I think it checks for the same only at the time of running syscheck, because at 
that time it tries to compare it with the database it has already made during 
pre-scan mode.


Regards
Tanishk Lakhaani
Sent from BlackBerry® on Airtel

-----Original Message-----
From: "Nate Woodward" <[email protected]>
Sender: [email protected]
Date: Fri, 4 Mar 2011 10:08:51 
To: ossec-list<[email protected]>
Reply-To: [email protected]
Subject: [ossec-list] Deletion of log data

Hi,

I'm trying to get OSSEC to detect data deletion in log files. The page 
at http://www.ossec.net/doc/manual/monitoring/index.html indicates that 
log monitoring is done in real time, and ossec_rules.xml has these 
rules:


  <!-- File rotation/reduced rules -->
  <rule id="591" level="3">
    <if_sid>500</if_sid>
    <match>^ossec: File rotated </match>
    <description>Log file rotated.</description>
  </rule>
  
  <rule id="592" level="8">
    <if_sid>500</if_sid>
    <match>^ossec: File size reduced</match>
    <description>Log file size reduced.</description>
    <group>attacks,</group>
  </rule>

  <rule id="593" level="9">
    <if_sid>500</if_sid>
    <match>^ossec: Event log cleared</match>
    <description>Microsoft Event log cleared.</description>
    <group>logs_cleared,</group>
  </rule>


When I open up a log file in vim, delete a few lines and save it, rule 
592 doesn't trigger. Am I doing something wrong? Does real-time log 
monitoring include the rules above, or do those rules only trigger when 
syscheck is run (at which time the log would have grown bigger than what 
it was before, despite my deletions)?

How can I ensure log file integrity?

-Nate

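The behaviour Nate is asking about, as an added example that is neither OSSEC's code nor from this thread: OSSEC's logcollector raises "File rotated" when the inode behind a monitored path changes and "File size reduced" when the same inode has fewer bytes than at the previous read; the watcher below is modelled on those two checks, runs them over a constructed temporary log, and feeds the resulting lines through the `<match>` prefixes of rules 591-593 quoted above. The exact event wording and the `LogWatcher` and `demo` names are assumptions of this example.

```python
import os, re, tempfile

# Added example, not OSSEC's own code: the two checks OSSEC's logcollector makes
# on a monitored log between reads, plus the <match> prefixes of rules 591-593.
RULES = [(591, 3, "^ossec: File rotated "),
         (592, 8, "^ossec: File size reduced"),
         (593, 9, "^ossec: Event log cleared")]

def match_rule(event):
    """(id, level) of the first quoted rule whose <match> prefix hits, else None."""
    hits = [(i, lvl) for i, lvl, pat in RULES if event and re.match(pat, event)]
    return hits[0] if hits else None

class LogWatcher:
    def __init__(self, path):
        self.path = path
        st = os.stat(path)
        self.inode, self.size = st.st_ino, st.st_size

    def check(self):
        """Return an 'ossec:'-style event (constructed wording) or None if it only grew."""
        st = os.stat(self.path)
        if st.st_ino != self.inode:
            # Different file behind the same path: an editor that saves by writing
            # a new file and renaming it over the old one shows up here, not below.
            self.inode, self.size = st.st_ino, st.st_size
            return "ossec: File rotated (inode changed): '%s'" % self.path
        if st.st_size < self.size:
            # Same inode, fewer bytes than at the last poll: lines cut in place.
            self.size = st.st_size
            return "ossec: File size reduced (inode remained): '%s'" % self.path
        self.size = st.st_size
        return None

def demo():
    """Drive the watcher over a constructed temp log; return (event, rule) pairs."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.log")
        with open(path, "w") as f:
            f.write("line 1\nline 2\nline 3\n")
        w, seen = LogWatcher(path), []
        with open(path, "a") as f:            # normal growth: no event
            f.write("line 4\n")
        seen.append(w.check())
        with open(path, "r+") as f:           # delete lines in place (truncate)
            f.truncate(7)
        seen.append(w.check())
        with open(path + ".new", "w") as f:   # replace the file under the path
            f.write("line 1\n")
        os.replace(path + ".new", path)
        seen.append(w.check())
        return [(e, match_rule(e)) for e in seen]
```

Both checks only see the file at a poll, so a log that is cut and then regrows past its previous size between two polls produces no event from the size comparison; syscheck's checksums catch that kind of edit at its next scan instead.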