Yea I know what u mean. But a couple of days ago i modified a file(I think it was the /etc/group file)...syscheck fired a lvl 7 alert like 2 min later...it detected a modified file...havent tried a reduced logfile yet. also can u tell me what log file did u use?
On Mon, 2011-03-07 at 13:31 -0600, Nate Woodward wrote: > > > -----Original Message----- > > From: gutsy gibbon [mailto:[email protected]] > > Sent: Monday, March 07, 2011 12:52 PM > > To: ossec-list > > Subject: [ossec-list] Re: Deletion of log data > > > > what log file did u open with vim...make sure that the log > > file u open is included in the ossec.conf file and just to > > I made sure I was modifying a logfile that is being monitored. > > > make sure the rule works reduce the 6 hr syscheck thing...get > > it to run right after u edit the file.. > > I'll give this a try, but assuming the rule does work (it's one of the > rules that ships with OSSEC, after all), how do I make sure log > tampering will be detected no matter what? The OSSEC book says the time > between syschecks has a minimum frequency of an hour, and I can't > exactly ask crackers to only tamper with my logs X minutes after the top > of the hour. > > > > > On Mar 6, 10:54 am, "Tanishk Lakhaani" <[email protected]> wrote: > > > I think it checks for the same only at the time of running > > syscheck, bcoz at that time it tries to compare it with the > > database it has already made during pre-scan mode. > > > > > > Regards > > > Tanishk Lakhaani > > > Sent from BlackBerry® on Airtel > > > > > > -----Original Message----- > > > From: "Nate Woodward" <[email protected]> > > > > > > Sender: [email protected] > > > Date: Fri, 4 Mar 2011 10:08:51 > > > To: ossec-list<[email protected]> > > > Reply-To: [email protected] > > > Subject: [ossec-list] Deletion of log data > > > > > > Hi, > > > > > > I'm trying to get OSSEC to detect data deletion in log > > files. The page > > > > > athttp://www.ossec.net/doc/manual/monitoring/index.htmlindicates that > > > log monitoring is done in real time, and ossec_rules.xml has these > > > rules: > > > > > > <!-- File rotation/reducded rules --> > > > <rule id="591" level="3"> > > > <if_sid>500</if_sid> > > > <match>^ossec: File rotated </match> > > > <description>Log file rotated.</description> > > > </rule> > > > > > > <rule id="592" level="8"> > > > <if_sid>500</if_sid> > > > <match>^ossec: File size reduced</match> > > > <description>Log file size reduced.</description> > > > <group>attacks,</group> > > > </rule> > > > > > > <rule id="593" level="9"> > > > <if_sid>500</if_sid> > > > <match>^ossec: Event log cleared</match> > > > <description>Microsoft Event log cleared.</description> > > > <group>logs_cleared,</group> > > > </rule> > > > > > > When I open up a log file in vim, delete a few lines and > > save it, rule > > > 592 doesn't trigger. Am I doing something wrong? Does real-time log > > > monitoring include the rules above, or do those rules only trigger > > > when syscheck is run (at which time the log would have grown bigger > > > than what it was before, despite my deletions)? > > > > > > How can I ensure log file integrity? > > > > > > -Nate > > > >
