I am new to OSSEC, but I do not see how to tell syscheck to only report
when a log file is modified as opposed to added to. In other words, I
am looking for a way to detect tampering with log files.
Could you provide more details?
Lars
On 3/24/2011 12:54 PM, Gurtaj Singh wrote:
Use syscheck on those logs.
I suppose that's your best bet.
On Thu, 2011-03-24 at 12:26 -0700, Lars Oberg wrote:
Hello,
How can I configure OSSEC to alert me if somebody tampers with a log file?
In other words, I do not want to get alerts anytime something is added
to the log, but I want to get alerts if existing contents in the log
file are modified or deleted.
Thanks,
Lars
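
Added example (not part of the original thread, and not an OSSEC feature or configuration): one way to tell an append from tampering is to record a log's size and hash as a baseline, then later re-hash only that many leading bytes. The function names and the sample log lines below are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def _hash_prefix(path, length):
    """SHA-256 over the first `length` bytes of the file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while length > 0 and (chunk := f.read(min(65536, length))):
            h.update(chunk)
            length -= len(chunk)
    return h.hexdigest()

def snapshot(path):
    """Baseline: current size plus a hash of everything written so far."""
    size = os.path.getsize(path)
    return {"size": size, "sha256": _hash_prefix(path, size)}

def check(path, baseline):
    """Return 'unchanged', 'appended', 'tampered' or 'missing'."""
    if not os.path.exists(path):
        return "missing"
    size = os.path.getsize(path)
    # A shorter file or a changed prefix means existing content was altered.
    if size < baseline["size"] or \
            _hash_prefix(path, baseline["size"]) != baseline["sha256"]:
        return "tampered"
    return "appended" if size > baseline["size"] else "unchanged"

def demo():
    """Exercise check() on a constructed sample log in a temp directory."""
    a = b"Mar 24 12:00:01 host sshd[101]: Failed password for root\n"
    b = b"Mar 24 12:00:05 host sshd[102]: Accepted password for lars\n"
    out = []
    with tempfile.TemporaryDirectory() as d:
        log = Path(d) / "auth.log"
        log.write_bytes(a)
        base = snapshot(log)
        out.append(check(log, base))                    # nothing happened
        with open(log, "ab") as f:                      # normal log growth
            f.write(b)
        out.append(check(log, base))
        log.write_bytes(log.read_bytes().replace(b"Failed", b"Accept"))
        out.append(check(log, base))                    # same-size edit
        log.write_bytes(b)                              # first line deleted
        out.append(check(log, base))
        log.unlink()
        out.append(check(log, base))
    return out
```

Log rotation replaces the file, so it also reports as tampered; take a fresh snapshot after each rotation and keep the baselines somewhere the monitored host's users cannot write.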