Yes. Running the agentless command displays the full configuration. It's only when the diff shows changes and OSSEC emails the alert, it is truncated.
On Oct 3, 7:53 pm, "dan (ddp)" <[email protected]> wrote: > On Fri, Sep 30, 2011 at 4:11 PM, JamesH <[email protected]> wrote: > > Hello, > > > Integrity checksum alerts from our ssh_pixconfig_diff only email a few > > lines of diff followed by "More changes.." Is there anyway to receive > > the entire diff? I haven't found any. > > If you run the script by hand, do you get all of the output? > > > > > > > > > Also, on a similar topic: > > Is there anyway to write rules that would trigger based on the conents > > of that diff? The "ossec" group rules are kind of a black box. I don't > > know what they are decoding (no log source), so I don't know if I can > > use ossec-logtest to test. Any ideas?
