Hi everyone,

In my OSSEC test setup I tried to trigger an alert for downsizing a logfile. I
chose /var/log/secure; I opened it in vim and manually deleted some lines.
When scanning happened I started receiving lots of errors that have nothing to do
with the lines I removed; it seems that OSSEC treated the file as a new
file.... or something like that, and sent alerts for each line it found in
/var/log/secure.
The lines I removed were:

rsyslogd: -- MARK --
rsyslogd: -- MARK --
rsyslogd: -- MARK --
rsyslogd: -- MARK --

The messages received were like:

OSSEC HIDS Notification.
2010 May 25 16:37:34

Received From: (client1) 10.5.5.204->/var/log/secure
Rule: 5902 fired (level 8) -> "New user added to the system"
Portion of the log(s):

2010-02-09T11:06:18.260151+02:00 localhost useradd[17911]: new user: name=apache, UID=81, GID=81, home=/var/www, shell=/sbin/nologin

 --END OF NOTIFICATION

The events above, about the new user apache, are indeed in the secure logfile;
is this normal OSSEC behaviour or am I missing something?

Thanks,
Adi
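A small simulation of the behaviour described in the post, added here as an illustration and not taken from OSSEC's own source: an offset-based log follower that starts at the end of an existing file, reads only appended lines on each poll, and, when it sees the file shrink below the offset it last read to, assumes the file was truncated or rewritten and re-reads it from the beginning. Re-reading from the beginning is exactly what makes old events such as the useradd line fire again. The sample log lines, the file name under a temporary directory, the Tailer class and the rule regex are all constructed for this example and do not come from OSSEC.

```python
import os
import re
import tempfile

# Constructed sample of a /var/log/secure-style file (not real log data).
SAMPLE_LINES = [
    "2010-02-09T11:06:18.260151+02:00 localhost useradd[17911]: new user: "
    "name=apache, UID=81, GID=81, home=/var/www, shell=/sbin/nologin",
    "2010-02-09T11:26:18+02:00 localhost rsyslogd: -- MARK --",
    "2010-02-09T11:46:18+02:00 localhost rsyslogd: -- MARK --",
    "2010-02-09T12:06:18+02:00 localhost sshd[2233]: Accepted publickey for adi "
    "from 10.5.5.10 port 51234 ssh2",
]
APPENDED_LINE = ("2010-05-25T16:30:01+02:00 localhost sshd[2290]: Failed password "
                 "for invalid user test from 10.5.5.11 port 51240 ssh2")

# Hypothetical stand-in for a "new user added" rule (OSSEC's real rule 5902 is
# defined in its rule XML, not by this regex).
NEW_USER_RE = re.compile(r"useradd\[\d+\]: new user:")


class Tailer:
    """Offset-based log follower modelled on how a HIDS log collector reads files.

    On start it positions itself at the current end of the file, so pre-existing
    lines are never reported. Each poll returns only the bytes added since the
    last poll. If the file is now smaller than the last offset, the file is
    assumed truncated or rewritten and is read again from byte 0.
    """

    def __init__(self, path):
        self.path = path
        self.offset = os.path.getsize(path)
        self.truncations = 0

    def poll(self):
        size = os.path.getsize(self.path)
        if size < self.offset:
            # File shrank: a truncation or an in-place edit that removed lines.
            self.truncations += 1
            self.offset = 0
        with open(self.path, "rb") as fh:
            fh.seek(self.offset)
            data = fh.read()
            self.offset = fh.tell()
        return [ln for ln in data.decode("utf-8").splitlines() if ln]


def alerts_for(lines):
    """Lines that would trigger the constructed 'new user' rule."""
    return [ln for ln in lines if NEW_USER_RE.search(ln)]


def simulate():
    """Start following, append one line, then delete the MARK lines; report counts."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "secure")
        with open(path, "w") as fh:
            fh.write("\n".join(SAMPLE_LINES) + "\n")

        tailer = Tailer(path)
        after_start = tailer.poll()          # nothing new yet

        with open(path, "a") as fh:          # normal growth: one new event
            fh.write(APPENDED_LINE + "\n")
        after_append = tailer.poll()

        # Editor-style rewrite that drops the MARK lines and keeps the rest.
        kept = [ln for ln in SAMPLE_LINES if "MARK" not in ln] + [APPENDED_LINE]
        with open(path, "w") as fh:
            fh.write("\n".join(kept) + "\n")
        after_edit = tailer.poll()           # file shrank -> full re-read

        return {
            "after_start": len(after_start),
            "after_append": len(after_append),
            "after_edit": len(after_edit),
            "truncations": tailer.truncations,
            "new_user_alerts_after_edit": len(alerts_for(after_edit)),
        }


if __name__ == "__main__":
    print(simulate())
```

After the edit, the follower reports every remaining line, including the old useradd event, even though only the MARK lines were removed. The check is deliberately size-based, so an edit that leaves the file at or above the old offset (for example replacing lines with ones of the same length) would not be noticed by this model and would instead be read as a garbled tail.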
