Hello.
>From your experience with OSSEC, which way would you best (in terms of less
false-positive-emails) implement "log files integrity checks"? It should
provide checks to make sure log files are not being tampered with, either
old log files or those being used.
For the sake of discussion, let's presume the following:
- all log files are kept in /var/log
- some files are being rotated by logrotate (rotated, archived and kept for
X days)
- some files are being rotated by cron jobs (due to the nature of the
logging taking place)
- some files are not rotated at all (manually when need be, in case they
grow by 1-2 KB per month or less)
What do you think is the best configuration for the agent's syscheck
subsystem and server's setup?
The agent's syscheck should have an entry like this:
<directories realtime="yes" check_all="yes">/var/log</directories>
but the above line would send alot of false positives because:
- current logs change size - This might be corrected by the auto_ignore
setting on the server.
- a cronjob rotated file would have one file grow steadily (the "collector"
logfile) and one file be random size depending on the check time (the "being
processed" logfile)
> example. imagine a logfile that gets alot of data, like 1 MB / sec.
Since the actually relevand data is just part of all that log data, a
cronjob would periodically run (like every 30-60 seconds) and extract the
information from that file (the "being processed" log) and append it to
another file (the "collector" file), then truncate the "being processed"
logfile.
- log files that get very little data in them once in a while will also
trigger an alert since they don't change that fast to be ignored (via
auto_ignore in the server).
I guess a solution would be to ignore the currently in use log file, but
that would be against the purpose of "log file integrity checking". And
besides, once a new logfile is added on the system (after installing a new
service for instance) that file should be added to the ignore list.
So, what are your thoughts / experiences on this scenarios?
Thank you for your time.
