All,
I need to have ossec detect changes to files and then send emails to
specific groups when it detects said changes. I have had great success
when the file is a specific file but in order to complete my task I have to
set up rules to match changes on file types such as .war, .sh or .config.
For example, I have this set up and working on my version 2.7 Ossec server
running on CentOS:
<email_alerts>
<email_to>[email protected]</email_to>
<rule_id>100501|100502</rule_id>
<event_location>several of my servers</event_location>
<do_not_delay/>
<do_not_group/>
</email_alerts>
where:
<rule id="100501" level="12">
<if_matched_group>syscheck</if_matched_group>
<match>/file/to/be/watched/ROOT.war</match>
<description>Changes to ROOT.war - Critical file!</description>
</rule>
<rule id="100502" level="12">
<if_matched_group>syscheck</if_matched_group>
<match>/file/to/be/watched/blah.war</match>
<description>Changes to blah.war -Critical file!</description>
</rule>
Rule that I have tried to do that does not work:
<email_alerts>
<email_to>[email protected]</email_to>
<rule_id>100501|100502|100503</rule_id>
<event_location>several of my servers</event_location>
<do_not_delay/>
<do_not_group/>
</email_alerts>
where:
<rule id="100503" level="12">
<if_matched_group>syscheck</if_matched_group>
<match type="sregex">/file/to/be/watched/\..config</match>
<description>Changes to blah*.config - Critical file!</description>
</rule>
As soon as I add rule 100503 to my local rules file and restart service
ossec-hids, ossec fails and errors out trying to read this rule file so I
know there is a problem with the rule but I am sure stuck.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
