Like many folks, I'm using OSSEC to support PCI requirements. I'm very, very pleased with OSSEC and it has automated many things more efficiently than our previous, more manual methods. There's one PCI requirement that I haven't found a way to address with OSSEC: monitoring log files for truncation.
PCI Requirement 10.5.5: Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

Perhaps this is a new feature request, but it would be helpful for OSSEC to detect when a log file has gotten smaller (they're always supposed to get bigger). This would be slightly different than the current "ignore" option. I understand that typical "log rotation" would create a new, zero-byte logfile. I am OK if this generated an alert, because then I could decide to set the level of the alert and be able to correlate it to my regularly-scheduled log rotation. But being able to tell my PCI assessors that I monitor critical log files for unexpected truncation every X minutes would be important.
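As an added illustration of the check being asked for (example code, not OSSEC's own and not the poster's), the script below snapshots each monitored log's inode and size and classifies the change since the last run: a shrink on the same inode is flagged as truncation, while a changed inode is reported separately as rotation so the two can be given different alert levels. The file names and the temp-directory scenario in `demo()` are constructed for the example.

```python
import os
import tempfile

def snapshot(paths):
    """Record (inode, size) of each monitored log; missing files are skipped."""
    state = {}
    for p in paths:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            continue
        state[p] = (st.st_ino, st.st_size)
    return state

def compare(previous, current):
    """Classify each log since the last snapshot: 'truncated' (same inode, smaller;
    logrotate's copytruncate mode lands here too), 'rotated' (inode changed: renamed
    away and recreated), 'missing', or 'ok' (same inode, no shrink: append-only growth)."""
    events = {}
    for path, (old_ino, old_size) in previous.items():
        new = current.get(path)
        if new is None:
            events[path] = "missing"
        elif new[0] != old_ino:
            events[path] = "rotated"
        elif new[1] < old_size:
            events[path] = "truncated"
        else:
            events[path] = "ok"
    return events

def demo():
    """Constructed scenario in a temp dir: append, truncate in place, then rotate."""
    log = os.path.join(tempfile.mkdtemp(), "app.log")
    with open(log, "w") as f:
        f.write("line1\nline2\n")
    before = snapshot([log])
    with open(log, "a") as f:
        f.write("line3\n")
    grew = compare(before, snapshot([log]))[log]
    before = snapshot([log])
    with open(log, "r+") as f:
        f.truncate(6)                 # file chopped in place: same inode, smaller size
    truncated = compare(before, snapshot([log]))[log]
    before = snapshot([log])
    os.rename(log, log + ".1")        # classic rotation: rename away, recreate empty
    open(log, "w").close()
    rotated = compare(before, snapshot([log]))[log]
    return grew, truncated, rotated
```

Run from cron every X minutes with the previous snapshot persisted to disk, `"truncated"` events are the ones to alert on at a high level; `"rotated"` events can be matched against the rotation schedule and given a lower level.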
