vim typically saves the file to a new inode. In this instance OSSEC generally detects that the log file was rotated, and may re-check all of the log messages in the log file.
On Fri, Mar 4, 2011 at 11:08 AM, Nate Woodward <[email protected]> wrote:
> Hi,
>
> I'm trying to get OSSEC to detect data deletion in log files. The page
> at http://www.ossec.net/doc/manual/monitoring/index.html indicates that
> log monitoring is done in real time, and ossec_rules.xml has these
> rules:
>
> <!-- File rotation/reduced rules -->
> <rule id="591" level="3">
>   <if_sid>500</if_sid>
>   <match>^ossec: File rotated </match>
>   <description>Log file rotated.</description>
> </rule>
>
> <rule id="592" level="8">
>   <if_sid>500</if_sid>
>   <match>^ossec: File size reduced</match>
>   <description>Log file size reduced.</description>
>   <group>attacks,</group>
> </rule>
>
> <rule id="593" level="9">
>   <if_sid>500</if_sid>
>   <match>^ossec: Event log cleared</match>
>   <description>Microsoft Event log cleared.</description>
>   <group>logs_cleared,</group>
> </rule>
>
> When I open up a log file in vim, delete a few lines and save it, rule
> 592 doesn't trigger. Am I doing something wrong? Does real-time log
> monitoring include the rules above, or do those rules only trigger when
> syscheck is run (at which time the log would have grown bigger than what
> it was before, despite my deletions)?
>
> How can I ensure log file integrity?
>
> -Nate
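The inode-versus-size distinction in the reply above, as an added illustration that is not OSSEC's code: a toy collector keeps the last inode and size it saw, reports "rotated" when the inode changes and "size_reduced" only when the same inode shrinks. The two save helpers and the file names are constructed for the demo; `vim_style_save` imitates a write-new-file-then-rename save, while `truncate_in_place` rewrites the existing inode.

```python
import os
import shutil
import tempfile

# Hypothetical model of a log collector's rotation/truncation check.
# It is not OSSEC's logcollector, only the decision logic the reply describes.

def snapshot(path):
    st = os.stat(path)
    return {"inode": st.st_ino, "size": st.st_size}

def check_log(path, state):
    """Compare the file with its last snapshot and update the snapshot.
    Returns 'rotated' if the inode changed, 'size_reduced' if the same
    inode got smaller, None if nothing suspicious happened."""
    cur = snapshot(path)
    if cur["inode"] != state["inode"]:
        event = "rotated"          # new inode: looks like logrotate, not deletion
    elif cur["size"] < state["size"]:
        event = "size_reduced"     # same inode, fewer bytes: lines were removed
    else:
        event = None
    state.update(cur)
    return event

def vim_style_save(path, text):
    # Write a fresh file and rename it over the original: the path now points
    # at a different inode, just like an editor that does not write in place.
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(text)
    os.replace(tmp, path)

def truncate_in_place(path, text):
    # Open with truncation and rewrite: the inode is preserved, the size drops.
    with open(path, "w") as f:
        f.write(text)

def demo():
    """Constructed scenario: the same line deletion done two ways."""
    d = tempfile.mkdtemp()
    try:
        path = os.path.join(d, "auth.log")
        lines = "".join(f"line {i}\n" for i in range(5))   # 5 lines, 7 bytes each
        with open(path, "w") as f:
            f.write(lines)
        state = snapshot(path)
        vim_style_save(path, lines[:-7])        # drop one line via rename
        first = check_log(path, state)          # 'rotated'
        truncate_in_place(path, lines[:-14])    # drop another line in place
        second = check_log(path, state)         # 'size_reduced'
        return first, second
    finally:
        shutil.rmtree(d)
```

Whether a real editor produces the first or the second pattern depends on how it writes the file (for vim, its 'backupcopy' setting), so a detection that only keys on "size reduced" will miss rename-based edits; correlating the rotation event with file integrity checking on the log directory covers both cases.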
