On Fri, Dec 18, 2015 at 8:36 AM, Nishant Porwal
<[email protected]> wrote:
> Hi Santiago/Dan,
>
> Thanks for the inputs, I am able to track the changes.
> One more suggestion is needed,
>
> I want to track the file changes and need to alert only on specific
> changes.
> Example : -
>
> File : - memory.cfg
>
> Content : -
>
> *************************************************
>
> Server : 1.2.3.4
> Port : 8080,80,9090,28443,23
> Services : Telnet,SSH, FTPD,
> log_alert : Yes
> log_memory : Yes
> log_system : Yes
> log_application : Yes
> log_tomcat : Yes
>
> *************************************************
>
> Requirement is : -
>
> If any changes have been done in parameters Server, Port, Services,
> log_tomcat, notify to certain email, else if log_alert, log_memory,
> log_application, log_system have been changed, don't notify.
>

I don't know of a way to watch for changes in certain parts of a file.

> On Tue, Dec 8, 2015 at 7:01 AM, Santiago Bassett
> <[email protected]> wrote:
>>
>> More comments:
>>
>> 1. When has the file been changed?
>> Use realtime option (kernel needs to support inotify, most recent ones do)
>>
>> 2. Who has changed it?
>> No easy way to do this. I would use Audit tools and parse their output
>> with an OSSEC decoder/rules (I think those would need to be created).
>>
>> 3. What has been changed?
>>
>> As Dan mentioned, report_changes. Only works on text files (doesn't make
>> sense for binaries).
>>
>> 4. Notify on certain changes.
>>
>> What do you mean? Permission changes, ownership changes are reported by
>> syscheck too.
>>
>> On Sun, Dec 6, 2015 at 9:10 AM, dan (ddp) <[email protected]> wrote:
>>>
>>>
>>> On Dec 6, 2015 11:01 AM, "Nishant Porwal" <[email protected]>
>>> wrote:
>>> >
>>> > Hi Guys,
>>> >
>>> > I need to monitor approx 50 config and flat files on 20 servers, means
>>> > 1000 files.
>>> >
>>> > My requirement is below.
>>> >
>>> > 1. When has the file been changed?
>>> > 2. Who has changed it?
>>>
>>> No one has come up with a way to do this through syscheck yet.
>>>
>>> > 3. What has been changed?
>>> > 4. Notify on certain changes.
>>> >
>>> > Most important part is "What has been changed"
>>> >
>>>
>>> Report_changes I think is the option you want.
>>>
>>> > All are Linux servers.
>>> >
>>> > OSSEC can help here?
>>> > I couldn't find anything in documentation specifying about "what has
>>> > been changed".
>>> >
>>> >
>>> > Thanks
>>> > Nishant
>>> >
>>> > --
>>> >
>>> > ---
>>> > You received this message because you are subscribed to the Google
>>> > Groups "ossec-list" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send
>>> > an email to [email protected].
>>> > For more options, visit https://groups.google.com/d/optout.
>>>
>>
>>
>
>
>
>
> --
> Thanks n Regards
> Nishant Porwal
> 09527916969
>


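A key-level comparison of two saved copies of the file is one way to get the per-parameter filtering asked about in this thread, done outside of syscheck. This is an added example, not part of the thread and not an OSSEC feature; the function names, the watched-key set and the edited copy of memory.cfg are assumptions constructed for illustration.

```python
"""Key-level diff of two snapshots of a 'Key : value' config file."""

# Keys whose changes should notify, taken from the requirement in the thread.
WATCHED = {"Server", "Port", "Services", "log_tomcat"}


def parse_cfg(text):
    """Return {key: value} for every 'Key : value' line; skip anything else."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        if not sep or not key or key.startswith("*"):
            continue  # blank lines, '*****' separators, malformed lines
        # Normalise comma lists so spacing or a trailing comma is not a change.
        items = [v.strip() for v in value.split(",") if v.strip()]
        settings[key] = ",".join(items)
    return settings


def watched_changes(old_text, new_text, watched=WATCHED):
    """Return {key: (old, new)} for watched keys changed, added or removed."""
    old, new = parse_cfg(old_text), parse_cfg(new_text)
    changes = {}
    for key in sorted(watched):
        before, after = old.get(key), new.get(key)
        if before != after:
            changes[key] = (before, after)
    return changes


# Constructed sample: the memory.cfg from the thread, then an edited copy.
OLD = """\
Server : 1.2.3.4
Port : 8080,80,9090,28443,23
Services : Telnet,SSH, FTPD,
log_alert : Yes
log_memory : Yes
log_system : Yes
log_application : Yes
log_tomcat : Yes
"""
NEW = OLD.replace("log_memory : Yes", "log_memory : No").replace(
    "Port : 8080,80,9090,28443,23", "Port : 8080,80,9090,28443"
)

if __name__ == "__main__":
    for key, (before, after) in watched_changes(OLD, NEW).items():
        print(f"ALERT {key}: {before!r} -> {after!r}")
```

Only the Port edit is reported for the sample; the log_memory edit is ignored because that key is not in the watched set.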