Hello, I would like to create a composite rule, to have an alert each time a file that I'm monitoring with syscheck has changed on my two servers where I have installed the OSSEC agent. For example, earlier I got this alert:

** Alert 1426630985.6877: mail - ossec,syscheck,
2015 Mar 15 23:23:05 (myhostname) 192.168.**.**->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/home/user/mydocument.h'
Size changed from '88910' to '28754'
Old md5sum was: '*****'
New md5sum is : '******'
Old sha1sum was: '****'
New sha1sum is : '****'

I created the following rule, but I'm not sure how to indicate that it must be the same file; in this case it is '/home/user/mydocument.h', but it could be any other.

<rule id="100099" frequency="2" timeframe="900" level="10">
  <if_sid>550</if_sid>
  <description>Integrity checksum changed in several machines</description>
  <group>syscheck,</group>
</rule>

I assume it will be with a different hostname, because otherwise we'd have had an alert with rule 551 (Integrity checksum changed again (2nd time)).

Sorry for my English, I hope you understood me well.

Regards,
JoaoT.
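As an added illustration (not from the post and not OSSEC's own code), this script applies the condition the rule above is trying to express to alerts.log entries in the layout shown: the same syscheck path reported by rule 550 on at least two distinct hostnames within 900 seconds. The sample entries are constructed; hostnames, addresses, timestamps and the second file path are made up.

```python
import re
from collections import defaultdict

# Constructed alerts.log entries in the layout of the post's alert.
# The third entry is a different file on a single host, so it must not fire.
SAMPLE_ALERTS = """\
** Alert 1426630985.6877: mail - ossec,syscheck,
2015 Mar 15 23:23:05 (serverA) 192.0.2.10->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/home/user/mydocument.h'
Size changed from '88910' to '28754'

** Alert 1426631100.7001: mail - ossec,syscheck,
2015 Mar 15 23:25:00 (serverB) 192.0.2.11->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/home/user/mydocument.h'
Size changed from '88910' to '28754'

** Alert 1426631200.7002: mail - ossec,syscheck,
2015 Mar 15 23:26:40 (serverA) 192.0.2.10->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts'
"""

# Epoch seconds from the alert id, hostname from the parentheses, path from rule 550's message.
ALERT_RE = re.compile(
    r"\*\* Alert (?P<ts>\d+)\.\d+:.*?\n"
    r".*?\((?P<host>[^)]+)\) \S+->syscheck\n"
    r"Rule: 550 .*?\n"
    r"Integrity checksum changed for: '(?P<path>[^']+)'"
)

def parse_alerts(text):
    """Return (timestamp, hostname, path) for every rule-550 alert in text."""
    return [(int(m["ts"]), m["host"], m["path"]) for m in ALERT_RE.finditer(text)]

def correlate(alerts, frequency=2, timeframe=900):
    """Return (path, hosts) for each file changed on >= frequency distinct hosts within timeframe seconds."""
    by_path = defaultdict(list)
    for ts, host, path in sorted(alerts):
        by_path[path].append((ts, host))
    hits = []
    for path, events in by_path.items():
        for i, (ts, _) in enumerate(events):  # slide a window starting at each event
            hosts = {h for t, h in events[i:] if t - ts <= timeframe}
            if len(hosts) >= frequency:
                hits.append((path, sorted(hosts)))
                break
    return hits
```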
