Oh, the script uses basic sh run and sh ver - If you want to filter out the ntp offset, you may consider changing the following in your ssh_pixconfig_diff

    send "show running-config\r"

change to:

    send "show running-config | grep -v ntp clock-period\r"

then test. But I do think the ossec alert log is showing all the changes. I would have to test with more changes to verify that.

On Wednesday, April 8, 2015 at 3:34:26 PM UTC-7, Gaetan Noel wrote:
> The one you are running on your switches. I'm using "show config".
> Actually it might be easier to filter out ntp results.
>
> Any idea why the syslog output is not showing the full changes?
> On Wed. 8 Apr. 2015 at 15:36 Brent Morris <[email protected]> wrote:
>
>> Yeah, I realized I'm going to get an alert every day for the botnet
>> filter license counter too.
>>
>> Which command are you referring to?
>>
>>
>> On Wednesday, April 8, 2015 at 12:16:22 PM UTC-7, Gaetan Noel wrote:
>>
>>> Thanks for your help guys.
>>>
>>> You are right Brett, the alert.log has all the info. The issue I have is
>>> with Splunk, everything gets sent via syslog and the event is as I pasted
>>> above. For the alert.log here's what I get:
>>>
>>> *** Alert 1428518183.14013429: - syslog,sshd,recon,*
>>> *--*
>>> *Rule: 555 (level 7) -> 'Integrity checksum for agentless device
>>> changed.'*
>>> *ossec: agentless: Change detected:*
>>> *1404c1404*
>>> *< ntp clock-period 22519145*
>>> *---*
>>> *> ntp clock-period 22519163*
>>> *2806a2807*
>>> *> Connection to x.x.x.x closed by remote host.*
>>>
>>> That script doesn't give me any problem, it seems to work fine.
>>> Although I should probably change something so it doesn't alert me for the
>>> NTP change. May I ask what command you are running?
>>>
>>> Thanks,
>>> Gaetan
>>>
>> --
>>
>> ---
>> You received this message because you are subscribed to a topic in the
>> Google Groups "ossec-list" group.
>> To unsubscribe from this topic, visit
>> https://groups.google.com/d/topic/ossec-list/oRN7sK-pYb0/unsubscribe.
>> To unsubscribe from this group and all its topics, send an email to
>> [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>>
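
The noise filtering discussed in this thread, done as a normalize-then-diff step on saved snapshots instead of on the device; this is an added example, not part of the original messages or of OSSEC's own scripts. The function names, file names and sample snapshots are constructed for illustration, and the two patterns are the noise lines shown in the quoted alert.

```shell
#!/bin/sh
# Added example: ignore volatile lines when diffing two config snapshots.
# Patterns are the two noise lines seen in the alert quoted in this thread.
VOLATILE_RE='^ntp clock-period [0-9]+|^Connection to .* closed by remote host'

# Read a snapshot on stdin, strip terminal CRs, drop volatile lines.
normalize_config() {
    tr -d '\r' | grep -Ev "$VOLATILE_RE" || true
}

# Diff two snapshot files after normalization.
# Returns 0 if nothing meaningful changed, 1 if something did.
meaningful_diff() {
    _old=$(mktemp) && _new=$(mktemp) || return 2
    normalize_config <"$1" >"$_old"
    normalize_config <"$2" >"$_new"
    _rc=0
    diff "$_old" "$_new" || _rc=$?
    rm -f "$_old" "$_new"
    return "$_rc"
}

# Constructed sample snapshots (hypothetical device, not real output).
make_samples() {
    printf '%s\r\n' 'hostname sw1' 'ntp clock-period 22519145' \
        'logging host 192.0.2.10' >"$1/old.cfg"
    # Only the NTP drift value and the SSH disconnect line differ.
    printf '%s\r\n' 'hostname sw1' 'ntp clock-period 22519163' \
        'logging host 192.0.2.10' \
        'Connection to x.x.x.x closed by remote host.' >"$1/noise.cfg"
    # NTP drift plus a real change to the syslog destination.
    printf '%s\r\n' 'hostname sw1' 'ntp clock-period 22519170' \
        'logging host 192.0.2.99' >"$1/real.cfg"
}

demo() {
    _d=$(mktemp -d) || return 2
    make_samples "$_d"
    meaningful_diff "$_d/old.cfg" "$_d/noise.cfg" && echo "noise only: no alert"
    meaningful_diff "$_d/old.cfg" "$_d/real.cfg" || echo "real change: alert"
    rm -rf "$_d"
}
demo
```

Filtering after capture keeps the raw snapshot intact for audit, while only the normalized copies decide whether an alert is raised.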
