On 19.09.2012 09:43, Andreas Lang wrote:
Thank you for your suggestion. But we don’t want to monitor the
OSSEC log files. For PCI we have to monitor the normal server and
application logs. The requirement is that an alert is generated if a
log file is changed. Real time monitoring would do exactly that.
Besides, if new entries are added to the log file at the bottom, no
alert should be generated.

One of us is confused. :) You can monitor normal system logs for nefarious activity *and* get an alert if that file is truncated while running.
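
The requirement discussed in this exchange (alert when existing log content is altered or the file is truncated, stay silent when entries are appended at the bottom) can be checked by keeping a baseline of the file's size and a hash of the bytes up to that size. This is an added example, not part of the original thread and not OSSEC's own code; `snapshot`, `check` and `demo` are hypothetical names and the log lines are constructed.

```python
import hashlib
import os
import tempfile

def snapshot(path):
    """Baseline of the whole file: a check against an empty baseline."""
    return check(path, {"size": 0, "sha256": hashlib.sha256().hexdigest()})[1]

def check(path, prev):
    """Return (status, new_baseline); only 'truncated' and 'modified' warrant an alert."""
    h, left, tail = hashlib.sha256(), prev["size"], 0
    with open(path, "rb") as f:
        while left:                      # re-hash the bytes the baseline covers
            chunk = f.read(min(65536, left))
            if not chunk:                # file ends before the old size
                return "truncated", snapshot(path)
            h.update(chunk)
            left -= len(chunk)
        if h.hexdigest() != prev["sha256"]:
            return "modified", snapshot(path)   # an existing entry was altered
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)              # entries added at the bottom extend the hash
            tail += len(chunk)
    status = "appended" if tail else "unchanged"
    return status, {"size": prev["size"] + tail, "sha256": h.hexdigest()}

def demo():
    """Run four cases against a constructed sample log; returns the statuses."""
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    edits = [("ab", lambda f: None),                              # nothing happens
             ("ab", lambda f: f.write(b"09:05 logout alice\n")),  # normal append
             ("r+b", lambda f: f.write(b"XX")),                   # overwrite old bytes
             ("r+b", lambda f: f.truncate(5))]                    # cut the file short
    try:
        with open(path, "wb") as f:
            f.write(b"09:00 login alice\n")
        base, seen = snapshot(path), []
        for mode, edit in edits:
            with open(path, mode) as f:
                edit(f)
            status, base = check(path, base)
            seen.append(status)
        return seen
    finally:
        os.remove(path)
```

Log rotation also shrinks or replaces the file, so a deployment of this check would need to reset the baseline when rotation is expected.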
