If I may jump in. We were wondering the same thing, how OSSEC accomplishes it, but obviously it is currently not implemented; we will set up the "shrinking" log file detection.

From a technical perspective, at least for text-based log files a continuous diff could lead to the desired result (by ignoring / whitelisting any content that is added).

Ludwig

On Thursday, September 20, 2012 3:54:24 PM UTC+2, Michael Starks wrote:
>
> On 20.09.2012 02:22, Andreas Lang wrote:
>
> > log @ minute4, tampering: User1 entry is deleted / modified, but size
> > 3k due to growing logfile:
> >
> > Minute 2: Some other logging
> > Minute 3: Some other logging
> > Minute 4: Some other logging
>
> I agree that this would be ideal, but can any solution do this for a
> running log file? I would seriously be interested to know. The only way
> I can think of is to monitor which process is ordinarily writing to the
> file and look for writes from any other account with auditd or something
> along those lines. Again, it's not fool-proof, but sometimes good enough
> is good enough.
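The "continuous diff that whitelists appended content" idea from the reply above, worked through as an added example (this is not code from the thread, from OSSEC, or from any other project). The monitor keeps the length of the file and a SHA-256 of its content from the last check; on the next check it re-hashes only the previously seen prefix, so a pure append passes while a deletion or edit inside the old region is flagged even when new lines have pushed the size back up (the minute-4 scenario quoted above). A plain size decrease is reported separately as the "shrinking" case. The file name `auth.log`, the `AppendOnlyMonitor` class and the log lines in `simulate()` are all constructed for the demonstration.

```python
import hashlib
import os
import tempfile


class AppendOnlyMonitor:
    """Flag any change to a log file that is not a pure append.

    State kept between checks: the byte length at the last check and the
    SHA-256 of those bytes. On the next check the first `length` bytes are
    hashed again; if the digest differs, something inside the region already
    observed was deleted or modified, regardless of whether the file has
    grown since.  (Hypothetical helper written for this example.)
    """

    def __init__(self, path):
        self.path = path
        self.length = 0
        self.digest = hashlib.sha256(b"").hexdigest()
        self.check()  # take the initial baseline

    def check(self):
        with open(self.path, "rb") as fh:
            data = fh.read()
        if len(data) < self.length:
            verdict = "shrunk"        # the classic truncation case
        elif hashlib.sha256(data[: self.length]).hexdigest() != self.digest:
            verdict = "modified"      # old region changed, size may even be larger
        elif len(data) == self.length:
            verdict = "unchanged"
        else:
            verdict = "appended"      # whitelisted: only new bytes after the old end
        # Re-baseline so the next check diffs against the current content.
        self.length = len(data)
        self.digest = hashlib.sha256(data).hexdigest()
        return verdict


def simulate():
    """Replay the scenario from the thread on a constructed temporary file."""
    verdicts = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "auth.log")  # constructed sample log
        with open(path, "wb") as fh:
            fh.write(b"minute1: User1 logged in\n")
        mon = AppendOnlyMonitor(path)

        # Minute 2: ordinary growth, nothing old is touched.
        with open(path, "ab") as fh:
            fh.write(b"minute2: some other logging\n")
        verdicts.append(mon.check())

        # Minute 4: the User1 entry is removed, but new lines make the file
        # larger than before, so a size check alone would see nothing.
        with open(path, "wb") as fh:
            fh.write(b"minute2: some other logging\n"
                     b"minute3: some other logging\n"
                     b"minute4: some other logging\n")
        verdicts.append(mon.check())

        # Plain truncation: the file shrinks.
        with open(path, "wb") as fh:
            fh.write(b"")
        verdicts.append(mon.check())

        # Nothing happened since the last check.
        verdicts.append(mon.check())
    return verdicts


if __name__ == "__main__":
    print(simulate())
```

Two caveats for real use. Log rotation legitimately shrinks or replaces the file, so a deployed monitor would have to whitelist that (for example by noticing the inode change after rotation) or it will alert on every rotation. And, as the quoted reply already points out, this only detects tampering after the fact and from the same host; someone who can rewrite the log can usually also stop the monitor, so it belongs alongside write-auditing of the log file with auditd rather than in place of it.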
