Hi Alex,

I don't think PCI requires that. Can you point where it says that? In addition
to that, I don't think there is any tool that can guarantee the integrity of a
log file (specially via syslog)...

However, as soon as the log is written, ossec reads them and forwards
to a remote
system (the ossec server), where the event is stored/analyzed in a (hopefully)
safer place. So, even if one system is hacked, the logs are still safe in the
ossec server.

In addition to that, as an extra precaution, the agent will alert if
the size of a log
file is reduced or the file is rotated during monitoring... An alert
will look like:

2009 Feb 08 18:31:15 brrkey->ossec-logcollector
Rule: 591 (level 3) -> 'Log file rotated.'
ossec: File rotated (inode changed): '/var/log/messages'.


Daniel B. Cid
dcid ( at ) ossec.net

On Thu, Jan 29, 2009 at 1:12 PM, Alex Alexiou <aalex...@targetsite.com> wrote:
> Hi,
> I have been exploring ossec for use in a PCI environment. One of the
> requirements that we've been given is file-integrity checking for log files,
> which I'm not sure ossec can do; I'm assuming it does not put log files into
> the default integrity-checking options because they change size by
> definition. I did read about log file signing, but it appears that this
> would only work with old logs. I tested this by altering the current
> /var/log/secure log of a machine with the ossec agent, and it didn't seem to
> notice anything in particular amiss. Anyone know if there's any way to do
> this in ossec, or do I need to use a separate tool such as syslog-ng for
> this?

Reply via email to