On Mon, Nov 25, 2013 at 5:51 PM, funwithossec <[email protected]> wrote:
> All,
> I need to have ossec detect changes to files and then send emails to
> specific groups when it detects said changes. I have had great success when
> the file is a specific file, but in order to complete my task I have to set
> up rules to match changes on file types such as .war, .sh or .config.
>
> For example, I have this set up and working on my version 2.7 Ossec server
> running on CentOS:
>
> <email_alerts>
>   <email_to>[email protected]</email_to>
>   <rule_id>100501|100502</rule_id>
>   <event_location>several of my servers</event_location>
>   <do_not_delay/>
>   <do_not_group/>
> </email_alerts>
>
> where:
>
> <rule id="100501" level="12">
>   <if_matched_group>syscheck</if_matched_group>
>   <match>/file/to/be/watched/ROOT.war</match>
>   <description>Changes to ROOT.war - Critical file!</description>
> </rule>
>
> <rule id="100502" level="12">
>   <if_matched_group>syscheck</if_matched_group>
>   <match>/file/to/be/watched/blah.war</match>
>   <description>Changes to blah.war - Critical file!</description>
> </rule>
>
> Rule that I have tried to do that does not work:
>
> <email_alerts>
>   <email_to>[email protected]</email_to>
>   <rule_id>100501|100502|100503</rule_id>
>   <event_location>several of my servers</event_location>
>   <do_not_delay/>
>   <do_not_group/>
> </email_alerts>
>
> where:
>
> <rule id="100503" level="12">
>   <if_matched_group>syscheck</if_matched_group>
>   <match type="sregex">/file/to/be/watched/\..config</match>

Does match have an sregex type? I don't remember one, but adding it to the documentation would be quick. Why not <regex>/file/to/be/watched/\.+.config</regex>?

>   <description>Changes to blah*.config - Critical file!</description>
> </rule>
>
> As soon as I add rule 100503 to my local rules file and restart service
> ossec-hids, ossec fails and errors out trying to read this rule file so I
> know there is a problem with the rule but I am sure stuck.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
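The `<regex>` suggested in the reply is written in OSSEC's own regex dialect, where `\.` means "any single character" and a bare `.` is a literal dot, which is the opposite of PCRE/Python and the usual source of confusion when a file-type rule does not fire. The script below is an added example, not code from this thread or from the OSSEC project: it translates an OSSEC `<regex>` pattern into an equivalent Python regex (assuming the documented OSSEC classes `\w \d \s \p \W \D \S \t \.`, the operators `+ * ^ $ | ( )`, and everything else literal) and runs the rules from the thread against constructed syscheck alert messages, so you can see which paths a pattern would catch before restarting ossec-hids. Rule 100504 and the alert lines are hypothetical; the alert text format follows the "Integrity checksum changed for: '...'" message syscheck produces.

```python
"""Translate OSSEC <regex> patterns to Python and dry-run syscheck rules.

Added example (not from the ossec-list thread or the OSSEC code base).
Assumes the OSSEC regex dialect: '\\.' = any character, '\\w' = alnum/_,
'\\d' = digit, '\\s' = space, '\\p' = punctuation, '\\W' '\\D' '\\S' their
negations, '\\t' = tab; '+', '*', '^', '$', '|', '(', ')' keep their
meaning; every other character, including '.', is literal. Matching is a
search (unanchored) unless the pattern uses '^' or '$'.
"""
import re
import string

# OSSEC escape letter -> Python regex fragment
OSSEC_CLASSES = {
    ".": ".",                                    # OSSEC \. = any one char
    "w": r"[A-Za-z0-9_]",
    "d": r"[0-9]",
    "s": r"\s",
    "p": "[" + re.escape(string.punctuation) + "]",
    "W": r"[^A-Za-z0-9_]",
    "D": r"[^0-9]",
    "S": r"\S",
    "t": r"\t",
}
OSSEC_OPERATORS = set("+*^$|()")


def ossec_to_python(pattern: str) -> str:
    """Return a Python regex equivalent to an OSSEC <regex> pattern."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            # Known OSSEC class, otherwise the escaped char is literal (assumption)
            out.append(OSSEC_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
            continue
        out.append(ch if ch in OSSEC_OPERATORS else re.escape(ch))
        i += 1
    return "".join(out)


def matching_rules(alert_text: str, rules) -> list:
    """Ids of rules whose <regex> (OSSEC syntax) matches the alert text."""
    return [rid for rid, pat in rules
            if re.search(ossec_to_python(pat), alert_text)]


# Rules from the thread plus one hypothetical tighter variant (100504):
# \w+ cannot cross '/', so it stays inside the watched directory.
RULES = [
    ("100501", r"/file/to/be/watched/ROOT.war"),
    ("100503", r"/file/to/be/watched/\.+.config"),
    ("100504", r"/file/to/be/watched/\w+.config"),
]

# Constructed syscheck alert messages, in the shape OSSEC emits.
SAMPLE_ALERTS = [
    "Integrity checksum changed for: '/file/to/be/watched/ROOT.war'",
    "Integrity checksum changed for: '/file/to/be/watched/blah.config'",
    "Integrity checksum changed for: '/file/to/be/watched/sub/app.config'",
    "Integrity checksum changed for: '/etc/ossec.config'",
]

if __name__ == "__main__":
    for rid, pat in RULES:
        print(f"rule {rid}: OSSEC {pat!r} -> Python {ossec_to_python(pat)!r}")
    for alert in SAMPLE_ALERTS:
        print(f"{alert}\n    fires: {matching_rules(alert, RULES) or 'none'}")
```

Two things the dry run makes visible: the reply's `\.+.config` also fires for files in subdirectories of the watched path (the `\.+` crosses `/`), and because OSSEC matching is a search, an unanchored pattern will also hit the same directory name appearing deeper in another tree; add `^` to the rule, or use `\w+` instead of `\.+`, if either is unwanted.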
