You can probably script something with syscheck_control. The output seems pretty easy. Or you could look at the syscheck DBs directly; they're plain text.
On Wed, Nov 16, 2011 at 11:17 AM, Christian O'Keefe <[email protected]> wrote:
> Preface - I'm new to OSSEC. So be gentle with me, please. A little
> background: I've been reviewing my environment's alert emails, and have two
> spreadsheets going. One is anomalies that I report to our application and
> systems leads for them to investigate, and the other one that is getting
> completely out of hand is logging checksum changes. I was asked to do
> this, probably because someone doesn't like me.
>
> Has anyone done any work with aggregating the data received from the alert
> emails generated? Basically, on the checksums front, I have said
> spreadsheet indicating how many times specific checksums are changed. This
> is very manual and tedious, but we plan on writing rules for specific
> checksums. I've been playing around with Outlook and Excel, trying to get
> it to export the data to a spreadsheet that I can manipulate, but I can't
> seem to get it in a readable format that is even remotely usable.
>
> I'm wondering if anyone has done something similar, or has another approach
> for how you manage checksum changes.
>
> Thanks in advance.
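The reply points at syscheck_control or the syscheck DB files. A third route that matches the original question more directly is to parse the alert text itself, since the checksum-change e-mails carry the same lines that land in alerts.log. The script below is an added example written for this thread; it is not code from either poster or from the OSSEC project. It assumes the alerts.log layout shown in the constructed sample (a "** Alert" header line, an origin line ending in "->syscheck", a "Rule:" line, and an "Integrity checksum changed for:" line), the checksum values in the sample are placeholders, and the hypothetical "noisy file" threshold of 3 is just a starting point for deciding which paths deserve an <ignore> entry in the <syscheck> section of ossec.conf or agent.conf.

```python
"""Aggregate OSSEC syscheck checksum-change alerts per host and file.

Feed it alerts.log (or the concatenated bodies of the alert e-mails) and it
counts how often each file changed, so the noisy ones can be turned into
<ignore> entries instead of being tracked in a spreadsheet.
"""
import re
import sys
from collections import Counter

# Constructed sample in the layout of OSSEC alerts.log. Hosts, paths and
# checksums are made up; sha1 lines are left out for brevity.
SAMPLE_ALERTS = """\
** Alert 1321455260.1001: mail - ossec,syscheck,
2011 Nov 16 11:14:20 (web01) 10.0.0.5->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
Old md5sum was: 'aaaa'
New md5sum is : 'bbbb'

** Alert 1321455300.1002: mail - ossec,syscheck,
2011 Nov 16 11:15:00 (web01) 10.0.0.5->syscheck
Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
Integrity checksum changed for: '/etc/passwd'
Old md5sum was: 'bbbb'
New md5sum is : 'cccc'

** Alert 1321455400.1003: mail - ossec,syscheck,
2011 Nov 16 11:16:40 (db01) 10.0.0.7->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/var/log/app/rotating.log'
Old md5sum was: '1111'
New md5sum is : '2222'

** Alert 1321455460.1004: mail - ossec,syscheck,
2011 Nov 16 11:17:40 (db01) 10.0.0.7->syscheck
Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
Integrity checksum changed for: '/var/log/app/rotating.log'
Old md5sum was: '2222'
New md5sum is : '3333'

** Alert 1321455520.1005: mail - ossec,syscheck,
2011 Nov 16 11:18:40 (db01) 10.0.0.7->syscheck
Rule: 552 (level 7) -> 'Integrity checksum changed again (3rd time).'
Integrity checksum changed for: '/var/log/app/rotating.log'
Old md5sum was: '3333'
New md5sum is : '4444'

** Alert 1321455580.1006: mail - ossec,syscheck,
2011 Nov 16 11:19:40 (web01) 10.0.0.5->syscheck
Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
File '/tmp/build.lock' was deleted. Unable to retrieve checksum.

** Alert 1321455640.1007: mail - syslog,sshd,
2011 Nov 16 11:20:40 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Nov 16 11:20:39 web01 sshd[2211]: Failed password for root from 10.9.9.9 port 4444 ssh2
"""

ALERT_HEADER = re.compile(r"^\*\* Alert (\d+)\.\d+: \S+ - (\S+)$", re.M)
# Origin line: agent alerts carry "(agentname) ip->syscheck", local ones "host->syscheck".
ALERT_ORIGIN = re.compile(
    r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?:\((\S+)\) )?(\S+)->syscheck$", re.M)
ALERT_RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$", re.M)
ALERT_PATH = re.compile(r"^Integrity checksum changed for: '(.*)'$", re.M)


def parse_syscheck_alerts(text):
    """Return one dict per checksum-change alert; other alerts are skipped."""
    events = []
    for block in re.split(r"\n(?=\*\* Alert )", text.strip()):
        header, origin = ALERT_HEADER.search(block), ALERT_ORIGIN.search(block)
        rule, path = ALERT_RULE.search(block), ALERT_PATH.search(block)
        if not (header and origin and rule and path):
            continue  # deletion/addition alerts and non-syscheck alerts have no path line
        if "syscheck" not in header.group(2).split(","):
            continue
        events.append({
            "epoch": int(header.group(1)),
            "time": origin.group(1),
            "host": origin.group(2) or origin.group(3),
            "rule": int(rule.group(1)),   # 550/551/552 all count as a change
            "path": path.group(1),
        })
    return events


def aggregate(events):
    """Count changes per (host, path), most frequent first."""
    counts = Counter((e["host"], e["path"]) for e in events)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def noisy_paths(events, threshold):
    """Paths that changed at least `threshold` times on some host (threshold is an assumption)."""
    return sorted({path for (_host, path), n in aggregate(events) if n >= threshold})


def ignore_snippet(paths):
    """Render paths as <ignore> entries for the <syscheck> block of ossec.conf/agent.conf."""
    body = "\n".join("    <ignore>%s</ignore>" % p for p in paths)
    return "  <syscheck>\n%s\n  </syscheck>" % body


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    evts = parse_syscheck_alerts(text)
    for (host, path), n in aggregate(evts):
        print("%4d  %-8s %s" % (n, host, path))
    print(ignore_snippet(noisy_paths(evts, 3)))
```

Run it as `python aggregate_syscheck.py /var/ossec/logs/alerts/alerts.log` on the manager (or on a saved mailbox export) and the counts replace the spreadsheet; review the candidate <ignore> list by hand before committing it, because a file that changes often is not automatically a file you want to stop watching.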
