Thank you for your suggestion. But we don’t want to monitor the OSSEC log files. For PCI we have to monitor the normal server and application logs. The requirement is that an alert is generated if a log file is changed. Real-time monitoring would do exactly that. Besides, if new entries are added to the log file at the bottom, no alert should be generated.

According to the documentation we know that it is only possible to monitor directories and not log files. So the plan is to monitor the log directory. We had Samhain in place before and switched last year to OSSEC. Maybe Samhain can handle this issue, but nothing else worked reliably with Samhain. We are very pleased with OSSEC and would never switch back. So the feature described above is the only thing that we cannot get working.

On Wednesday, September 19, 2012 12:59:37 PM UTC+2, Andreas Lang wrote:
> Hello,
>
> We have some questions regarding analysing log files with OSSEC referring to the log file requirements in PCI-DSS 10.5.5.
>
> PCI DSS 10.5.5.:
> *Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).*
>
> To cover this issue we wanted to enable real-time monitoring on our log file directories. Unfortunately we are getting this error:
> Ignoring flag for real time monitoring on directory: '/data/'
>
> Our servers are based on Ubuntu 10.04, 11.04 and 11.10, all x64 systems. We are using OSSEC 2.5 for clients and server. I know that for real-time monitoring the tool inotify-tools must be installed, but unfortunately this didn’t resolve the issue.
> Do you have any suggestions how we can make the real-time monitoring of growing log files work correctly?
>
> Thank you very much in advance
>
> Regards.
>
> Andreas Lang
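The PCI DSS 10.5.5 wording in the quoted message asks for something a plain checksum cannot give: alert when existing log bytes change, stay quiet when new lines are appended. A file-integrity monitor that compares whole-file hashes sees every append as a change. The script below is an added example written for this thread, not OSSEC code and not the poster's configuration: it records, per file, the size last seen and the SHA-256 of exactly those bytes, and on the next check hashes only that prefix. If the prefix still matches and the file is the same size or larger, the file has only grown; anything else (prefix mismatch, shrinkage, disappearance) is a tamper alert. The log lines, hostnames and addresses in `demo()` are constructed for the example.

```python
"""
Append-only log integrity check (added example, not OSSEC's own code).

Models the PCI DSS 10.5.5 requirement from the thread: raise an alert when
existing log data is altered or removed, but stay quiet when new lines are
appended. A whole-file hash cannot tell the two apart; recording the size
and the hash of the bytes seen so far can.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 16


def hash_prefix(path, length):
    """SHA-256 of the first `length` bytes of `path`, or None if the file is shorter."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(CHUNK, remaining))
            if not chunk:
                return None
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def baseline(path):
    """Record what we have seen: current size and the hash of exactly those bytes."""
    size = os.path.getsize(path)
    return {"size": size, "sha256": hash_prefix(path, size)}


def check(path, prev):
    """Compare the file against the recorded baseline.

    Returns (verdict, new_state). Verdicts: 'unchanged' and 'appended' are
    allowed; 'modified', 'truncated' and 'missing' should raise an alert.
    """
    if not os.path.exists(path):
        return "missing", prev
    size = os.path.getsize(path)
    if size < prev["size"]:
        return "truncated", baseline(path)
    prefix = hash_prefix(path, prev["size"])
    if prefix is None:            # shrank between getsize() and read(): treat as truncation
        return "truncated", baseline(path)
    if prefix != prev["sha256"]:
        return "modified", baseline(path)
    if size == prev["size"]:
        return "unchanged", prev
    return "appended", baseline(path)   # old bytes intact, only new bytes after them


def demo():
    """Walk one constructed log through append, in-place edit, wipe and deletion."""
    path = os.path.join(tempfile.mkdtemp(), "auth.log")
    # Constructed sample lines; not taken from a real system.
    with open(path, "wb") as f:
        f.write(b"Sep 19 12:59:37 web1 sshd[2211]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2\n")
        f.write(b"Sep 19 13:00:02 web1 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/ls\n")
    state = baseline(path)
    verdicts = []

    v, state = check(path, state)                     # nothing happened
    verdicts.append(v)

    with open(path, "ab") as f:                       # normal growth: no alert wanted
        f.write(b"Sep 19 13:01:10 web1 sshd[2240]: Failed password for root from 203.0.113.9 port 40000 ssh2\n")
    v, state = check(path, state)
    verdicts.append(v)

    with open(path, "r+b") as f:                      # same-size edit of an existing line
        data = f.read()
        f.seek(0)
        f.write(data.replace(b"for root from", b"for r00t from"))
    v, state = check(path, state)
    verdicts.append(v)

    with open(path, "wb"):                            # log wiped to zero bytes
        pass
    v, state = check(path, state)
    verdicts.append(v)

    os.remove(path)                                   # log deleted
    v, state = check(path, state)
    verdicts.append(v)
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Two caveats for anyone wiring this into a real deployment. Log rotation legitimately truncates or replaces a file, so the rotation event (or a comparison of inode numbers) has to be fed into the check, otherwise every rotation is an alert. And this is a polling check; to make it "real-time" in the sense the thread wants, run it from an inotify modify/close-write event on the directory. On that point, the "Ignoring flag for real time monitoring on directory" message is what OSSEC's syscheck prints when the agent binary itself was compiled without inotify support; the `inotify-tools` package only provides user-space utilities and does not change what the agent can do. Whether that is the cause on the Ubuntu hosts in the thread is an assumption here, but a rebuild with inotify headers present is the first thing to check before touching `<directories realtime="yes">` in `ossec.conf`.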
