This is something that has been asked for a few times, but I don't fully understand the use case for this feature. Could you explain your need for syscheck monitoring of log files? Thank you,

Sent from my iPhone

On Sep 3, 2010, at 1:23 PM, jplee3 <[email protected]> wrote:

> Thanks Dan... is there a "got smaller" syscheck alert? Or, if I wanted
> to venture into adding something of my own, is there a file where the syscheck
> parameters live? I checked ossec_rules and I see references to
> "decoded as", however when I look at the decoder.xml, I don't see
> anything regarding "syscheck".
>
> On Sep 2, 6:52 pm, "dan (ddp)" <[email protected]> wrote:
>> There's a rule for when a log is rotated, so I'm guessing it might
>> fire if the log file was cleared.
>> If the logfile is modified and it changes inodes ossec may start over
>> with the file. If it doesn't change inodes I don't think any alerts
>> will happen.
>> Some kind of "file got smaller" syscheck alert might be useful.
>>
>> On Thu, Sep 2, 2010 at 6:27 PM, jplee3 <[email protected]> wrote:
>>> Hey all,
>>>
>>> I need syscheck to monitor for if a log file was tampered with (zeroed
>>> out or modified/edited). Right now it seems that if you have syscheck
>>> monitor a log file for this purpose, it will generate tons of 'false
>>> positives' because log files are pretty dynamically changed/rotated.
>>>
>>> Any way to have OSSEC check if someone was trying to edit the file
>>> though?
>>>
>>> Thanks!
>>> jeremy
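To make the inode/size distinction from dan's reply concrete, here is an added example (not OSSEC code and not from anyone in the thread) that tells the benign cases apart from the tampering cases jeremy wants alerts for: a rotation changes the inode, normal logging grows the file without touching earlier bytes, while a zeroed-out or edited-in-place log keeps its inode but shrinks or rewrites bytes it already had. The function names, the 4096-byte prefix and the sample log lines are all constructed for this illustration.

```python
import hashlib
import os
import tempfile

PREFIX_LEN = 4096  # leading bytes hashed to detect in-place edits

def snapshot(path):
    """Record (inode, size, sha256 of leading bytes, number of bytes hashed)."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        head = fh.read(PREFIX_LEN)
    return (st.st_ino, st.st_size, hashlib.sha256(head).hexdigest(), len(head))

def classify(prev, path):
    """Compare the file now against a previous snapshot and name the change."""
    inode, size, prefix_hash, prefix_len = prev
    st = os.stat(path)
    if st.st_ino != inode:
        return "rotated"      # new inode: rotation replaced the file (expected)
    if st.st_size < size:
        return "truncated"    # same inode, got smaller: zeroed out or cut (alert)
    with open(path, "rb") as fh:
        head = fh.read(prefix_len)
    if hashlib.sha256(head).hexdigest() != prefix_hash:
        return "edited"       # same inode, earlier bytes rewritten in place (alert)
    return "appended" if st.st_size > size else "unchanged"

def demo():
    """Constructed scenario: append, edit in place, zero out, then rotate."""
    path = os.path.join(tempfile.mkdtemp(), "auth.log")
    with open(path, "wb") as fh:
        fh.write(b"Sep  3 12:00:01 host sshd[100]: Accepted publickey for ops\n")
    results, prev = [], snapshot(path)
    with open(path, "ab") as fh:                       # normal logging
        fh.write(b"Sep  3 12:00:05 host sudo: ops : COMMAND=/bin/ls\n")
    results.append(classify(prev, path)); prev = snapshot(path)
    with open(path, "r+b") as fh:                      # rewrite leading bytes
        fh.write(b"XXX")
    results.append(classify(prev, path)); prev = snapshot(path)
    os.truncate(path, 0)                               # zero the log out
    results.append(classify(prev, path)); prev = snapshot(path)
    tmp = path + ".new"
    with open(tmp, "wb") as fh:
        fh.write(b"fresh\n")
    os.replace(tmp, path)                              # rotation: new inode
    results.append(classify(prev, path))
    return results

if __name__ == "__main__":
    print(demo())
```

Only "truncated" and "edited" would warrant an alert; "rotated" and "appended" are the routine changes that otherwise flood a plain checksum-based syscheck with false positives.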
