Yes! You're right. It seems that indeed the inode is changed when I use vim to edit a file.... nano does not do this! I was not thinking of that, although now it seems obvious, because I knew that editing the content of a file will not modify the inode... looks like vim is "special" this way...
Thanks,
Adi

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Tuesday, May 25, 2010 7:29 PM
To: [email protected]
Subject: Re: [ossec-list] deleting lines in logfile secure

Did the inode location of the file change after deleting the lines?

On Tue, May 25, 2010 at 11:06 AM, Adi CHIRU <[email protected]> wrote:
> Hi everyone,
>
> In my OSSEC test setup I tried to trigger an alert for downsizing a logfile.
> I chose /var/log/secure; I opened it in vim and manually deleted some
> lines.
>
> When scanning happened I started receiving lots of errors that have nothing to
> do with the lines I removed; it seems that OSSEC treated the file as a new
> file, or something like that, and sent alerts for each line it found in
> the /var/log/secure.
>
> The lines I removed were:
>
> rsyslogd: -- MARK --
> rsyslogd: -- MARK --
> rsyslogd: -- MARK --
> rsyslogd: -- MARK --
>
> The messages received were like:
>
> OSSEC HIDS Notification.
> 2010 May 25 16:37:34
>
> Received From: (client1) 10.5.5.204->/var/log/secure
> Rule: 5902 fired (level 8) -> "New user added to the system"
> Portion of the log(s):
>
> 2010-02-09T11:06:18.260151+02:00 localhost useradd[17911]: new user:
> name=apache, UID=81, GID=81, home=/var/www, shell=/sbin/nologin
>
> --END OF NOTIFICATION
>
> The events above, about the new user apache, are indeed in the secure
> logfile.
>
> Is this normal OSSEC behaviour or am I missing something?
>
> Thanks,
> Adi
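The point of the thread, shown in code. This is an added example written for this page, not code from the list posters or from the OSSEC project. It models a log tailer that keys on the inode the way a HIDS log collector does, and runs it against a constructed copy of /var/log/secure edited two ways: rewritten in place (same inode, which is how nano saves) and written to a temporary file that is then renamed over the original (new inode, which is what vim does with its default backupcopy=auto). The tailer's policy is an assumption made here: a file it has not seen before is picked up at its end, a file that shrinks under the same inode is reopened at its end, and a file whose inode changed is read from offset 0, which is the behaviour that replays every old line, including the useradd event from the thread. The sample log lines other than the useradd line are constructed.

```python
"""Added example: an inode-keyed log tailer run against two editing strategies.

Not OSSEC's code. The policy below (start at end; on shrink with same inode
reopen at end; on inode change read from the beginning) is this example's own
assumption about how a collector treats a replaced file.
"""
import os
import shutil
import tempfile

# Constructed sample log; the useradd line is the one quoted in the thread.
SAMPLE_LOG = (
    "2010-02-09T11:06:18.260151+02:00 localhost useradd[17911]: new user: "
    "name=apache, UID=81, GID=81, home=/var/www, shell=/sbin/nologin\n"
    "2010-05-25T15:00:00.000000+02:00 localhost rsyslogd: -- MARK --\n"
    "2010-05-25T15:20:00.000000+02:00 localhost rsyslogd: -- MARK --\n"
    "2010-05-25T15:40:00.000000+02:00 localhost sshd[2201]: "
    "Accepted publickey for adi from 10.5.5.10 port 51234 ssh2\n"
)


class InodeTailer:
    """Tracks (inode, offset) for one file and returns lines added since last poll."""

    def __init__(self, path):
        self.path = path
        self.inode = None
        self.offset = 0
        self.events = []  # what the tailer decided on each poll, for inspection

    def poll(self):
        st = os.stat(self.path)
        if self.inode is None:
            # First sighting: position at the end so existing entries are not replayed.
            self.inode, self.offset = st.st_ino, st.st_size
            self.events.append("opened")
            return []
        if st.st_ino != self.inode:
            # A different inode means a different file: treat it as new, read from 0.
            # This is the case that replays every line and fires alerts for all of them.
            self.inode, self.offset = st.st_ino, 0
            self.events.append("new-inode")
        elif st.st_size < self.offset:
            # Same inode but shorter: the file was truncated in place. Reopen at end.
            self.offset = st.st_size
            self.events.append("truncated")
        with open(self.path, "rb") as fh:
            fh.seek(self.offset)
            data = fh.read()
            self.offset = fh.tell()
        return [line.decode() for line in data.splitlines()]


def drop_lines(path, needle, strategy):
    """Remove every line containing `needle`, writing back with one of two strategies."""
    with open(path, "rb") as fh:
        kept = [l for l in fh.read().splitlines(keepends=True) if needle.encode() not in l]
    if strategy == "in_place":
        # nano-style: truncate and rewrite the same inode.
        with open(path, "wb") as fh:
            fh.write(b"".join(kept))
    elif strategy == "rename":
        # vim-style (backupcopy=auto/no): write a new file, rename it over the old one.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"".join(kept))
        os.replace(tmp, path)
    else:
        raise ValueError(strategy)


def run_scenario(strategy):
    """Create the sample log, start tailing, remove the MARK lines, poll again."""
    workdir = tempfile.mkdtemp()
    try:
        path = os.path.join(workdir, "secure")
        with open(path, "wb") as fh:
            fh.write(SAMPLE_LOG.encode())
        tailer = InodeTailer(path)
        tailer.poll()  # first sighting, positioned at end of file
        inode_before = tailer.inode
        drop_lines(path, "-- MARK --", strategy)
        replayed = tailer.poll()
        return {
            "inode_changed": os.stat(path).st_ino != inode_before,
            "events": list(tailer.events),
            "replayed": replayed,
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for strategy in ("in_place", "rename"):
        print(strategy, run_scenario(strategy))
```

Running it shows the in-place edit leaving the inode alone and replaying nothing, while the rename edit changes the inode and hands back every surviving line, the useradd entry among them. Two practical caveats: `stat -c %i /var/log/secure` before and after an edit is the quick way to check which case you are in on a real box, and vim's behaviour is governed by its backupcopy option (with `set backupcopy=yes` it overwrites the original in place and the inode survives), so the same editor can produce either outcome depending on its configuration.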
