Look at the granular email options. Although, I think it'll have to be sent to the global email address as well.
On Tue, Apr 26, 2011 at 5:17 PM, satish patel <[email protected]> wrote:
> Thanks for the update! Let me try cron and see how it goes.
>
> Also, is it possible I can send this iptables change notification to a
> particular person rather than everyone? I mean rule-specific
> alerting.
>
> -S
>
> On Tue, Apr 26, 2011 at 4:39 PM, dan (ddp) <[email protected]> wrote:
>> Yes, it'll give you the diff.
>> The cron is why I said this is a stupid solution. ;)
>>
>> You could potentially set up a full_command to do the:
>> "iptables -nL > /var/iptables_check/current 2>&1"
>>
>> The output from that command should never change (it should always be
>> blank), so I'm hoping it wouldn't trigger any alerts.
>>
>> On Sat, Apr 23, 2011 at 7:23 PM, Satish Patel <[email protected]> wrote:
>>> Hey Dan,
>>>
>>> You mean to say this way it will only give diff output in the alert, right?
>>>
>>> But you know this way I have to maintain an external crontab.
>>>
>>> --
>>> Sent from my iPhone
>>>
>>> On Apr 23, 2011, at 1:56 PM, "dan (ddp)" <[email protected]> wrote:
>>>
>>>> Stupid solution:
>>>> Periodically "iptables -nL > /var/iptables_check/current"
>>>> And syscheck that directory with something like:
>>>> <directories realtime="yes" report_changes="yes"
>>>> check_all="yes">/var/iptables_check</directories>
>>>>
>>>> On Fri, Apr 22, 2011 at 5:01 PM, dan (ddp) <[email protected]> wrote:
>>>>>
>>>>> I know what you're saying, and I thought the check_diff option did
>>>>> that. My mistake.
>>>>> If not, I don't think there's a way to do it.
>>>>>
>>>>> On Fri, Apr 22, 2011 at 4:53 PM, satish patel <[email protected]>
>>>>> wrote:
>>>>>>
>>>>>> Thanks Dan,
>>>>>>
>>>>>> I have that option, and it's working, but the problem is it's dumping the full
>>>>>> iptables -L -n output in my email alerts. I want only the diff output of
>>>>>> the particular changes in iptables. Do you know what I am saying?
>>>>>>
>>>>>> <!-- Monitoring firewall rules -->
>>>>>> <rule id="100004" level="10">
>>>>>> <if_sid>530</if_sid>
>>>>>> <match>ossec: output: 'iptables -S</match>
>>>>>> <check_diff />
>>>>>> <description>Change made to iptables</description>
>>>>>> </rule>
>>>>>>
>>>>>> On Fri, Apr 22, 2011 at 4:35 PM, dan (ddp) <[email protected]> wrote:
>>>>>>>
>>>>>>> It should be possible. Try adding <check_diff /> to the rule.
>>>>>>>
>>>>>>> More info:
>>>>>>>
>>>>>>> http://dcid.me/2010/03/alerting-when-a-log-or-output-of-a-command-changes/
>>>>>>>
>>>>>>> On Fri, Apr 22, 2011 at 4:28 PM, satish patel <[email protected]>
>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Thanks dan,
>>>>>>>>
>>>>>>>> Is it possible to get diff output of my iptables command? Currently it's
>>>>>>>> dumping the full output. It would be good if we had only the diff output.
>>>>>>>>
>>>>>>>> -S
>>>>>>>>
>>>>>>>> On Fri, Apr 22, 2011 at 4:11 PM, dan (ddp) <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>> There is no setting to do what you want. You'll have to dig into the
>>>>>>>>> source.
>>>>>>>>>
>>>>>>>>> On Fri, Apr 22, 2011 at 3:46 PM, satish patel <[email protected]>
>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>> Hey Guys!
>>>>>>>>>>
>>>>>>>>>> I am monitoring iptables output and doing check_diff to compare and
>>>>>>>>>> alert, but somehow I am getting half the output of "iptables -L -n". I
>>>>>>>>>> knew there is a limit on email alert output.
>>>>>>>>>>
>>>>>>>>>> Can we increase the limit?
>>>>>>>>>>
>>>>>>>>>> -S
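
The "snapshot the ruleset into a directory and let syscheck diff it" approach from the thread, as an added example (not code from the thread or from the OSSEC project). The directory /var/iptables_check and the syscheck entry are taken from the thread; the function name, the IPTABLES_CMD override, the previous/current file pair, the exit codes, the script name and the cron path are this example's own assumptions. It uses `iptables -S`, the form the poster's own rule already runs, because it emits one rule per line, so a diff reads as "rule added" or "rule removed". It only rewrites the snapshot when the rules actually changed, and it refuses to replace the snapshot with an error message when iptables fails, which the bare `> current 2>&1` redirection would do.

```shell
#!/bin/sh
# Added example, not from the thread or from OSSEC: periodic iptables snapshot
# for syscheck plus a local diff of what changed.
#
# Matching syscheck entry (taken from the thread):
#   <directories realtime="yes" report_changes="yes"
#   check_all="yes">/var/iptables_check</directories>
#
# Assumed cron entry (path and interval are this example's choice):
#   */5 * * * * root /usr/local/sbin/iptables_snapshot.sh

# Command whose output is snapshotted. Overridable so the function can be
# exercised without root or iptables (the test below substitutes printf).
: "${IPTABLES_CMD:=iptables -S}"

# snapshot_rules DIR
#   Take a fresh dump of the ruleset and compare it with DIR/current.
#   Returns 0 when unchanged (DIR is left untouched, so syscheck stays quiet),
#   1 when changed (DIR/previous holds the old copy, DIR/current is updated
#   in place and a unified diff is printed), 2 when the dump itself failed.
snapshot_rules() {
    dir=$1
    mkdir -p "$dir" || return 2
    chmod 700 "$dir"                # the snapshot describes the firewall; root-only

    tmp="$dir/.new.$$"
    # Capture to a temp file first: if iptables fails (not root, missing
    # modules), the error text must not become the "current ruleset".
    if ! sh -c "$IPTABLES_CMD" > "$tmp" 2>&1; then
        rm -f "$tmp"
        return 2
    fi

    # First run: compare against an empty ruleset so every rule shows as added.
    [ -f "$dir/current" ] || : > "$dir/current"

    if cmp -s "$tmp" "$dir/current"; then
        rm -f "$tmp"
        return 0
    fi

    cp "$dir/current" "$dir/previous" || return 2
    # The diff the thread was after; "|| :" keeps set -e callers alive,
    # since diff exits 1 whenever the files differ.
    diff -u "$dir/previous" "$tmp" || :
    # Overwrite in place rather than mv, so current keeps its inode and
    # syscheck sees a modification of the file it already tracks.
    cat "$tmp" > "$dir/current"
    rm -f "$tmp"
    return 1
}

# Run the snapshot only when invoked under the assumed script name (from
# cron); when sourced for testing, just define the function.
case ${0##*/} in
    iptables_snapshot.sh) snapshot_rules /var/iptables_check; exit $? ;;
esac
```

When run from cron, the printed diff goes wherever cron's MAILTO points, which is the crudest way to get the change to one person; within OSSEC itself, the granular email options dan refers to (`<email_alerts>` with `<email_to>` and `<rule_id>` in ossec.conf) can route the syscheck change alert (rule 550 in the stock ruleset) to a specific address, with the caveat he states that the global address still receives it.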
