What log file did you open with vim? Make sure that the log file you open is included in the ossec.conf file, and just to make sure the rule works, reduce the 6 hr syscheck thing... get it to run right after you edit the file.
On Mar 6, 10:54 am, "Tanishk Lakhaani" <[email protected]> wrote:
> I think it checks for the same only at the time of running syscheck, because at
> that time it tries to compare it with the database it has already made during
> pre-scan mode.
>
> Regards
> Tanishk Lakhaani
> Sent from BlackBerry® on Airtel
>
> -----Original Message-----
> From: "Nate Woodward" <[email protected]>
> Sender: [email protected]
> Date: Fri, 4 Mar 2011 10:08:51
> To: ossec-list<[email protected]>
> Reply-To: [email protected]
> Subject: [ossec-list] Deletion of log data
>
> Hi,
>
> I'm trying to get OSSEC to detect data deletion in log files. The page
> at http://www.ossec.net/doc/manual/monitoring/index.html indicates that
> log monitoring is done in real time, and ossec_rules.xml has these
> rules:
>
> <!-- File rotation/reduced rules -->
> <rule id="591" level="3">
>   <if_sid>500</if_sid>
>   <match>^ossec: File rotated </match>
>   <description>Log file rotated.</description>
> </rule>
>
> <rule id="592" level="8">
>   <if_sid>500</if_sid>
>   <match>^ossec: File size reduced</match>
>   <description>Log file size reduced.</description>
>   <group>attacks,</group>
> </rule>
>
> <rule id="593" level="9">
>   <if_sid>500</if_sid>
>   <match>^ossec: Event log cleared</match>
>   <description>Microsoft Event log cleared.</description>
>   <group>logs_cleared,</group>
> </rule>
>
> When I open up a log file in vim, delete a few lines and save it, rule
> 592 doesn't trigger. Am I doing something wrong? Does real-time log
> monitoring include the rules above, or do those rules only trigger when
> syscheck is run (at which time the log would have grown bigger than what
> it was before, despite my deletions)?
>
> How can I ensure log file integrity?
>
> -Nate
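Added example (not OSSEC's own code, nor anything posted in this thread): a small Python model of how a real-time log collector could tell a rotated file from a shrunken one by remembering each monitored file's inode and size between reads, with the three rules quoted above applied to the resulting internal events. The LogWatcher class, the event text and the scenario are constructed for illustration and are assumptions about the mechanism, not a description of OSSEC's logcollector. It also covers a case the thread does not: an editor that writes a new file and renames it over the old one (vim can do this, depending on its 'backupcopy' setting) changes the inode, so the model reports a rotation (rule 591) rather than a size reduction (rule 592).

```python
import os, re, tempfile

# Constructed copy of the three rules quoted in the thread: (id, level, match, description).
# OSSEC's <match> is a prefix/substring test; re.match on the literal models that here.
RULES = [
    (591, 3, "^ossec: File rotated ", "Log file rotated."),
    (592, 8, "^ossec: File size reduced", "Log file size reduced."),
    (593, 9, "^ossec: Event log cleared", "Microsoft Event log cleared."),
]

def match_rules(event):
    """Return (id, level, description) of the first rule whose <match> hits, else None."""
    for rid, level, pattern, desc in RULES:
        if re.match(pattern, event):
            return rid, level, desc
    return None

class LogWatcher:
    """Hypothetical collector model: remembers inode and size of one monitored file."""
    def __init__(self, path):
        self.path = path
        st = os.stat(path)
        self.inode, self.size = st.st_ino, st.st_size

    def check(self):
        """Re-stat the file; return an internal 'ossec:' event, or '' if nothing changed."""
        st = os.stat(self.path)
        event = ""
        if st.st_ino != self.inode:       # new inode: file was replaced or rotated
            event = f"ossec: File rotated (inode changed) '{self.path}'."
        elif st.st_size < self.size:      # same inode but fewer bytes: data was removed
            event = f"ossec: File size reduced (new size {st.st_size}) '{self.path}'."
        self.inode, self.size = st.st_ino, st.st_size
        return event

def demo():
    """Constructed scenario: in-place truncation, then replace-by-rename. Returns the rule ids."""
    path = os.path.join(tempfile.mkdtemp(), "auth.log")
    with open(path, "w") as f:
        f.write("line1\nline2\nline3\n")
    w = LogWatcher(path)
    with open(path, "w") as f:          # delete lines, rewriting the same inode
        f.write("line1\n")
    hit_truncate = match_rules(w.check())
    tmp = path + ".new"                 # editor-style save: new file, then rename over the old
    with open(tmp, "w") as f:
        f.write("line1\nline2\n")
    os.replace(tmp, path)
    hit_rename = match_rules(w.check())
    return hit_truncate[0], hit_rename[0]
```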
