Old sha1sum was: '1e8e7937157db3ec01ad59dea488b4a9febf49f7'
>>
>> New sha1sum is : 'xxx'
>>
>>
>>
>> ** Alert 1491577958.15840: mail  - ossec,syscheck,
>>
>> 2017 Apr 07 10:12:38 inssys01->syscheck
>>
>> Rule: 550 (level 7) -> 'Integrity checksum changed.'
>>
>> Integrity checksum changed for: '/home/sysuser/message'
>>
>> Old sha1sum was: 'xxx'
>>
>> New sha1sum is : '1e8e7937157db3ec01ad59dea488b4a9febf49f7'
>>
>> Since the integrity checksum sometimes has other FIM checks also
>> alerted, we need to suppress only when the sha1sum alerts are
>> triggered.
>>
>>
>> Will we be able to accomplish this with the help of decoders / rules
>> addition?
>>
>>
>>
>> Thanks
>> Kumar
>>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
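
The condition asked about in this thread (suppress only when sha1sum is the sole reported change), as an added example that is not from the thread or from OSSEC itself: a Python filter over alert text in the layout quoted above, applied after OSSEC has written the alert, not as a rule or decoder. The names `parse_alerts` and `triage`, the second sample alert and its "Size changed" wording are assumptions; any line the parser does not recognise keeps the alert.

```python
import re

# Constructed sample: first alert copied from the thread, second is invented.
SAMPLE = """\
** Alert 1491577582.15621: mail  - ossec,syscheck,
2017 Apr 07 10:06:22 inssys01->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/home/sysuser/message'
Old sha1sum was: '1e8e7937157db3ec01ad59dea488b4a9febf49f7'
New sha1sum is : 'xxx'

** Alert 1491577999.16000: mail  - ossec,syscheck,
2017 Apr 07 10:13:19 inssys01->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/example.conf'
Size changed from '10' to '12'
Old sha1sum was: 'cccc'
New sha1sum is : 'dddd'
"""

HEADER = re.compile(r"^\*\* Alert (\S+):")
PATH = re.compile(r"^Integrity checksum changed for: '(.*)'$")
OLD = re.compile(r"^Old (\w+) was: '")
NEW = re.compile(r"^New \w+ is ?: '")

def parse_alerts(text):
    """Split alert text into dicts: id, monitored path, set of changed fields."""
    alerts, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            cur = {"id": m.group(1), "path": None, "changed": set()}
            alerts.append(cur)
        elif cur is None or not line:
            continue
        elif cur["path"] is None:
            m = PATH.match(line)  # skip timestamp/rule lines before the path
            if m:
                cur["path"] = m.group(1)
        elif (m := OLD.match(line)):
            cur["changed"].add(m.group(1))
        elif not NEW.match(line):
            cur["changed"].add("unrecognized")  # unknown detail: never suppress
    return alerts

def triage(text):
    """Return (keep, suppressed); suppressed = sha1sum is the only change."""
    keep, suppressed = [], []
    for alert in parse_alerts(text):
        (suppressed if alert["changed"] == {"sha1sum"} else keep).append(alert)
    return keep, suppressed
```
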
