Hi Santiago/Dan,

Thanks for the inputs, I am able to track the changes. One more suggestion is needed.

I want to track the file changes and need to alert only on specific changes.

Example:

File: memory.cfg

Content:

*************************************************
*Server* : 1.2.3.4
*Port* : 8080,80,9090,28443,23
*Services* : Telnet,SSH, FTPD,
*log_alert* : Yes
*log_memory* : Yes
*log_system* : Yes
*log_application* : Yes
*log_tomcat* : Yes
*************************************************

Requirement is:

If any changes have been done in parameters *Server*, *Port*, *Services*, *log_tomcat*, notify to certain email; else if *log_alert*, *log_memory*, *log_application*, *log_system* have been changed, don't notify.

On Tue, Dec 8, 2015 at 7:01 AM, Santiago Bassett <[email protected]> wrote:

> More comments:
>
> 1. When has the file been changed?
> Use realtime option (kernel needs to support inotify, most recent ones do)
>
> 2. Who has changed it?
> No easy way to do this. I would use Audit tools and parse their output
> with an OSSEC decoder/rules (I think those would need to be created).
>
> 3. What has been changed?
>
> As Dan mentioned, report_changes. Only works on text files (doesn't make
> sense for binaries).
>
> 4. Notify on certain changes.
>
> What do you mean? Permission changes, ownership changes are reported by
> syscheck too.
>
> On Sun, Dec 6, 2015 at 9:10 AM, dan (ddp) <[email protected]> wrote:
>
>>
>> On Dec 6, 2015 11:01 AM, "Nishant Porwal" <[email protected]> wrote:
>> >
>> > Hi Guys,
>> >
>> > I need to monitor approx 50 config and flat files on 20 servers, means 1000 files.
>> >
>> > My requirement is below.
>> >
>> > 1. When has the file been changed?
>> > 2. Who has changed it?
>>
>> No one has come up with a way to do this through syscheck yet.
>>
>> > 3. What has been changed?
>> > 4. Notify on certain changes.
>> >
>> > Most important part is "What has been changed".
>> >
>>
>> Report_changes I think is the option you want.
>>
>> > All are Linux servers.
>> >
>> > Can OSSEC help here?
>> > I couldn't find anything in the documentation specifying "what has been changed".
>> >
>> > Thanks
>> > Nishant
>> >
>> > --
>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.

--
Thanks n Regards
Nishant Porwal
09527916969
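
The filtering rule requested in the message above, as an added example that is not from the thread and is not an OSSEC feature: it compares two saved versions of memory.cfg and returns only the changed parameters that should trigger an email. The sample file content and the choice to also report parameters outside both lists are assumptions made here.

```python
import re

# Parameter lists taken from the requirement in the message above.
NOTIFY_KEYS = {"Server", "Port", "Services", "log_tomcat"}
IGNORE_KEYS = {"log_alert", "log_memory", "log_application", "log_system"}

# Matches "Key : value"; separator lines made of '*' and blank lines do not match.
LINE_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*:\s*(.*?)\s*$")

# Constructed sample, modelled on the file shown in the message.
OLD = """\
*************************************************
Server : 1.2.3.4
Port : 8080,80,9090,28443,23
Services : Telnet,SSH, FTPD,
log_alert : Yes
log_memory : Yes
log_system : Yes
log_application : Yes
log_tomcat : Yes
*************************************************
"""

def parse_cfg(text):
    """Return {key: tuple_of_values} for every 'Key : value' line."""
    params = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Normalise comma lists so spacing or a trailing comma is not a change.
            items = [v.strip() for v in m.group(2).split(",") if v.strip()]
            params[m.group(1)] = tuple(items)
    return params

def changed_keys(old_text, new_text):
    """Keys that were added, removed or modified between the two versions."""
    old, new = parse_cfg(old_text), parse_cfg(new_text)
    return {k for k in old.keys() | new.keys() if old.get(k) != new.get(k)}

def keys_to_notify(old_text, new_text):
    """Changed keys that warrant an email; empty list means stay silent."""
    changed = changed_keys(old_text, new_text)
    # Assumption: a parameter in neither list is unexpected, so report it too.
    unknown = changed - NOTIFY_KEYS - IGNORE_KEYS
    return sorted((changed & NOTIFY_KEYS) | unknown)

if __name__ == "__main__":
    new = OLD.replace("23\n", "23,8443\n").replace("log_alert : Yes", "log_alert : No")
    print(keys_to_notify(OLD, new))
```
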
