[ossec-list] Real time monitoring hidden files or hidden folder

2017-03-20 Thread jingxuan.sun via ossec-list
Recently, we have been trying to use OSSEC to monitor ~/.ssh/authorized_key in real time. But it seems it only works with the periodic system integrity check, not in real time. I checked the /var/ossec/queue/diff folder, and it recorded all the changes under that folder, but since .ssh is a hidden

[ossec-list] OSSEC real-time monitoring with hidden files

2017-03-20 Thread jingxuan.sun via ossec-list
Recently, we have been trying to use OSSEC to monitor the file ~/.ssh/authorized_key in real time, but it seems it can only detect changes via syscheck, not in real time. I checked the /var/ossec/queue/diff folder, and it recorded all the changes, but because the .ssh folder is hidden, I can not get real-time

[ossec-list] Modify rules

2017-03-20 Thread The Dude
I am new to ossec and I am trying to figure out the best way to change a rule. In the ossec.conf it says this > > > host-deny > local > 6 > 600 > I am assuming the level it is referring to is the level set in the rule.xml. So the sshd_rules.xml has this

[ossec-list] Re: Modify rules

2017-03-20 Thread Victor Fernandez
Hi, You have some options to achieve this: One of them is to increase the rule level. Changing the value in the original rule would work, but I'd recommend creating a new rule (in the file *local_rules.xml*), adding the attribute overwrite="yes" and changing the rule level: 5700
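An illustration of the overwrite approach described in the reply above, added here as an example and not taken from the thread or from the OSSEC project's own files. The rule id (5710), the original level (5), the new level (10) and the match conditions are assumptions for the example: with overwrite="yes" OSSEC replaces the whole rule, so the body of the rule you override (if_sid, match, description, group) has to be copied from your own copy of sshd_rules.xml, otherwise the rule no longer matches anything.

```xml
<!-- /var/ossec/rules/local_rules.xml (added example; rule body is an assumption,
     copy the real one from your own sshd_rules.xml) -->
<group name="local,syslog,">

  <!-- Override the sshd "invalid user" rule so it fires at level 10 instead of 5.
       Everything except the level is reproduced from the assumed original rule,
       because overwrite="yes" replaces the rule rather than patching one field. -->
  <rule id="5710" level="10" overwrite="yes">
    <if_sid>5700</if_sid>
    <match>illegal user|invalid user</match>
    <description>Attempt to login using a non-existent user (level raised locally)</description>
    <group>invalid_login,authentication_failed,</group>
  </rule>

</group>
```

With the active-response block quoted in the question (command host-deny, level 6), any rule whose level is at or above 6 triggers the block, so raising this rule from 5 to 10 is enough to make the host-deny response fire without editing sshd_rules.xml, which an upgrade would overwrite. Restart OSSEC after the change and confirm with a sample log line in /var/ossec/bin/ossec-logtest that the rule still matches and reports the new level.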