I believe you're referring to this rule (# 592 in my case):
<rule id="592" level="8">
  <if_sid>500</if_sid>
  <match>^ossec: File size reduced</match>
  <description>Log file size reduced.</description>
  <group>attacks,</group>
</rule>
If I understand this correctly, I don't need to do anything – this rule is
active by default!
Thanks,
Lars
PS. Of course this rule only provides limited protection against
tampering, since a smart hacker could easily make sure the file is
longer after he is done tampering with it.
On 3/25/2011 2:55 PM, Tanishk Lakhaani wrote:
ion of logs from the log file, an alert, with alert ID 510 created with the heading --
"Log File Size Reduced". And adding any logs is the same as modifying the
logs...just put this log file under the syscheck part in the ossec agent.conf
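To make the limitation in Lars's PS and Tanishk's syscheck suggestion concrete, here is an added example (not code from the thread or from OSSEC) that contrasts a size-only check, the condition behind rule 592, with a content-hash check of the kind syscheck performs. The alert text and the log contents are constructed; the real logcollector message wording is not taken from the page.

```python
"""Size-only vs content-hash detection of log tampering (added example)."""
import hashlib

# Rule 592 matches alerts that begin with this string (the ^-anchored <match>).
ALERT_PREFIX = "ossec: File size reduced"


def size_check(prev_size: int, cur_size: int, path: str):
    """Size-only test: produce an alert only if the monitored file shrank.
    The alert text is constructed to satisfy rule 592's match, not copied from OSSEC."""
    if cur_size < prev_size:
        return f"{ALERT_PREFIX} (from {prev_size} to {cur_size}): '{path}'."
    return None


def rule_592_matches(alert_line: str) -> bool:
    """Equivalent of <match>^ossec: File size reduced</match>."""
    return alert_line.startswith(ALERT_PREFIX)


def content_check(prev_digest: str, cur_bytes: bytes) -> bool:
    """syscheck-style test: any change to the file's bytes is reported,
    regardless of whether the file got shorter or longer."""
    return hashlib.sha256(cur_bytes).hexdigest() != prev_digest


def simulate(original: bytes, current: bytes, path: str = "/var/log/example.log") -> dict:
    """Return which of the two checks would fire for an original -> current transition."""
    alert = size_check(len(original), len(current), path)
    return {
        "rule_592": alert is not None and rule_592_matches(alert),
        "syscheck": content_check(hashlib.sha256(original).hexdigest(), current),
    }


# Constructed sample log states.
ORIGINAL = b"login ok user=alice\nlogin failed user=bob\nlogin ok user=carol\n"
LINE_REMOVED = b"login ok user=alice\nlogin ok user=carol\n"          # file shrinks
REMOVED_THEN_PADDED = LINE_REMOVED + b"filler filler filler filler\n"  # the PS case: ends up longer
APPENDED = ORIGINAL + b"login ok user=dave\n"                           # ordinary growth

if __name__ == "__main__":
    for name, state in [("line removed", LINE_REMOVED),
                        ("removed, then padded", REMOVED_THEN_PADDED),
                        ("normal append", APPENDED)]:
        print(f"{name:22s} -> {simulate(ORIGINAL, state)}")
```

Note the third case: a content-hash check on a log that is legitimately being written to will fire on every append, so putting an active log under syscheck trades the gap Lars describes for a steady stream of alerts unless the file is rotated or only checked once closed.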