Thank you very much Peter M. Abraham for the feedback!
the situation is a little be more complicated... There are backup-images (DiskDump / dd available, taken immediately after installation (and several others taken later when the system was already in use). At this point of time OSSEC was/ist not installed. Question: Is it possible to loopback-mount such dd-images, write an OSSEC rule and have OSSEC compared it with the actual system state (OSSEC is now installed and does monitor) ? Thank's a lot for any feedback! John Peter M. Abraham schrieb: > Greetings John: > > If there are log files on the systems for which you would deploy ossec > which keep that information, yes, ossec can monitor it. > > Thank you. >
