I am also very new to OSSEC, so I am not sure what the next step would be.
Maybe someone else with more OSSEC experience can help on this?
On 3/28/2011 10:21 AM, Nate Woodward wrote:
It just doesn't work for me. If I open a log file with nano (NOT vim, as
it changes the inode of the file) and remove a few lines, OSSEC doesn't
notify me about it.
I haven't had the time to look into it much further than that.
-----Original Message-----
From: Lars Oberg [mailto:[email protected]]
Sent: Monday, March 28, 2011 10:59 AM
To: [email protected]
Subject: Re: [ossec-list] Alerts on log file modified, but not if added to
No, I have not yet tested it (dealing with another ossec
related issue at the moment). What problem are you coming across?
Lars
On 3/28/2011 7:16 AM, Nate Woodward wrote:
Have you tested whether this rule works? I can't get it to function
correctly.
-----Original Message-----
From: Lars Oberg [mailto:[email protected]]
Sent: Friday, March 25, 2011 8:12 PM
To: [email protected]
Subject: Re: [ossec-list] Alerts on log file modified, but not if added to
I believe you're referring to this rule (# 592 in my case):
<rule id="592" level="8">
  <if_sid>500</if_sid>
  <match>^ossec: File size reduced</match>
  <description>Log file size reduced.</description>
  <group>attacks,</group>
</rule>
If I understand this correctly, I don't need to do anything; this rule is
active by default!
Thanks,
Lars
PS. Of course this rule only provides limited protection against
tampering, since a smart hacker could easily make sure the file is
longer after he is done tampering with it.
On 3/25/2011 2:55 PM, Tanishk Lakhaani wrote:
ion of logs from the log file, an alert with alert ID 510 is created
with the heading "Log File Size Reduced". And adding of any logs
is the same as modifying the logs... just put this log file under the
syscheck part in the ossec agent.conf
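As an added example (not code from this thread and not OSSEC's own logcollector), the Python script below mimics the size-and-inode bookkeeping behind the "ossec: File size reduced" event that rule 592 matches, and runs it over the three situations the thread discusses: lines removed in place, lines removed and the file padded back to a larger size (Lars's PS), and the file rewritten under a new inode (Nate's point about editors). The log lines and paths are constructed for the example; the only part of the event text taken from the thread is the "ossec: File size reduced" prefix in the rule's <match>, so the rest of that wording and the "File rotated" wording are assumptions.

```python
import os
import re
import tempfile

# Rule 592 as posted in the thread: it matches decoded "ossec:" events
# (sid 500) whose text starts with "ossec: File size reduced".
RULE_592 = re.compile(r"^ossec: File size reduced")

# Constructed sample log content (not real logs).
SAMPLE_LOG = (
    "Mar 28 10:21:01 host sshd[1234]: Accepted publickey for alice\n"
    "Mar 28 10:21:05 host sudo: alice : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow\n"
    "Mar 28 10:21:09 host sshd[1234]: session closed for user alice\n"
)


class SizeWatcher:
    """Remembers a log file's size and inode between checks; a simplified
    stand-in for the logcollector's bookkeeping, constructed for this example."""

    def __init__(self, path):
        self.path = path
        st = os.stat(path)
        self.size, self.inode = st.st_size, st.st_ino

    def check(self):
        """Return the internal event this check would raise, or None."""
        st = os.stat(self.path)
        event = None
        if st.st_ino != self.inode:
            # The file was replaced (an editor that writes a new file and
            # renames it over the old one does this). The file is simply
            # reopened; this event wording is assumed and does not start
            # with "File size reduced", so rule 592 never sees it.
            event = f"ossec: File rotated (inode changed): '{self.path}'."
        elif st.st_size < self.size:
            # Same inode, fewer bytes: the event rule 592 is built to catch.
            # Only the "ossec: File size reduced" prefix comes from the
            # thread; the rest of the wording is assumed.
            event = f"ossec: File size reduced (inode remained the same): '{self.path}'."
        self.size, self.inode = st.st_size, st.st_ino
        return event


def rule_592_fires(event):
    """Does rule 592's <match> hit this event?"""
    return event is not None and RULE_592.match(event) is not None


def _fresh_log():
    fd, path = tempfile.mkstemp(suffix=".log")
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_LOG)
    return path


def _drop_line(path, needle):
    """Remove every line containing `needle`, rewriting in place (same inode)."""
    with open(path) as f:
        kept = [ln for ln in f if needle not in ln]
    with open(path, "w") as f:
        f.writelines(kept)


def scenario_truncate():
    """Incriminating line deleted in place: file shrinks, same inode."""
    path = _fresh_log()
    w = SizeWatcher(path)
    _drop_line(path, "/etc/shadow")
    fired = rule_592_fires(w.check())
    os.remove(path)
    return fired


def scenario_pad():
    """Lars's caveat: delete the line, then append harmless entries so the
    file ends up longer than before. Same inode, larger size: no event."""
    path = _fresh_log()
    w = SizeWatcher(path)
    _drop_line(path, "/etc/shadow")
    with open(path, "a") as f:
        f.write("Mar 28 10:21:10 host cron[99]: (root) CMD (run-parts /etc/cron.hourly)\n" * 2)
    fired = rule_592_fires(w.check())
    os.remove(path)
    return fired


def scenario_replace():
    """Nate's point about editors that rewrite the file: a new inode shows up,
    the size comparison never happens, and rule 592 stays silent."""
    path = _fresh_log()
    w = SizeWatcher(path)
    tmp = path + ".new"
    with open(path) as src, open(tmp, "w") as dst:
        dst.writelines(ln for ln in src if "/etc/shadow" not in ln)
    os.replace(tmp, path)
    fired = rule_592_fires(w.check())
    os.remove(path)
    return fired
```

Run under python3 and call the three scenario functions: only scenario_truncate() returns True. The other two are exactly the gaps the thread points at, and a content hash (what syscheck computes for a monitored file) rather than a size comparison is what closes them, which is why the suggestion to put the log under syscheck is the more robust answer.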