Hi,
I'm trying to get OSSEC to detect data deletion in log files. The page
at http://www.ossec.net/doc/manual/monitoring/index.html indicates that
log monitoring is done in real time, and ossec_rules.xml has these
rules:
<!-- File rotation/reduced rules -->
<rule id="591" level="3">
  <if_sid>500</if_sid>
  <match>^ossec: File rotated </match>
  <description>Log file rotated.</description>
</rule>

<rule id="592" level="8">
  <if_sid>500</if_sid>
  <match>^ossec: File size reduced</match>
  <description>Log file size reduced.</description>
  <group>attacks,</group>
</rule>

<rule id="593" level="9">
  <if_sid>500</if_sid>
  <match>^ossec: Event log cleared</match>
  <description>Microsoft Event log cleared.</description>
  <group>logs_cleared,</group>
</rule>
When I open up a log file in vim, delete a few lines and save it, rule
592 doesn't trigger. Am I doing something wrong? Does real-time log
monitoring include the rules above, or do those rules only trigger when
syscheck is run (at which time the log would have grown bigger than what
it was before, despite my deletions)?
How can I ensure log file integrity?
-Nate
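To make the mechanism behind rules 591 and 592 concrete, here is a small added illustration (not code from the original post, and not OSSEC's own logcollector) of how a size-and-inode poller turns "the file got smaller" or "the file was replaced" into an event string that the `<match>` prefixes above would fire on. The wording after the matched prefix in each event string, the `SizeMonitor` class and the `classify` helper are assumptions made for this example; only the three prefixes come from the rules quoted in the post.

```python
"""Illustration of logcollector-style detection of shrunk or replaced log files.

Added example, not OSSEC's code. It polls the size and inode of watched files
and emits event text whose prefix matches rules 591/592 from the post.
"""
import os
import tempfile

# Prefixes copied from the <match> elements of rules 591-593. Each begins
# with '^' in the rule, so OSSEC tests them against the start of the message;
# a plain str.startswith() reproduces that here.
RULE_MATCHES = {
    591: "ossec: File rotated ",
    592: "ossec: File size reduced",
    593: "ossec: Event log cleared",
}


def classify(message):
    """Return the id of the first rule whose <match> prefix fits, else None."""
    for rule_id, prefix in RULE_MATCHES.items():
        if message.startswith(prefix):
            return rule_id
    return None


class SizeMonitor:
    """Remember (size, inode) per watched file and report changes on poll().

    Hypothetical monitor: an inode change is reported as rotation (rule 591),
    a same-inode shrink as a size reduction (rule 592). The text after each
    prefix is made up for this example.
    """

    def __init__(self, paths):
        self.state = {}
        for path in paths:
            st = os.stat(path)
            self.state[path] = (st.st_size, st.st_ino)

    def poll(self):
        events = []
        for path, (last_size, last_ino) in list(self.state.items()):
            st = os.stat(path)
            if st.st_ino != last_ino:
                events.append(f"ossec: File rotated (inode changed): '{path}'.")
            elif st.st_size < last_size:
                events.append(f"ossec: File size reduced (inode remained): '{path}'.")
            self.state[path] = (st.st_size, st.st_ino)
        return events


def demo():
    """Replay the post's scenario two ways and return the rule ids raised.

    Phase 1: nothing changed.  Phase 2: lines deleted by truncating the file
    in place (same inode).  Phase 3: lines deleted by writing a new file and
    renaming it over the old one (new inode), which is how some editors save.
    """
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "auth.log")
        # Constructed sample log content.
        lines = [f"Jan  1 00:00:{i:02d} host sshd[1]: constructed entry {i}\n"
                 for i in range(20)]
        with open(path, "w") as fh:
            fh.writelines(lines)

        mon = SizeMonitor([path])
        phase1 = [classify(e) for e in mon.poll()]

        with open(path, "w") as fh:          # in-place truncate: inode kept
            fh.writelines(lines[:5])
        phase2 = [classify(e) for e in mon.poll()]

        replacement = path + ".tmp"          # write-then-rename: new inode
        with open(replacement, "w") as fh:
            fh.writelines(lines[:2])
        os.replace(replacement, path)
        phase3 = [classify(e) for e in mon.poll()]

        return phase1, phase2, phase3


if __name__ == "__main__":
    print(demo())
```

The third phase is the caveat worth keeping in mind when testing with an editor: depending on vim's `backupcopy` setting, saving may replace the file with a freshly written one rather than truncating it in place, so a monitor keyed on inode reports rotation (level 3) rather than a size reduction (level 8). Checking with `ls -i` before and after the save shows which case you are exercising; a deliberate in-place test is `truncate -s <smaller size> <file>` or `sed -i`-free `>` redirection.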