Thanks Michael, I have FIM on so I'll have to get that set for alerting. However, I realized we have Snoopy installed on this box, so I'm basically just pointing OSSEC to watch the Snoopy log locally. I already created a decoder for Snoopy and just had to create some rules to filter based on certain matches.
I think this may do the trick.

On Thu, Jun 23, 2011 at 6:53 PM, Michael Starks <[email protected]> wrote:

> On 06/23/2011 06:23 PM, jplee3 wrote:
>
>> Is there a 'built-in' feature that can be set to notify if a certain
>> client(s) was removed from this file?
>>
>> Otherwise, I'm thinking I should set up file integrity monitoring as
>> well as a <localfile>full_command</localfile> with a command that will
>> easily let me see what may have changed.
>
> There's nothing built-in. Using a file integrity check is a good idea. Be
> careful of check_diff since that would email the keys in the clear. Using
> the command output as you suggested is a good idea since you could awk/grep
> them out.
