Hi,
Please can you assist
Is it possible to get OSSEC to send alerts as soon as a file gets
changed? This file was changed at 16h05 but the alert only came through
at 17h27
<snip>
ls -al /etc/group
-rw-r--r-- 1 root root 986 2009-05-26 16:05 /etc/group
</snip>
Regards,
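An added example, not from this thread, of the syscheck settings on the OSSEC side that make a change alert arrive right away instead of at the next scheduled scan; it assumes an OSSEC build with inotify support, and the directory and interval values are assumptions:

```xml
<!-- Added example, not from the thread. The directory and frequency are
     assumed values; realtime="yes" requires an OSSEC build with inotify. -->
<ossec_config>
  <syscheck>
    <!-- Interval of the full periodic scan, in seconds. OSSEC's default is
         79200 (about 22 hours), which is why a change can sit unreported
         for a long time when only periodic scanning is in use. -->
    <frequency>3600</frequency>

    <!-- realtime="yes" makes syscheckd watch the directory through inotify
         and raise the alert as soon as a file in it changes, instead of
         waiting for the next scheduled scan. -->
    <directories check_all="yes" realtime="yes">/etc</directories>
  </syscheck>
</ossec_config>
```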
Here is a clip of the ossec.conf on that server:
<localfile>
  <location>System</location>
  <log_format>eventlog</log_format>
</localfile>
<localfile>
  <location>C:\WINDOWS\system32\dhcp\DhcpSrvLog-Sat.log</location>
  <log_format>syslog</log_format>
</localfile>
<localfile>
I'm using an older version of centos, and I do not believe inotify is
available. I installed the inotify-tools package. I modified the
syscheckd code to use the inotify.h (and inotify-nosys.h) that come
with inotify-tools, but that wasn't enough. I get the ERROR: Unable
to initialize inotify
Hey,
If you enabled active-response during the install it should block brute force
attacks automatically (just like denyhosts and fail2ban).
As far as nginx, I never used so I can't give more information...
However, if it logs
in the same format as apache (NCSA), ossec should handle it fine.
I think you should. I received an email alert for one of my agentless
systems (dd-wrt on soho router) last night when /etc/resolv.conf
changed.
dan
On Thu, May 28, 2009 at 12:04 PM, Derrick Farmer dfar...@vertek.com wrote:
Daniel,
Thank you. I think I have it working now and I understand
Installed the snapshot on my ossec server, restarted the ossec service on the
windows server that is running dhcp too, results in log from windows server:
2009/05/28 13:46:15 ossec-execd(1350): INFO: Active response disabled. Exiting.
2009/05/28 13:46:15 ossec-agent(1410): INFO: Reading
I really appreciate having that confirmed -- thanks. I did enable
active-response.
About nginx, if its logs are in the same format location as apache's
(which I think is the case), would I need to do anything else?
Just to clarify my last question...
You said that ossec should handle nginx fine if its logs are the same
format as apache (and I think they are)... so what I meant to ask in my
last message is, given this assumption about the format, did you mean
that ossec would then handle the nginx logs