Stupid solution: Periodically

    iptables -nL > /var/iptables_check/current

and syscheck that directory with something like:

    <directories realtime="yes" report_changes="yes" check_all="yes">/var/iptables_check</directories>
On Fri, Apr 22, 2011 at 5:01 PM, dan (ddp) <[email protected]> wrote:
> I know what you're saying, and I thought the check_diff option did
> that. My mistake.
> If not, I don't think there's a way to do it.
>
> On Fri, Apr 22, 2011 at 4:53 PM, satish patel <[email protected]> wrote:
>> Thanks Dan,
>>
>> I have that option, and it's working, but the problem is it's dumping the full
>> iptables -L -n output on my email alerts. I want only the diff output of the
>> particular changes in iptables. Do you know what I am saying?
>>
>> <!-- Monitoring firewall rules -->
>> <rule id="100004" level="10">
>> <if_sid>530</if_sid>
>> <match>ossec: output: 'iptables -S</match>
>> <check_diff />
>> <description>Change made to iptables</description>
>> </rule>
>>
>> On Fri, Apr 22, 2011 at 4:35 PM, dan (ddp) <[email protected]> wrote:
>>> It should be possible. Try adding <check_diff /> to the rule.
>>>
>>> More info:
>>> http://dcid.me/2010/03/alerting-when-a-log-or-output-of-a-command-changes/
>>>
>>> On Fri, Apr 22, 2011 at 4:28 PM, satish patel <[email protected]> wrote:
>>>> Thanks dan,
>>>>
>>>> Is it possible I get diff output of my iptables command? Currently it's
>>>> dumping the full output. It would be good if we had only diff output.
>>>>
>>>> -S
>>>>
>>>> On Fri, Apr 22, 2011 at 4:11 PM, dan (ddp) <[email protected]> wrote:
>>>>> There is no setting to do what you want. You'll have to dig into the
>>>>> source.
>>>>>
>>>>> On Fri, Apr 22, 2011 at 3:46 PM, satish patel <[email protected]> wrote:
>>>>>> Hey Guys!
>>>>>>
>>>>>> I am monitoring iptables output and doing check_diff to compare and
>>>>>> alert, but somehow I am getting half the output of "iptables -L -n". I know
>>>>>> there is a limit on email alert output.
>>>>>>
>>>>>> Can we increase the limit?
>>>>>>
>>>>>> -S
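As an added example (not from the thread or from OSSEC itself), the snapshot idea above can be extended so that the alert body carries only the rules that were added or removed, which is the "diff output" asked for, rather than the whole listing. The script keeps a snapshot under the suggested /var/iptables_check directory, compares a fresh "iptables -S" dump against it with a whole-line fixed-string comparison, and only replaces the snapshot (the file syscheck watches) when the rule set actually changed. The snapshot path, the function names and the two rule dumps at the bottom are assumptions and constructed sample data; "iptables -S" is assumed to be available when it is run for real.

```shell
#!/bin/sh
# Added example, not part of the thread. Keeps a snapshot of the rule set
# under the directory suggested above and, when the rules change, prints only
# the rules that were added or removed instead of the whole "iptables -L -n"
# listing. Run it from cron and let syscheck watch SNAP_DIR.
# Assumptions: "iptables -S" is available when run for real; the two rule
# dumps at the bottom are constructed sample data so the script can be
# exercised on a box without iptables.

SNAP_DIR="${SNAP_DIR:-/var/iptables_check}"   # path from the suggestion above
SNAP="$SNAP_DIR/current"

# rule_diff OLD NEW
# Prints "- rule" for every line in OLD that is missing from NEW and "+ rule"
# for every line in NEW that is missing from OLD. Lines are compared whole
# (-x) as fixed strings (-F), so an edited rule appears as one "-" and one "+".
# Reordering rules within a chain is not reported by this comparison.
rule_diff() {
    old="$1"; new="$2"
    grep -vxFf "$new" "$old" | sed 's/^/- /'
    grep -vxFf "$old" "$new" | sed 's/^/+ /'
}

# check_rules
# Takes a fresh "iptables -S" dump, reports what changed against the stored
# snapshot and installs the dump as the new snapshot. An unchanged dump is
# discarded so syscheck only sees the file change when the rules really did.
check_rules() {
    mkdir -p "$SNAP_DIR"
    tmp=$(mktemp)
    iptables -S > "$tmp"
    if [ -f "$SNAP" ] && cmp -s "$SNAP" "$tmp"; then
        rm -f "$tmp"
        return 0
    fi
    if [ -f "$SNAP" ]; then
        rule_diff "$SNAP" "$tmp"
    fi
    mv "$tmp" "$SNAP"
}

# Constructed sample dumps (not a real rule set): between the two snapshots
# the SSH rule is changed to port 2222 and a rule for 8080 is added.
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/old" <<'EOF'
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
EOF
cat > "$DEMO_DIR/new" <<'EOF'
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
EOF

# demo_diff: run rule_diff over the constructed dumps.
demo_diff() {
    rule_diff "$DEMO_DIR/old" "$DEMO_DIR/new"
}

if [ "${1:-}" = "run" ]; then
    check_rules      # real mode: needs root and iptables
else
    demo_diff        # prints the three changed rules from the sample dumps
fi
```

Called with the argument "run" from cron it does the real work; without arguments it only compares the constructed dumps. Because an unchanged dump never touches the snapshot file, a syscheck entry with report_changes="yes" on that directory alerts only on real rule changes, and the script's own output (the "-"/"+" lines) can be logged and matched by a rule in the same way as the command output in the thread.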
