OK... I'll reply round about the same time tomorrow; let me get my stupid web UI working. And meanwhile I'll try the ones you did and see if syscheck does anything at all.
On Mon, 2011-03-07 at 14:15 -0600, Nate Woodward wrote:
> Hi Gurtaj,
>
> > -----Original Message-----
> > From: Gurtaj Singh [mailto:[email protected]]
> > Sent: Monday, March 07, 2011 1:49 PM
> > To: [email protected]
> > Subject: RE: [ossec-list] Re: Deletion of log data
> >
> > Yea, I know what you mean.
> > But a couple of days ago I modified a file (I think it was the
> > /etc/group file)... syscheck fired a level 7 alert like 2 min
> > later... it detected a modified file... haven't tried a reduced
> > logfile yet.
> > Also, can you tell me what log file you used?
> > I tried both maillog and messages.
> >
> > On Mon, 2011-03-07 at 13:31 -0600, Nate Woodward wrote:
> > >
> > > > -----Original Message-----
> > > > From: gutsy gibbon [mailto:[email protected]]
> > > > Sent: Monday, March 07, 2011 12:52 PM
> > > > To: ossec-list
> > > > Subject: [ossec-list] Re: Deletion of log data
> > > >
> > > > What log file did you open with vim? Make sure that the log file you
> > > > open is included in the ossec.conf file, and just to
> > >
> > > I made sure I was modifying a logfile that is being monitored.
> > >
> > > > make sure the rule works, reduce the 6 hr syscheck thing... get it to
> > > > run right after you edit the file..
> > >
> > > I'll give this a try, but assuming the rule does work (it's one of the
> > > rules that ships with OSSEC, after all), how do I make sure log
> > > tampering will be detected no matter what? The OSSEC book says the
> > > time between syschecks has a minimum frequency of an hour, and I can't
> > > exactly ask crackers to only tamper with my logs X minutes after the
> > > top of the hour.
> > >
> > > > On Mar 6, 10:54 am, "Tanishk Lakhaani" <[email protected]> wrote:
> > > > > I think it checks for the same only at the time of running
> > > > > syscheck, because at that time it tries to compare it with the database
> > > > > it has already made during pre-scan mode.
> > > > >
> > > > > Regards
> > > > > Tanishk Lakhaani
> > > > > Sent from BlackBerry on Airtel
> > > > >
> > > > > -----Original Message-----
> > > > > From: "Nate Woodward" <[email protected]>
> > > > > Sender: [email protected]
> > > > > Date: Fri, 4 Mar 2011 10:08:51
> > > > > To: ossec-list<[email protected]>
> > > > > Reply-To: [email protected]
> > > > > Subject: [ossec-list] Deletion of log data
> > > > >
> > > > > Hi,
> > > > >
> > > > > I'm trying to get OSSEC to detect data deletion in log files. The page
> > > > > at http://www.ossec.net/doc/manual/monitoring/index.html indicates that
> > > > > log monitoring is done in real time, and ossec_rules.xml has these
> > > > > rules:
> > > > >
> > > > > <!-- File rotation/reducded rules -->
> > > > > <rule id="591" level="3">
> > > > >   <if_sid>500</if_sid>
> > > > >   <match>^ossec: File rotated </match>
> > > > >   <description>Log file rotated.</description>
> > > > > </rule>
> > > > >
> > > > > <rule id="592" level="8">
> > > > >   <if_sid>500</if_sid>
> > > > >   <match>^ossec: File size reduced</match>
> > > > >   <description>Log file size reduced.</description>
> > > > >   <group>attacks,</group>
> > > > > </rule>
> > > > >
> > > > > <rule id="593" level="9">
> > > > >   <if_sid>500</if_sid>
> > > > >   <match>^ossec: Event log cleared</match>
> > > > >   <description>Microsoft Event log cleared.</description>
> > > > >   <group>logs_cleared,</group>
> > > > > </rule>
> > > > >
> > > > > When I open up a log file in vim, delete a few lines and save it, rule
> > > > > 592 doesn't trigger. Am I doing something wrong? Does real-time
> > > > > log monitoring include the rules above, or do those rules only
> > > > > trigger when syscheck is run (at which time the log would have
> > > > > grown bigger than what it was before, despite my deletions)?
> > > > >
> > > > > How can I ensure log file integrity?
> > > > >
> > > > > -Nate
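Nate's question turns on what separates rule 591 ("File rotated") from rule 592 ("File size reduced"). The following stand-alone Python script is an added example, not OSSEC's own code: it tracks a monitored file's inode and size between observations, the comparison such a check rests on, and runs a constructed scenario (a normal append, an in-place line deletion, and a rewrite that renames a new file over the original) to show which verdict each produces. The sample log lines and the verdict names are constructed for this example.

```python
import os
import tempfile


def check_log(path, prev):
    """Compare a monitored file's (inode, size) with the last observation.

    Returns (verdict, state); 'rotated' and 'size_reduced' mirror the events
    behind rules 591 and 592 quoted above, growth and no change are benign.
    """
    st = os.stat(path)
    cur = (st.st_ino, st.st_size)
    if prev is None:
        return "initial", cur
    if cur[0] != prev[0]:
        # A new file under the old name: logrotate, or an editor that wrote a
        # copy and renamed it over the original. Bytes lost that way surface
        # as a rotation (level 3), not a reduction (level 8).
        return "rotated", cur
    if cur[1] < prev[1]:
        return "size_reduced", cur  # in-place truncation or line deletion
    return ("appended" if cur[1] > prev[1] else "unchanged"), cur


def demo():
    """Constructed scenario: append, in-place deletion, then replace-by-rename."""
    verdicts = []
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "messages")
        with open(log, "w") as f:  # constructed sample log content
            f.write("Mar  7 13:49:01 host sshd[100]: Accepted publickey\n")
        _, state = check_log(log, None)
        with open(log, "a") as f:  # normal growth
            f.write("Mar  7 13:49:02 host sshd[100]: session opened\n")
        v, state = check_log(log, state)
        verdicts.append(v)
        with open(log, "r+") as f:  # delete the last line in place (same inode)
            lines = f.readlines()
            f.seek(0)
            f.truncate()
            f.writelines(lines[:-1])
        v, state = check_log(log, state)
        verdicts.append(v)
        tmp = log + ".tmp"  # same bytes, but a new file renamed over the original
        with open(tmp, "w") as f:
            f.write(lines[0])
        os.replace(tmp, log)
        v, state = check_log(log, state)
        verdicts.append(v)
    return verdicts  # ['appended', 'size_reduced', 'rotated']
```

The last step has the same size as the step before it, so a size-only check would miss it; the inode change is what flags the rewrite.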
