Hi,
W.r.t. any deletion of logs from the log file, an alert with alert ID 510 is
created with the heading -- "Log File Size Reduced". And adding logs, if any, is
the same as modifying the logs... just put this log file under the syscheck part
in the ossec agent.conf.


Regards
Tanishk Lakhaani

-----Original Message-----
From: Lars Oberg <[email protected]>
Sender: [email protected]
Date: Thu, 24 Mar 2011 13:57:05 
To: <[email protected]>
Reply-To: [email protected]
Subject: Re: [ossec-list] Alerts on log file modified, but not if added to

I am new to OSSEC, but I do not see how to tell syscheck to only report 
when a log file is modified as opposed to added to.  In other words, I 
am looking for a way to detect tampering with log files.

Could you provide more details?

Lars

On 3/24/2011 12:54 PM, Gurtaj Singh wrote:
> Use syscheck on those logs.
> I suppose that's your best bet.
>
>
> On Thu, 2011-03-24 at 12:26 -0700, Lars Oberg wrote:
>> Hello,
>>
>> How can I configure ossec to alert me if somebody tampers with a log file?
>>
>> In other words, I do not want to get alerts anytime something is added
>> to the log, but I want to get alerts if existing contents in the log
>> file are modified or deleted.
>>
>> Thanks,
>> Lars
>>
>
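
The distinction asked about in this thread (appends are normal, edits and deletions are not) can be checked by hashing only the bytes that existed at the previous check. The following is an added example, not part of the thread and not OSSEC's own code; the function names are hypothetical and the sample log lines are constructed.

```python
import hashlib
import os
import tempfile

def snapshot(path):
    """Record inode, size and SHA-256 of the log as it is right now."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"inode": st.st_ino, "size": st.st_size, "sha256": digest}

def classify(path, prev):
    """Compare the log with an earlier snapshot.
    Returns 'unchanged', 'appended', 'modified', 'truncated' or 'replaced'."""
    st = os.stat(path)
    if st.st_ino != prev["inode"]:
        return "replaced"            # rotated or recreated: review separately
    if st.st_size < prev["size"]:
        return "truncated"           # size reduced, inode kept: entries deleted
    with open(path, "rb") as f:
        head = f.read(prev["size"])  # only the bytes that existed before
    if hashlib.sha256(head).hexdigest() != prev["sha256"]:
        return "modified"            # an existing entry was rewritten
    return "appended" if st.st_size > prev["size"] else "unchanged"

def demo():
    """Run three cases against a constructed sample log; returns the verdicts."""
    verdicts = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth.log")
        with open(path, "wb") as f:  # constructed sample entries
            f.write(b"Mar 24 12:00:01 host sshd[101]: Failed password for root\n"
                    b"Mar 24 12:00:05 host sshd[101]: Accepted password for alice\n")
        snap = snapshot(path)
        with open(path, "ab") as f:  # normal logging: no alert wanted
            f.write(b"Mar 24 12:01:00 host su: session opened\n")
        verdicts.append(classify(path, snap))
        snap = snapshot(path)
        with open(path, "r+b") as f:  # overwrite part of an old entry in place
            f.seek(32)
            f.write(b"XXXXXX")
        verdicts.append(classify(path, snap))
        snap = snapshot(path)
        os.truncate(path, 20)         # cut entries off the end
        verdicts.append(classify(path, snap))
    return verdicts

if __name__ == "__main__":
    print(demo())
```

Only 'modified' and 'truncated' would be treated as tampering here; 'replaced' also covers ordinary log rotation and needs its own handling.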
