Hey Dan,

You mean to say this way it will only give the diff output in the alert, right?

But you know, this way I have to maintain an external crontab.

--
Sent from my iPhone

On Apr 23, 2011, at 1:56 PM, "dan (ddp)" <[email protected]> wrote:

Stupid solution:
Periodically "iptables -nL > /var/iptables_check/current"
And syscheck that directory with something like:
<directories realtime="yes" report_changes="yes"
check_all="yes">/var/iptables_check</directories>

On Fri, Apr 22, 2011 at 5:01 PM, dan (ddp) <[email protected]> wrote:
I know what you're saying, and I thought the check_diff option did
that. My mistake.
If not, I don't think there's a way to do it.

On Fri, Apr 22, 2011 at 4:53 PM, satish patel <[email protected]> wrote:
Thanks Dan,

I have that option, and it's working, but the problem is it's dumping the full
iptables -L -n output in my email alerts. I want only the diff output of the
particular changes in iptables. Do you know what I am saying?

 <!-- Monitoring firewall rules -->
 <rule id="100004" level="10">
       <if_sid>530</if_sid>
       <match>ossec: output: 'iptables -S</match>
       <check_diff />
       <description>Change made to iptables</description>
 </rule>

On Fri, Apr 22, 2011 at 4:35 PM, dan (ddp) <[email protected]> wrote:
It should be possible. Try adding <check_diff /> to the rule.

More info:
http://dcid.me/2010/03/alerting-when-a-log-or-output-of-a-command-changes/

On Fri, Apr 22, 2011 at 4:28 PM, satish patel <[email protected]> wrote:
Thanks dan,

Is it possible I get the diff output of my iptables command? Currently it's
dumping the full output. It would be good if we had only the diff output.

-S


On Fri, Apr 22, 2011 at 4:11 PM, dan (ddp) <[email protected]> wrote:
There is no setting to do what you want. You'll have to dig into the source.

On Fri, Apr 22, 2011 at 3:46 PM, satish patel <[email protected]> wrote:
Hey Guys!

I am monitoring iptables output and doing check_diff to compare and alert, but somehow I am getting half the output of "iptables -L -n". I know
there is a limit on email alert output.

Can we increase the limit?

-S
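
The snapshot approach Dan suggests above, worked through as an added example (this is not code from the thread, from OSSEC, or from either poster). It goes one step beyond the "dump to /var/iptables_check and let syscheck watch it" idea: the script keeps the snapshot itself, compares the new "iptables -S" output against it, and emits only the added and removed rule lines, which is the diff-only alert the thread is asking for. The state directory path, the "iptables_check" syslog tag and the IPTABLES_CHECK_RUN environment variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from OSSEC itself.
# Keeps a snapshot of the firewall ruleset on disk and reports only the
# lines that changed since the last run, so the alert carries a diff
# instead of the whole "iptables -S" dump.
# Assumptions (not from the thread): the state directory path, the
# "iptables_check" syslog tag, and the IPTABLES_CHECK_RUN run-mode variable.

STATE_DIR="${STATE_DIR:-/var/iptables_check}"

# rules_diff DUMP_CMD STATE_DIR
#   Runs DUMP_CMD (normally "iptables -S"), compares its output with the
#   previous snapshot STATE_DIR/current, prints each removed rule prefixed
#   "removed: " and each added rule prefixed "added: ", then replaces the
#   snapshot.  Exit status: 0 unchanged, 1 changed, 2 first run (baseline saved).
rules_diff() {
    dump_cmd="$1"
    state_dir="$2"
    old="$state_dir/current"
    new="$state_dir/current.new"

    # Keep the baseline private: whoever can rewrite the snapshot can hide
    # a rule change from the diff.
    mkdir -p "$state_dir"
    chmod 700 "$state_dir"

    sh -c "$dump_cmd" > "$new"

    if [ ! -f "$old" ]; then
        mv "$new" "$old"
        return 2
    fi
    if cmp -s "$old" "$new"; then
        rm -f "$new"
        return 0
    fi
    # Plain diff output lists removed lines as "< ..." and added lines as
    # "> ..."; keep only those and relabel them.  diff exits 1 when the
    # files differ, which is the expected case on this path.
    diff "$old" "$new" | sed -n -e 's/^< /removed: /p' -e 's/^> /added: /p' || true
    mv "$new" "$old"
    return 1
}

# Cron entry point, e.g.
#   */5 * * * * IPTABLES_CHECK_RUN=1 /usr/local/sbin/iptables_check.sh
# Only the changed lines go to syslog, where a rule matching the
# "iptables_check" tag can turn them into an alert.
if [ "${IPTABLES_CHECK_RUN:-}" = "1" ]; then
    status=0
    changes=$(rules_diff "iptables -S" "$STATE_DIR") || status=$?
    if [ "$status" -eq 1 ]; then
        printf '%s\n' "$changes" | logger -t iptables_check
    fi
fi
```

The cron interval is the detection window: a rule inserted and removed again between two runs leaves no trace in the snapshot, which is the trade-off against the realtime syscheck approach in Dan's message. Because the script logs through syslog rather than through an OSSEC command rule, the alert body is exactly the "removed:" and "added:" lines and nothing else.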
