You'd want to add a filter to the end of the rule. For example: -F euid!=505 (or whatever the appropriate UID is for your OSSEC account)
On Mon, Jan 12, 2015 at 1:48 PM, <[email protected]> wrote:
> I am looking into auditd and that seems to be the route I want to go. What
> would the rule be for the folder /var/ossec/logs/ that excludes the OSSEC
> user?
>
> On Monday, January 12, 2015 at 12:43:55 PM UTC-6, Chris Decker wrote:
>>
>> Yes - I currently monitor a few log files for 'writes' using auditd and I
>> have OSSEC configured to generate alerts. Be aware, though, that the
>> auditd logs are multiline logs with a variable number of lines, thus OSSEC
>> cannot stitch 'events' together using the common ID (though from the
>> placeholders in the OSSEC documentation it looks like this feature may be
>> coming in OSSEC 2.9) and give you information like the user ID that wrote
>> to the file.
>>
>> On Mon, Jan 12, 2015 at 12:00 PM, <[email protected]> wrote:
>>
>>> Would auditd also send its logs to the OSSEC alert system?
>>>
>>> On Monday, January 12, 2015 at 10:52:25 AM UTC-6, Chris Decker wrote:
>>>>
>>>> You could configure *auditd* to monitor for reads/writes to
>>>> /var/ossec/logs and include a filter to exclude the OSSEC UID.
>>>>
>>>> On Mon, Jan 12, 2015 at 11:27 AM, dan (ddp) <[email protected]> wrote:
>>>>
>>>>> On Mon, Jan 12, 2015 at 11:23 AM, <[email protected]> wrote:
>>>>> > All other log files aggregate into OSSEC. The auditor wants these
>>>>> > logs on the OSSEC server to be logged as well. I just cannot find
>>>>> > anyone else that could do this.
>>>>> >
>>>>>
>>>>> So no other logs have this requirement? That's kinda silly.
>>>>> Have you tried contacting your mystery OS's vendor? Perhaps they know
>>>>> of a solution.
>>>>>
>>>>> > On Monday, January 12, 2015 at 10:22:05 AM UTC-6, dan (ddpbsd) wrote:
>>>>> >>
>>>>> >> On Mon, Jan 12, 2015 at 11:17 AM, <[email protected]> wrote:
>>>>> >> > Sadly no they did not. They just want notices if the files
>>>>> >> > change. But to log access to said files causes an infinite loop
>>>>> >> > of alerts.
>>>>> >> >
>>>>> >>
>>>>> >> How is this handled for other log files?
>>>>> >>
>>>>> >> > On Monday, January 12, 2015 at 9:55:48 AM UTC-6, dan (ddpbsd) wrote:
>>>>> >> >>
>>>>> >> >> On Mon, Jan 12, 2015 at 10:36 AM, Christopher Dangerfield
>>>>> >> >> <[email protected]> wrote:
>>>>> >> >> > After going through a security audit with my current employer
>>>>> >> >> > something came up that I cannot figure out how to solve. No one
>>>>> >> >> > online seems to have run into this. The auditor wants us to log
>>>>> >> >> > and alert access to the /var/ossec/logs folder. I can do this,
>>>>> >> >> > but every alert creates a log change thus creates another alert
>>>>> >> >> > and log change, etc, etc, etc. Has anyone ever had to do this
>>>>> >> >> > and could help me?
>>>>> >> >> >
>>>>> >> >>
>>>>> >> >> Did the auditors have any suggestions?
>>>>> >> >>
>>>>> >> >> > --
>>>>> >> >> > Chris
>>>>> >> >> >
>>>>> >> >> > --
>>>>> >> >> >
>>>>> >> >> > ---
>>>>> >> >> > You received this message because you are subscribed to the
>>>>> >> >> > Google Groups "ossec-list" group.
>>>>> >> >> > To unsubscribe from this group and stop receiving emails from
>>>>> >> >> > it, send an email to [email protected].
>>>>> >> >> > For more options, visit https://groups.google.com/d/optout.
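The rule Chris Decker describes (a euid filter that excludes the OSSEC account) together with the record-stitching he says OSSEC cannot do on its own, as an added example that is not code from the thread or from OSSEC; it assumes an account named ossec, an audit key ossec_logs, and constructed sample audit records.

```shell
#!/bin/sh
# Added example, not code from the thread. Hypothetical names: the "ossec"
# account and the "ossec_logs" audit key; UID 505 is the thread's example.
# auditctl allows only -p and -k with a -w watch, so the euid filter needs
# the syscall form with -F dir= (same recursive watch semantics).

# Print the auditd rule: log writes/attribute changes under /var/ossec/logs/
# except those made with the OSSEC account's effective UID, so OSSEC's own
# log writes never feed back into the alert loop the thread describes.
ossec_audit_rule() {
    printf '%s\n' "-a always,exit -F dir=/var/ossec/logs/ -F perm=wa -F euid!=$1 -k ossec_logs"
}

# Same rule with the UID resolved on this host; append to your audit rules file and reload.
ossec_audit_rule_for_host() {
    ossec_audit_rule "$(id -u ossec)"
}

# Constructed sample of what auditd writes for one matching open(): several
# records that share the msg=audit(<time>:<serial>) id. OSSEC reads one line
# at a time, so it cannot pair the SYSCALL record (uid=) with the PATH record
# (name=) by itself; stitch_ossec_events does that pairing by serial number.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1421092800.123:4242): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=2000 auid=1000 uid=1000 gid=1000 euid=1000 comm="vim" exe="/usr/bin/vim" key="ossec_logs"
type=CWD msg=audit(1421092800.123:4242):  cwd="/root"
type=PATH msg=audit(1421092800.123:4242): item=0 name="/var/ossec/logs/alerts/alerts.log" inode=11 dev=fd:00 mode=0100640 ouid=0 ogid=505
type=SYSCALL msg=audit(1421092801.456:4243): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=2001 auid=4294967295 uid=0 gid=0 euid=0 comm="sshd" exe="/usr/sbin/sshd" key="other"
type=PATH msg=audit(1421092801.456:4243): item=0 name="/etc/ssh/sshd_config" inode=12 dev=fd:00 mode=0100600 ouid=0 ogid=0'

# Read audit records on stdin; print "<serial> uid=<uid> path=<name>" for
# every event tagged with our key, joining fields from different records.
stitch_ossec_events() {
    awk '
    {
        match($0, /audit\([0-9.]+:[0-9]+\)/)
        id = substr($0, RSTART, RLENGTH)
        sub(/.*:/, "", id); sub(/\)/, "", id)          # keep the serial only
        if ($1 == "type=SYSCALL")
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^uid=/) uid[id] = substr($i, 5)
                if ($i == "key=\"ossec_logs\"") hit[id] = 1
            }
        if ($1 == "type=PATH")
            for (i = 2; i <= NF; i++)
                if ($i ~ /^name=/) { p = substr($i, 6); gsub(/"/, "", p); path[id] = p }
    }
    END { for (id in hit) print id, "uid=" uid[id], "path=" path[id] }'
}

ossec_audit_rule 505
printf '%s\n' "$SAMPLE_AUDIT_LOG" | stitch_ossec_events
```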
