There's a rule for when a log is rotated, so I'm guessing it might
fire if the log file was cleared.
If the log file is modified and it changes inodes, OSSEC may start over
with the file. If it doesn't change inodes, I don't think any alerts
will happen.
Some kind of "file got smaller" syscheck alert might be useful.

On Thu, Sep 2, 2010 at 6:27 PM, jplee3 <[email protected]> wrote:
> Hey all,
>
> I need syscheck to monitor for if a log file was tampered with (zeroed
> out or modified/edited). Right now it seems that if you have syscheck
> monitor a log file for this purpose, it will generate tons of 'false
> positives' because log files are pretty dynamically changed/rotated.
>
> Any way to have OSSEC check if someone was trying to edit the file
> though?
>
> Thanks!
> jeremy

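As an added example (not code from this thread and not part of OSSEC), here is the "file got smaller" check the reply suggests, extended to tell a rotation (new inode behind the same name) apart from an in-place edit (same inode, not shorter, but bytes already seen have changed). Python 3 standard library only; the log lines and file names are constructed, and demo() walks one file through append, edit, truncate and rotate.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

@dataclass(frozen=True)
class LogState:
    inode: int
    size: int
    digest: str  # sha256 of the whole file at snapshot time

def snapshot(path):
    st = os.stat(path)
    with open(path, "rb") as fh:
        return LogState(st.st_ino, st.st_size, hashlib.sha256(fh.read()).hexdigest())

def classify_change(prev, path):
    """Compare the file now at `path` with its earlier snapshot."""
    st = os.stat(path)
    if st.st_ino != prev.inode:
        return "rotated"    # new file behind the same name; OSSEC would start over
    if st.st_size < prev.size:
        return "truncated"  # same inode, shorter: zeroed out or cut down in place
    with open(path, "rb") as fh:
        head = hashlib.sha256(fh.read(prev.size)).hexdigest()
    if head != prev.digest:
        return "edited"     # same inode, not shorter, but bytes already seen changed
    return "appended" if st.st_size > prev.size else "unchanged"

def demo():
    events = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "auth.log")
        with open(path, "w") as fh:  # constructed sample lines
            fh.write("Sep  2 18:27:01 host sshd[100]: Accepted publickey for ops\n")
        state = snapshot(path)
        with open(path, "a") as fh:  # normal logging: append only
            fh.write("Sep  2 18:27:05 host sshd[101]: Failed password for root\n")
        events.append(classify_change(state, path)); state = snapshot(path)
        with open(path, "rb") as fh:  # in-place edit: same length, same inode
            data = fh.read().replace(b"root", b"bob ")
        with open(path, "wb") as fh:
            fh.write(data)
        events.append(classify_change(state, path)); state = snapshot(path)
        open(path, "w").close()  # zeroed out
        events.append(classify_change(state, path)); state = snapshot(path)
        os.rename(path, path + ".1")  # rotation: a new inode behind the same name
        open(path, "w").close()
        events.append(classify_change(state, path))
    return events
```

A size-only rule would miss the "edited" case, which is why the prefix digest is kept alongside the inode and size.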