I have a log collection/correlation engine running on a centralized rsyslog server. I have configured ossec to log to a local rsyslog forwarder in the <syslog_output> stanza of the server's ossec.conf and am seeing rule alerts that fire from the ossec server end up in syslog:
Alert Level: 7; Rule: 550 - Integrity checksum changed.; Location: XXXX->syscheck; Integrity checksum changed for: '/usr/sbin/automount'

I have not been seeing any of the change details that appear in email alerts, however. Is there an option to enable checksum or file diff logging to syslog? I'm thinking about something like this:

Alert Level: 7; Rule: 550 - Integrity checksum changed.; Location: XXXX->syscheck; Integrity checksum changed for: '/usr/sbin/automount'; oldsize: '12345'; newsize: '12346'; oldmd5: 'md5checksum'; newmd5: 'md5checksum'; oldsha1: 'sha1checksum'; newsha1: 'sha1checksum'

Thanks in advance!
Weezel
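The question is how to get the per-file detail lines (old/new size and checksums) into a single syslog record. As an added example, not code from the post or from the OSSEC project, the Python below parses a syscheck alert record in the alerts.log layout (the "** Alert" header, the date/location line, the "Rule:" line, then the detail lines) and renders it as the one-line form sketched in the post. The sample alert is constructed, not captured from the poster's server; the "Permissions changed"/"Ownership changed" patterns and the output key names beyond those in the post (oldperm, olduid, oldgid and their "new" counterparts) are assumptions about syscheck's detail lines.

```python
"""Flatten an OSSEC-style syscheck alert into one syslog-friendly line.

Added example; not from the original post or from OSSEC itself. The alert
text is constructed in the alerts.log layout; output key names follow the
sketch in the post, with the permission/ownership keys assumed.
"""
import re

# Constructed sample record (not a real capture).
SAMPLE_ALERT = """\
** Alert 1325376000.12345: mail - ossec,syscheck,
2012 Jan 01 00:00:00 XXXX->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/usr/sbin/automount'
Size changed from '12345' to '12346'
Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is: '9e107d9d372bb6826bd81d3542a419d6'
Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
New sha1sum is: '2fd4e1c67a2d28fced849ee1bb76e7391b93eb12'
"""

_RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
_LOCATION_RE = re.compile(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} (?P<location>.+)$")
_FILE_RE = re.compile(r"^Integrity checksum changed for: '(?P<file>.*)'$")

# (regex, output keys) for the detail lines. The size/md5/sha1 lines follow
# syscheck's wording; the permission/ownership lines are assumed to use the
# same "changed from 'x' to 'y'" quoting.
_DETAIL_RES = [
    (re.compile(r"^Size changed from '([^']*)' to '([^']*)'$"), ("oldsize", "newsize")),
    (re.compile(r"^Permissions changed from '([^']*)' to '([^']*)'$"), ("oldperm", "newperm")),
    (re.compile(r"^Ownership changed from '([^']*)' to '([^']*)'$"), ("olduid", "newuid")),
    (re.compile(r"^Group ownership changed from '([^']*)' to '([^']*)'$"), ("oldgid", "newgid")),
    (re.compile(r"^Old md5sum was: '([^']*)'$"), ("oldmd5",)),
    (re.compile(r"^New md5sum is: '([^']*)'$"), ("newmd5",)),
    (re.compile(r"^Old sha1sum was: '([^']*)'$"), ("oldsha1",)),
    (re.compile(r"^New sha1sum is: '([^']*)'$"), ("newsha1",)),
]


def parse_alert(text):
    """Return header fields plus whichever detail lines are present.

    Detail lines that do not appear (e.g. an unchanged size) simply yield
    no key, so the caller never sees a fabricated value.
    """
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("** Alert"):
            continue
        m = _RULE_RE.match(line)
        if m:
            out.update(rule=int(m["rule"]), level=int(m["level"]), desc=m["desc"])
            continue
        m = _LOCATION_RE.match(line)
        if m:
            out["location"] = m["location"]
            continue
        m = _FILE_RE.match(line)
        if m:
            out["file"] = m["file"]
            continue
        for rx, keys in _DETAIL_RES:
            m = rx.match(line)
            if m:
                out.update(zip(keys, m.groups()))
                break
    for required in ("rule", "level", "location", "file"):
        if required not in out:
            raise ValueError("not a syscheck alert: missing %s" % required)
    return out


def to_syslog_line(fields):
    """Render the single-line form from the post, keeping the default prefix."""
    parts = [
        "Alert Level: %d" % fields["level"],
        "Rule: %d - %s" % (fields["rule"], fields["desc"]),
        "Location: %s" % fields["location"],
        "Integrity checksum changed for: '%s'" % fields["file"],
    ]
    order = ("oldsize", "newsize", "oldperm", "newperm", "olduid", "newuid",
             "oldgid", "newgid", "oldmd5", "newmd5", "oldsha1", "newsha1")
    parts += ["%s: '%s'" % (k, fields[k]) for k in order if k in fields]
    return "; ".join(parts)


def flatten(text):
    """Parse one alert record and return it as one syslog-style line."""
    return to_syslog_line(parse_alert(text))


if __name__ == "__main__":
    print(flatten(SAMPLE_ALERT))
```

Run it over the full multi-line alert text (e.g. records from alerts.log split on the "** Alert" header) rather than over the forwarded syslog line, which, consistent with what the post observes, carries only the first line of the alert. Keeping the default "Alert Level: ...; Rule: ...; Location: ..." prefix means existing correlation rules on the rsyslog side keep matching, with the checksum fields appended as extra key/value pairs.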
