Thanks Dan,

I have that option, and it's working, but the problem is it's dumping the full
`iptables -L -n` output on my email alerts. I want only the diff output of the
particular changes in iptables. Do you know what I am saying?

  <!-- Monitoring firewall rules -->
  <rule id="100004" level="10">
    <if_sid>530</if_sid>
    <match>ossec: output: 'iptables -S</match>
    <check_diff />
    <description>Change made to iptables</description>
  </rule>
On Fri, Apr 22, 2011 at 4:35 PM, dan (ddp) <[email protected]> wrote:
> It should be possible. Try adding <check_diff /> to the rule.
>
> More info:
> http://dcid.me/2010/03/alerting-when-a-log-or-output-of-a-command-changes/
>
> On Fri, Apr 22, 2011 at 4:28 PM, satish patel <[email protected]> wrote:
>> Thanks Dan,
>>
>> Is it possible I get diff output of my iptables command? Currently it's
>> dumping the full output. It would be good if we had only the diff output.
>>
>> -S
>>
>>
>> On Fri, Apr 22, 2011 at 4:11 PM, dan (ddp) <[email protected]> wrote:
>>> There is no setting to do what you want. You'll have to dig into the source.
>>>
>>> On Fri, Apr 22, 2011 at 3:46 PM, satish patel <[email protected]> wrote:
>>>> Hey Guys!
>>>>
>>>> I am monitoring iptables output and doing check_diff to compare and
>>>> alert, but somehow I am getting half the output of "iptables -L -n". I knew
>>>> there is a limit on email alert output.
>>>>
>>>> Can we increase the limit?
>>>>
>>>> -S
>>>>
>>>
>>
>
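To show what a rule-level diff of `iptables -S` output looks like, here is an added example that is not OSSEC's code and not from anyone in the thread: it compares two constructed snapshots and returns only the added and removed rule lines, which is the condensed alert body asked for above. The snapshot contents and the helper names `parse_rules`, `rule_diff` and `alert_body` are assumptions.

```python
"""Reduce two snapshots of `iptables -S` output to only the changed rules.

Assumptions: the snapshots below are constructed sample data, not captured
from a real host, and the helper names are invented for this example.
"""
import difflib
from typing import List

# Constructed "previous" snapshot, one rule per line as `iptables -S` prints.
BEFORE = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

# Constructed "current" snapshot: one rule was appended to INPUT.
AFTER = BEFORE + "-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT\n"


def parse_rules(output: str) -> List[str]:
    """Split command output into trimmed, non-empty rule lines."""
    return [line.strip() for line in output.splitlines() if line.strip()]


def rule_diff(before: str, after: str) -> List[str]:
    """Return only the changed lines, prefixed '+ ' (added) or '- ' (removed).

    difflib.ndiff is order-aware, so a rule that merely moved within a chain
    (which changes what iptables matches first) also shows up as a -/+ pair.
    The '? ' hint lines ndiff emits for near-identical rules are dropped.
    """
    diff = difflib.ndiff(parse_rules(before), parse_rules(after))
    return [line for line in diff if line.startswith(("+ ", "- "))]


def alert_body(before: str, after: str) -> str:
    """Build the short alert text: empty string when nothing changed."""
    changes = rule_diff(before, after)
    if not changes:
        return ""
    return "\n".join(["Change made to iptables:"] + changes)


if __name__ == "__main__":
    print(alert_body(BEFORE, AFTER))
```

Feeding the previously stored output and the fresh output into `rule_diff` yields just the one appended rule instead of the whole table.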
