I think it checks for the same only at the time of running syscheck, because at that time it tries to compare it with the database it has already made during pre-scan mode.
Regards
Tanishk Lakhaani
Sent from BlackBerry® on Airtel

-----Original Message-----
From: "Nate Woodward" <[email protected]>
Sender: [email protected]
Date: Fri, 4 Mar 2011 10:08:51
To: ossec-list<[email protected]>
Reply-To: [email protected]
Subject: [ossec-list] Deletion of log data

Hi,

I'm trying to get OSSEC to detect data deletion in log files. The page at http://www.ossec.net/doc/manual/monitoring/index.html indicates that log monitoring is done in real time, and ossec_rules.xml has these rules:

  <!-- File rotation/reducded rules -->
  <rule id="591" level="3">
    <if_sid>500</if_sid>
    <match>^ossec: File rotated </match>
    <description>Log file rotated.</description>
  </rule>

  <rule id="592" level="8">
    <if_sid>500</if_sid>
    <match>^ossec: File size reduced</match>
    <description>Log file size reduced.</description>
    <group>attacks,</group>
  </rule>

  <rule id="593" level="9">
    <if_sid>500</if_sid>
    <match>^ossec: Event log cleared</match>
    <description>Microsoft Event log cleared.</description>
    <group>logs_cleared,</group>
  </rule>

When I open up a log file in vim, delete a few lines and save it, rule 592 doesn't trigger. Am I doing something wrong? Does real-time log monitoring include the rules above, or do those rules only trigger when syscheck is run (at which time the log would have grown bigger than what it was before, despite my deletions)? How can I ensure log file integrity?

-Nate
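The question above is about what has to happen on disk for rule 592 to fire. As an added example (not OSSEC's code, and not written by anyone in this thread), here is a small Python model of the check a tail-style log collector can make on every poll: remember the inode it opened and the byte offset it has read up to, report a size reduction when the same inode is now shorter than that offset, and report a rotation when the inode has changed. The three rules quoted in the mail are reproduced as a constructed rule table, the log lines are constructed, and the wording of the "ossec: ..." notices beyond the prefix the <match> patterns look for is an assumption.

```python
import os
import re
import shutil
import tempfile

# Constructed from the rules quoted in the thread: (rule id, level, match regex, description).
RULES = [
    (591, 3, r"^ossec: File rotated ", "Log file rotated."),
    (592, 8, r"^ossec: File size reduced", "Log file size reduced."),
    (593, 9, r"^ossec: Event log cleared", "Microsoft Event log cleared."),
]


class LogTail:
    """Follows one log file the way a tail-style collector does: it remembers
    the inode it opened and the byte offset it has read up to, and on each
    poll compares the file now on disk against that remembered state."""

    def __init__(self, path):
        self.path = path
        st = os.stat(path)
        self.inode = st.st_ino
        # Attach at the current end of file; content already present is not read.
        self.offset = st.st_size

    def poll(self):
        """Return the events produced by one poll: an internal 'ossec: ...'
        notice for rotation or truncation, followed by each newly read line.
        (The notice wording after the prefix is an assumption for this example.)"""
        events = []
        st = os.stat(self.path)
        if st.st_ino != self.inode:
            # Same path, different file: rotated, or rewritten by a tool that
            # saves to a temporary file and renames it over the original.
            events.append(f"ossec: File rotated (inode changed): '{self.path}'.")
            self.inode = st.st_ino
            self.offset = 0
        elif st.st_size < self.offset:
            # Same inode, but now shorter than what was already read: lines
            # were removed in place. Start over from the beginning.
            events.append(f"ossec: File size reduced (inode remained): '{self.path}'.")
            self.offset = 0
        with open(self.path, "rb") as fh:
            fh.seek(self.offset)
            data = fh.read()
        self.offset += len(data)
        events.extend(l for l in data.decode("utf-8", "replace").splitlines() if l)
        return events


def match_rules(event):
    """Return (rule id, level, description) of the first rule whose <match>
    pattern matches the event, or None when no rule in RULES matches."""
    for rid, level, pattern, desc in RULES:
        if re.search(pattern, event):
            return (rid, level, desc)
    return None


def simulate():
    """Drive the tail through normal growth, an in-place truncation and a
    delete-by-rename. Returns the rule ids that fired, in order."""
    fired = []
    workdir = tempfile.mkdtemp()
    try:
        path = os.path.join(workdir, "auth.log")
        # Constructed sample log content.
        with open(path, "w") as fh:
            fh.write("Mar  4 10:00:01 host sshd[100]: Accepted publickey for alice\n"
                     "Mar  4 10:00:02 host sshd[101]: Failed password for root\n"
                     "Mar  4 10:00:03 host sshd[102]: Accepted publickey for bob\n")
        tail = LogTail(path)

        # 1. The log grows: new lines are read, no notice is raised.
        with open(path, "a") as fh:
            fh.write("Mar  4 10:00:04 host sshd[103]: Failed password for root\n")
        fired += [r[0] for r in map(match_rules, tail.poll()) if r]

        # 2. Remove the 'Failed password' lines in place: same inode, smaller size.
        with open(path) as fh:
            kept = [l for l in fh if "Failed password" not in l]
        with open(path, "w") as fh:  # truncates and rewrites the same inode
            fh.writelines(kept)
        fired += [r[0] for r in map(match_rules, tail.poll()) if r]

        # 3. Remove one more line the way a write-temp-then-rename save does: new inode.
        tmp = path + ".tmp"
        with open(tmp, "w") as fh:
            fh.writelines(kept[:-1])
        os.replace(tmp, path)
        fired += [r[0] for r in map(match_rules, tail.poll()) if r]
    finally:
        shutil.rmtree(workdir)
    return fired


if __name__ == "__main__":
    print(simulate())  # [592, 591]
```

simulate() returns [592, 591]: the in-place truncation is seen as a size reduction, while the save that replaced the file under the same name is seen as a rotation (rule 591, level 3) even though lines were removed, because the collector keys the size check on the inode it originally opened. That distinction is the first thing to check when an expected rule 592 alert does not appear: confirm whether the tool used to edit the log wrote into the existing inode or created a new file and renamed it.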
