Also there are three ossec users 'ossec', 'ossecm', and 'ossecr'. Which one is the writing done under?
On Monday, January 12, 2015 at 1:13:04 PM UTC-6, Chris Decker wrote:
>
> You'd want to add a filter to the end of the rule. For example:
> -F euid!=505 (or whatever the appropriate UID is for your OSSEC account)
>
> On Mon, Jan 12, 2015 at 1:48 PM, <[email protected]> wrote:
>
>> I am looking into auditd and that seems to be the route I want to go. What would the rule be for the folder /var/ossec/logs/ that excludes the OSSEC user?
>>
>> On Monday, January 12, 2015 at 12:43:55 PM UTC-6, Chris Decker wrote:
>>>
>>> Yes - I currently monitor a few log files for 'writes' using auditd and I have OSSEC configured to generate alerts. Be aware, though, that the auditd logs are multiline logs with a variable number of lines, thus OSSEC cannot stitch 'events' together using the common ID (though from the placeholders in the OSSEC documentation it looks like this feature may be coming in OSSEC 2.9) and give you information like the user ID that wrote to the file.
>>>
>>> On Mon, Jan 12, 2015 at 12:00 PM, <[email protected]> wrote:
>>>
>>>> Would auditd also send its logs to the OSSEC alert system?
>>>>
>>>> On Monday, January 12, 2015 at 10:52:25 AM UTC-6, Chris Decker wrote:
>>>>>
>>>>> You could configure *auditd* to monitor for reads/writes to /var/ossec/logs and include a filter to exclude the OSSEC UID.
>>>>>
>>>>> On Mon, Jan 12, 2015 at 11:27 AM, dan (ddp) <[email protected]> wrote:
>>>>>
>>>>>> On Mon, Jan 12, 2015 at 11:23 AM, <[email protected]> wrote:
>>>>>> > All other log files aggregate into OSSEC. The auditor wants these logs on the OSSEC server to be logged as well. I just cannot find anyone else that could do this.
>>>>>> >
>>>>>>
>>>>>> So no other logs have this requirement? That's kinda silly.
>>>>>> Have you tried contacting your mystery OS's vendor? Perhaps they know of a solution.
>>>>>>
>>>>>> > On Monday, January 12, 2015 at 10:22:05 AM UTC-6, dan (ddpbsd) wrote:
>>>>>> >>
>>>>>> >> On Mon, Jan 12, 2015 at 11:17 AM, <[email protected]> wrote:
>>>>>> >> > Sadly no they did not. They just want notices if the files change. But to log access to said files causes an infinite loop of alerts.
>>>>>> >> >
>>>>>> >>
>>>>>> >> How is this handled for other log files?
>>>>>> >>
>>>>>> >> > On Monday, January 12, 2015 at 9:55:48 AM UTC-6, dan (ddpbsd) wrote:
>>>>>> >> >>
>>>>>> >> >> On Mon, Jan 12, 2015 at 10:36 AM, Christopher Dangerfield <[email protected]> wrote:
>>>>>> >> >> > After going through a security audit with my current employer something came up that I cannot figure out how to solve. No one online seems to have run into this. The auditor wants us to log and alert access to the /var/ossec/logs folder. I can do this, but every alert creates a log change, thus creates another alert and log change, etc, etc, etc. Has anyone ever had to do this and could help me?
>>>>>> >> >> >
>>>>>> >> >>
>>>>>> >> >> Did the auditors have any suggestions?
>>>>>> >> >>
>>>>>> >> >> > --
>>>>>> >> >> > Chris
>>>>>> >> >> >
>>>>>> >> >> > --
>>>>>> >> >> >
>>>>>> >> >> > ---
>>>>>> >> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>>>>> >> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>>> >> >> > For more options, visit https://groups.google.com/d/optout.
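Added example for the two pieces of advice in the thread above (it is not code from the ossec-list posters or from the OSSEC project): the audit rule that excludes the OSSEC service accounts, and the stitching of auditd's multi-line records by their shared serial so that the uid that wrote a file can be recovered, which Chris Decker notes OSSEC itself could not do at the time. Two practitioner caveats the thread does not spell out: auditctl's `-w` watch shorthand accepts only `-p` and `-k`, so a uid filter has to go on the equivalent syscall-form rule (`-a always,exit -F dir=... -F perm=wa`), and since there are three OSSEC accounts, the rule needs one `-F euid!=` term per account (several `-F` terms on one rule are ANDed). The UIDs 505 to 507, the event serials and the log lines are constructed for the example.

```python
#!/usr/bin/env python3
"""Audit rule for /var/ossec/logs that skips the OSSEC accounts, plus a
stitcher that reassembles auditd's multi-line records into events and
reports which uid wrote under the directory.  Added example; not OSSEC
code.  UIDs, serials and log lines are constructed."""
import re
from collections import OrderedDict

WATCHED_DIR = "/var/ossec/logs"
# Hypothetical UIDs for 'ossec', 'ossecm' and 'ossecr'; resolve the real
# ones with `id -u <name>` on the server before loading the rule.
OSSEC_UIDS = {505, 506, 507}

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def audit_rule(watched_dir=WATCHED_DIR, excluded_uids=OSSEC_UIDS, key="ossec-logs"):
    """Syscall-form rule: auditctl's -w shorthand only takes -p and -k, so
    uid filters need the -a/-F form.  Several -F terms on one rule are
    ANDed, which is exactly 'not any of these uids'."""
    filters = " ".join(f"-F euid!={uid}" for uid in sorted(excluded_uids))
    return f"-a always,exit -F dir={watched_dir} -F perm=wa {filters} -k {key}"


def parse_record(line):
    """Return (type, serial, fields) for one audit record, or None for
    anything else (blank lines, ausearch '----' separators)."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return fields["type"], int(m.group(2)), fields


def stitch_events(lines):
    """Group records by the serial in msg=audit(ts:serial).  An event is
    complete once its SYSCALL record has arrived plus as many PATH records
    as that record's items=N field promised; records of different events
    may interleave, so partial events are parked by serial meanwhile."""
    pending = OrderedDict()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, serial, fields = rec
        ev = pending.setdefault(serial, {"serial": serial, "syscall": None, "paths": []})
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "PATH":
            ev["paths"].append(fields)
        sc = ev["syscall"]
        if sc is not None and len(ev["paths"]) >= int(sc.get("items", 0)):
            yield pending.pop(serial)
    for ev in pending.values():  # truncated log: hand back what we have, flagged
        ev["incomplete"] = True
        yield ev


def foreign_writes(lines):
    """Events where a uid outside OSSEC_UIDS touched WATCHED_DIR.  Writes by
    the OSSEC accounts are the self-inflicted churn the thread wants dropped;
    auid is kept because it survives su/sudo and names the login user."""
    hits = []
    for ev in stitch_events(lines):
        sc = ev["syscall"]
        if sc is None:
            continue
        euid = int(sc["euid"])
        files = [p["name"] for p in ev["paths"]
                 if p.get("nametype") != "PARENT" and p.get("name", "").startswith(WATCHED_DIR)]
        if euid in OSSEC_UIDS or not files:
            continue
        hits.append({"serial": ev["serial"], "euid": euid, "auid": int(sc.get("auid", -1)),
                     "comm": sc.get("comm"), "exe": sc.get("exe"), "files": files})
    return hits


# Constructed audit.log excerpt: 9001 is ossec-analysisd (uid 505) writing
# alerts.log; 9002 and 9003 interleave: 9002 is root (logged in as uid 1000)
# opening ossec.log with vi, 9003 is ossec-remoted (uid 507) writing the same log.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1421082000.123:9001): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=1b2f010 a2=441 a3=1a0 items=2 ppid=1 pid=2345 auid=4294967295 uid=505 gid=505 euid=505 suid=505 fsuid=505 egid=505 sgid=505 fsgid=505 tty=(none) ses=4294967295 comm="ossec-analysisd" exe="/var/ossec/bin/ossec-analysisd" key="ossec-logs"',
    'type=CWD msg=audit(1421082000.123:9001):  cwd="/var/ossec"',
    'type=PATH msg=audit(1421082000.123:9001): item=0 name="/var/ossec/logs/alerts/" inode=131601 dev=fd:01 mode=040750 ouid=505 ogid=505 rdev=00:00 nametype=PARENT',
    'type=PATH msg=audit(1421082000.123:9001): item=1 name="/var/ossec/logs/alerts/alerts.log" inode=131602 dev=fd:01 mode=0100640 ouid=505 ogid=505 rdev=00:00 nametype=NORMAL',
    '----',
    'type=SYSCALL msg=audit(1421082007.456:9002): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1a2b a2=241 a3=1b6 items=2 ppid=3100 pid=3142 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="vi" exe="/usr/bin/vi" key="ossec-logs"',
    'type=SYSCALL msg=audit(1421082007.458:9003): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=1c4a020 a2=441 a3=1a0 items=2 ppid=1 pid=2351 auid=4294967295 uid=507 gid=505 euid=507 suid=507 fsuid=507 egid=505 sgid=505 fsgid=505 tty=(none) ses=4294967295 comm="ossec-remoted" exe="/var/ossec/bin/ossec-remoted" key="ossec-logs"',
    'type=CWD msg=audit(1421082007.456:9002):  cwd="/root"',
    'type=CWD msg=audit(1421082007.458:9003):  cwd="/var/ossec"',
    'type=PATH msg=audit(1421082007.456:9002): item=0 name="/var/ossec/logs/" inode=131600 dev=fd:01 mode=040750 ouid=0 ogid=505 rdev=00:00 nametype=PARENT',
    'type=PATH msg=audit(1421082007.458:9003): item=0 name="/var/ossec/logs/" inode=131600 dev=fd:01 mode=040750 ouid=0 ogid=505 rdev=00:00 nametype=PARENT',
    'type=PATH msg=audit(1421082007.456:9002): item=1 name="/var/ossec/logs/ossec.log" inode=131603 dev=fd:01 mode=0100640 ouid=505 ogid=505 rdev=00:00 nametype=NORMAL',
    'type=PATH msg=audit(1421082007.458:9003): item=1 name="/var/ossec/logs/ossec.log" inode=131603 dev=fd:01 mode=0100640 ouid=505 ogid=505 rdev=00:00 nametype=NORMAL',
]

if __name__ == "__main__":
    print(audit_rule())
    for hit in foreign_writes(SAMPLE_LOG):
        print(hit)
```

Run against the sample, only serial 9002 is reported: euid 0 with auid 1000, so the alert names the login user who became root rather than just "root", while the two OSSEC-account events are dropped at the filter. The same grouping by serial is what a log collector needs before it can attach the uid to a single alert, which is the gap in OSSEC that the thread describes.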
