Hi Gurtaj, 

> -----Original Message-----
> From: Gurtaj Singh [mailto:[email protected]] 
> Sent: Monday, March 07, 2011 1:49 PM
> To: [email protected]
> Subject: RE: [ossec-list] Re: Deletion of log data
> 
> Yea I know what u mean.
> But a couple of days ago I modified a file (I think it was the 
> /etc/group file)...syscheck fired a lvl 7 alert like 2 min 
> later...it detected a modified file...haven't tried a reduced 
> logfile yet.
> also can you tell me what log file did you use?

I tried both maillog and messages.

> 
> 
> On Mon, 2011-03-07 at 13:31 -0600, Nate Woodward wrote:
> > 
> > > -----Original Message-----
> > > From: gutsy gibbon [mailto:[email protected]]
> > > Sent: Monday, March 07, 2011 12:52 PM
> > > To: ossec-list
> > > Subject: [ossec-list] Re: Deletion of log data
> > > 
> > > what log file did you open with vim...make sure that the log file you 
> > > open is included in the ossec.conf file and just to
> > 
> > I made sure I was modifying a logfile that is being monitored.
> > 
> > > make sure the rule works, reduce the 6 hr syscheck thing...get it to 
> > > run right after you edit the file..
> > 
> > I'll give this a try, but assuming the rule does work (it's one of the 
> > rules that ships with OSSEC, after all), how do I make sure log 
> > tampering will be detected no matter what? The OSSEC book says the 
> > time between syschecks has a minimum frequency of an hour, and I can't 
> > exactly ask crackers to only tamper with my logs X minutes after the 
> > top of the hour.
> > 
> > > 
> > > On Mar 6, 10:54 am, "Tanishk Lakhaani" <[email protected]> wrote:
> > > > I think it checks for the same only at the time of running
> > > > syscheck, because at that time it tries to compare it with 
> > > > the database it has already made during pre-scan mode.
> > > >
> > > > Regards
> > > > Tanishk Lakhaani
> > > > Sent from BlackBerry on Airtel
> > > >
> > > > -----Original Message-----
> > > > From: "Nate Woodward" <[email protected]>
> > > >
> > > > Sender: [email protected]
> > > > Date: Fri, 4 Mar 2011 10:08:51
> > > > To: ossec-list<[email protected]>
> > > > Reply-To: [email protected]
> > > > Subject: [ossec-list] Deletion of log data
> > > >
> > > > Hi,
> > > >
> > > > I'm trying to get OSSEC to detect data deletion in log files. The page
> > > > at http://www.ossec.net/doc/manual/monitoring/index.html indicates that
> > > > log monitoring is done in real time, and ossec_rules.xml has these
> > > > rules:
> > > >
> > > >   <!-- File rotation/reduced rules -->
> > > >   <rule id="591" level="3">
> > > >     <if_sid>500</if_sid>
> > > >     <match>^ossec: File rotated </match>
> > > >     <description>Log file rotated.</description>
> > > >   </rule>
> > > >
> > > >   <rule id="592" level="8">
> > > >     <if_sid>500</if_sid>
> > > >     <match>^ossec: File size reduced</match>
> > > >     <description>Log file size reduced.</description>
> > > >     <group>attacks,</group>
> > > >   </rule>
> > > >
> > > >   <rule id="593" level="9">
> > > >     <if_sid>500</if_sid>
> > > >     <match>^ossec: Event log cleared</match>
> > > >     <description>Microsoft Event log cleared.</description>
> > > >     <group>logs_cleared,</group>
> > > >   </rule>
> > > >
> > > > When I open up a log file in vim, delete a few lines and save it, rule
> > > > 592 doesn't trigger. Am I doing something wrong? Does real-time 
> > > > log monitoring include the rules above, or do those rules only 
> > > > trigger when syscheck is run (at which time the log would have 
> > > > grown bigger than what it was before, despite my deletions)?
> > > >
> > > > How can I ensure log file integrity?
> > > >
> > > > -Nate
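As an added illustration, not OSSEC's source and not code from anyone in this thread: a small Python model of the per-read inode/size check a log collector can make on a monitored file, with the three rules quoted above expressed as patterns, run against a constructed log that first grows and is then shortened in place the way an editor save does. The event strings and the sample log lines are constructed for the example.

```python
import os
import re
import tempfile

# The three ossec_rules.xml rules quoted above as (id, level, pattern, description).
RULES = [
    (591, 3, re.compile(r"^ossec: File rotated "), "Log file rotated."),
    (592, 8, re.compile(r"^ossec: File size reduced"), "Log file size reduced."),
    (593, 9, re.compile(r"^ossec: Event log cleared"), "Microsoft Event log cleared."),
]

def check_log(path, state):
    """Compare the log's current inode/size with those remembered in `state`
    (dict keyed by path); return the collector event to raise, or None.
    Event text is constructed to fit the rule prefixes, not OSSEC's exact wording."""
    st = os.stat(path)
    prev = state.get(path)
    state[path] = (st.st_ino, st.st_size)
    if prev is None:            # first sighting: just remember it
        return None
    prev_ino, prev_size = prev
    if st.st_ino != prev_ino:   # file replaced, e.g. by logrotate
        return f"ossec: File rotated (inode changed): '{path}'."
    if st.st_size < prev_size:  # shrank in place: lines were removed
        return f"ossec: File size reduced (inode or size changed): '{path}'."
    return None

def match_rule(event):
    """Return the first rule whose <match> pattern fits the event, as a dict."""
    for rule_id, level, pattern, description in RULES:
        if pattern.search(event):
            return {"id": rule_id, "level": level, "description": description}
    return None

def simulate_edit():
    """Constructed scenario: a log grows normally, then has lines deleted in
    place (what saving a shortened file from an editor does)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "messages")
        state = {}
        line = "Mar  7 13:31:00 host sshd[1234]: Accepted publickey for nate\n"
        with open(path, "w") as f:
            f.write(line * 5)
        check_log(path, state)                 # baseline
        with open(path, "a") as f:
            f.write("Mar  7 13:32:00 host sshd[1234]: session opened\n")
        after_append = check_log(path, state)  # growth only: None
        with open(path, "w") as f:             # truncate to a single line
            f.write(line)
        return after_append, match_rule(check_log(path, state))
```

Appending leaves the size check silent, while the in-place deletion is reported and lands on rule 592 at level 8; a check that only runs at syscheck intervals would compare against a baseline the file had long outgrown.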
