Guys, any comments?

On Fri, Dec 18, 2015 at 7:06 PM, Nishant Porwal <[email protected]> wrote:
> Hi Santiago/Dan,
>
> Thanks for the inputs, I am able to track the changes.
> One more suggestion is needed.
>
> I want to track the file changes and need to alert only on specific
> changes.
> Example:
>
> File: memory.cfg
>
> Content:
>
> *************************************************
>
> *Server* : 1.2.3.4
> *Port* : 8080,80,9090,28443,23
> *Services* : Telnet,SSH, FTPD,
> *log_alert* : Yes
> *log_memory* : Yes
> *log_system* : Yes
> *log_application* : Yes
> *log_tomcat* : Yes
>
> *************************************************
>
> Requirement is:
>
> If any changes have been done in parameters *Server*, *Port*, *Services*,
> *log_tomcat*, notify to certain email; else if *log_alert*, *log_memory*,
> *log_application*, *log_system* have been changed, don't notify.
>
> On Tue, Dec 8, 2015 at 7:01 AM, Santiago Bassett <[email protected]> wrote:
>
>> More comments:
>>
>> 1. When has the file been changed?
>> Use realtime option (kernel needs to support inotify, most recent ones do)
>>
>> 2. Who has changed it?
>> No easy way to do this. I would use Audit tools and parse their output
>> with an OSSEC decoder/rules (I think those would need to be created).
>>
>> 3. What has been changed?
>>
>> As Dan mentioned, report_changes. Only works on text files (doesn't make
>> sense for binaries).
>>
>> 4. Notify on certain changes.
>>
>> What do you mean? Permission changes, ownership changes are reported by
>> syscheck too.
>>
>> On Sun, Dec 6, 2015 at 9:10 AM, dan (ddp) <[email protected]> wrote:
>>
>>> On Dec 6, 2015 11:01 AM, "Nishant Porwal" <[email protected]> wrote:
>>> >
>>> > Hi Guys,
>>> >
>>> > I need to monitor approx 50 config and flat files on 20 servers,
>>> > means 1000 files.
>>> >
>>> > My requirement is below.
>>> >
>>> > 1. When has the file been changed?
>>> > 2. Who has changed it?
>>>
>>> No one has come up with a way to do this through syscheck yet.
>>>
>>> > 3. What has been changed?
>>> > 4. Notify on certain changes.
>>> >
>>> > Most important part is "What has been changed"
>>> >
>>>
>>> Report_changes I think is the option you want.
>>>
>>> > All are Linux servers.
>>> >
>>> > OSSEC can help here?
>>> > I couldn't find anything in documentation specifying about "what has
>>> > been changed".
>>> >
>>> > Thanks
>>> > Nishant
>>> >
>>> > --
>>> > You received this message because you are subscribed to the Google
>>> > Groups "ossec-list" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send
>>> > an email to [email protected].
>>> > For more options, visit https://groups.google.com/d/optout.
>
> --
> Thanks n Regards
> Nishant Porwal
> 09527916969

--
Thanks n Regards
Nishant Porwal
09527916969
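
One way to implement the per-parameter filtering asked for in the requirement above, as an added example that is not part of the original thread and not OSSEC's own code: it compares two saved copies of memory.cfg and reports only the watched keys that differ. The function names, the way the two copies are obtained and the sample text are assumptions made for illustration.

```python
import re

# Keys whose changes should notify, taken from the requirement in the thread.
WATCHED = {"server", "port", "services", "log_tomcat"}
# "Key : value" lines, with optional "*" emphasis markers around the key.
LINE_RE = re.compile(r"^\s*\*?\s*([A-Za-z_]+)\s*\*?\s*:\s*(.*?)\s*$")

def parse_cfg(text):
    """Return {lowercased key: normalised value} for each 'Key : value' line."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # separator rows and blank lines
        key, value = m.group(1).lower(), m.group(2)
        # Comma lists: drop empty items and padding so "SSH, FTPD," == "SSH,FTPD".
        items = [v.strip() for v in value.split(",") if v.strip()]
        settings[key] = ",".join(items)
    return settings

def watched_changes(old_text, new_text, watched=WATCHED):
    """Return {key: (old, new)} for watched keys that differ; None = key absent."""
    old, new = parse_cfg(old_text), parse_cfg(new_text)
    return {k: (old.get(k), new.get(k))
            for k in sorted(watched)
            if old.get(k) != new.get(k)}

# Constructed sample based on the file shown in the thread.
OLD = """\
Server : 1.2.3.4
Port : 8080,80,9090,28443,23
Services : Telnet,SSH, FTPD,
log_alert : Yes
log_memory : Yes
log_system : Yes
log_application : Yes
log_tomcat : Yes
"""

if __name__ == "__main__":
    quiet = OLD.replace("log_memory : Yes", "log_memory : No")
    noisy = quiet.replace("28443,23", "28443")
    print(watched_changes(OLD, quiet))  # empty dict: nothing to notify
    print(watched_changes(OLD, noisy))  # only the Port change is reported
```

An empty result means the edit touched only the ignored parameters; a non-empty result is what would be sent to the notification address.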
