Thanks for the info. BTW: is there a certain rule that would do this? The only reservation I would have about this is if we're dealing with files that contain keys that are never/rarely supposed to change where the keys are not supposed to be replicated around or in plain view. It seems that OSSEC already creates a copy of the file.
So if I get an email alert detailing the changes, and the change happened to be of the actual key, for example, a copy of that key will now exist in my email. Am I missing something here? I guess there are certain things that probably aren't a good idea to report changes on in certain scenarios.

On Dec 6, 1:54 pm, Joe Gedeon <[email protected]> wrote:
> If you have a rule set up to alert when files are changed the changes
> will also be shown in the alert.
>
> On Mon, Dec 6, 2010 at 16:17, jplee3 <[email protected]> wrote:
> > Hey guys,
> >
> > Is there a specific command or flag in agent_control or
> > syscheck_control that will display the actual changes to a file where
> > report_changes was set to "yes" ?
> >
> > Or do I just have to go into the "/var/ossec/queue/diff/local/*"
> > directory and view the changed files myself?
> >
> > Thanks!
>
> --
> Registered Linux User # 379282
