[ossec-list] Re: monitor hostname changes

2016-06-06 Thread Francesco Raimondi
Guys, 

first of all thank you both for taking the time to answer my question, 
you're awesome!

I should have been clearer though... 99% of my agents are Windows-based, so 
I think Victor's solution would be more appropriate. My bad, I forgot to 
specify the OS version :)

Again, thank you very much to both of you!

Frank

On Monday, June 6, 2016 at 09:59:28 UTC+2, Victor Fernandez wrote:
>
> Hi Francesco.
>
> A good way to achieve this is to monitor the command "hostname", adding 
> the following lines to ossec.conf:
>
> <localfile>
>   <log_format>command</log_format>
>   <command>hostname</command>
>   <frequency>3600</frequency>
> </localfile>
>
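> Then, create a rule like this one, as child of rule 530 (about OSSEC 
> command monitoring), with the option <check_diff />, in order to be 
> alerted only when the hostname changes:
>
> <!-- placeholder id and level; pick an unused local rule id -->
> <rule id="100001" level="7">
>   <if_sid>530</if_sid>
>   <match>output: 'hostname':</match>
>   <check_diff />
>   <description>Hostname changed</description>
> </rule>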
>
> Kind regards.
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] Re: monitor hostname changes

2016-06-06 Thread Victor Fernandez
Hi Francesco.

A good way to achieve this is to monitor the command "hostname", adding the 
following lines to ossec.conf:

<localfile>
  <log_format>command</log_format>
  <command>hostname</command>
  <frequency>3600</frequency>
</localfile>


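Then, create a rule like this one, as child of rule 530 (about OSSEC 
command monitoring), with the option <check_diff />, in order to be alerted 
only when the hostname changes:

<!-- placeholder id and level; pick an unused local rule id -->
<rule id="100001" level="7">
  <if_sid>530</if_sid>
  <match>output: 'hostname':</match>
  <check_diff />
  <description>Hostname changed</description>
</rule>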


Kind regards.

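The behaviour the command monitor and the check_diff rule above give you, as an added example that is not part of the original thread and not OSSEC's own code: a simplified Python model replayed over constructed events. The class and function names, the rule id 100001, the agent names and the hostnames are assumptions made for illustration.

```python
# Simplified model of check_diff alerting; not OSSEC source code.
import re

# Shape of the event built from one line of a monitored command's output.
EVENT_RE = re.compile(r"^ossec: output: '(?P<cmd>[^']+)':\s*(?P<out>.*)$", re.S)


class CheckDiffRule:
    """Child-of-530 style rule: match a command prefix, alert on changed output."""

    def __init__(self, rule_id, command):
        self.rule_id = rule_id  # placeholder id, not taken from the thread
        self.command = command
        self.last = {}  # agent name -> last output seen (state kept per agent)

    def process(self, agent, event):
        m = EVENT_RE.match(event)
        if not m or m.group("cmd") != self.command:
            return None  # other command output: this rule does not apply
        current = m.group("out").strip()
        previous = self.last.get(agent)
        self.last[agent] = current
        if previous is None or previous == current:
            return None  # first observation is the baseline; same output is quiet
        return {"rule": self.rule_id, "agent": agent,
                "previous": previous, "current": current}


def replay(events, rule):
    """Feed (agent, event) pairs through the rule and collect the alerts."""
    alerts = []
    for agent, event in events:
        alert = rule.process(agent, event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events, one per run of the monitored command.
SAMPLE_EVENTS = [
    ("agent-a", "ossec: output: 'hostname': WIN-FILE01"),
    ("agent-b", "ossec: output: 'hostname': WIN-DB01"),
    ("agent-a", "ossec: output: 'hostname': WIN-FILE01"),
    ("agent-a", "ossec: output: 'netstat -an': TCP 0.0.0.0:445 LISTENING"),
    ("agent-a", "ossec: output: 'hostname': WIN-TEMP99"),
    ("agent-b", "ossec: output: 'hostname': WIN-DB01"),
]

if __name__ == "__main__":
    for a in replay(SAMPLE_EVENTS, CheckDiffRule(100001, "hostname")):
        print(a)
```

With a frequency of 3600 the command runs at most once an hour, so a rename can go unnoticed for up to an hour, and a name that is changed and reverted between two runs produces no alert.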


[ossec-list] Re: monitor hostname changes

2016-06-06 Thread Jesus Linares
Hi Francesco,

you can use syscheck to monitor the "hostname files": /etc/hosts, 
/etc/hostname, etc.

Also, you can use commands to execute the "hostname" command and compare it 
with the previous hostname using the option *check_diff*. Check out the 
documentation: 
http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.localfile.html

Regards.

On Sunday, June 5, 2016 at 7:18:35 PM UTC+2, Francesco Raimondi wrote:
>
> Greetings,
> can ossec monitor hostname modification? I didn't find any rules, nor do I 
> have an idea on how to create one that does it.
>
> Any help or hint into the right direction would be greatly appreciated
> Frank
>
