Thanks Santiago, I will do some tests and let you know the results.

On Wed, Dec 23, 2015 at 9:47 AM, Santiago Bassett <[email protected]> wrote:

> You can probably do that using Rootcheck rules.
>
> For example, to alert if the "Server: 1.2.3.4" line has been modified, you could use a rule like this:
>
> [Memory configuration check - Server different than 1.2.3.4] [any]
> f:/etc/memory.cfg -> !r:^# && r:^Server && !r::1.2.3.4;
>
> You would need to create rules for those lines you want to monitor.
>
> I hope that helps,
> Santiago.
>
> On Mon, Dec 21, 2015 at 4:49 AM, dan (ddp) <[email protected]> wrote:
>
>> On Fri, Dec 18, 2015 at 8:36 AM, Nishant Porwal <[email protected]> wrote:
>> > Hi Santiago/Dan,
>> >
>> > Thanks for the inputs, I am able to track the changes.
>> > One more suggestion is needed.
>> >
>> > I want to track the file changes and need to alert only on specific changes.
>> > Example:
>> >
>> > File: memory.cfg
>> >
>> > Content:
>> >
>> > *************************************************
>> >
>> > Server : 1.2.3.4
>> > Port : 8080,80,9090,28443,23
>> > Services : Telnet,SSH, FTPD,
>> > log_alert : Yes
>> > log_memory : Yes
>> > log_system : Yes
>> > log_application : Yes
>> > log_tomcat : Yes
>> >
>> > *************************************************
>> >
>> > Requirement is:
>> >
>> > If any changes have been done in parameters Server, Port, Services, log_tomcat, notify a certain email; else if log_alert, log_memory, log_application, log_system have been changed, don't notify.
>> >
>>
>> I don't know of a way to watch for changes in certain parts of a file.
>>
>> > On Tue, Dec 8, 2015 at 7:01 AM, Santiago Bassett <[email protected]> wrote:
>> >>
>> >> More comments:
>> >>
>> >> 1. When has the file been changed?
>> >> Use the realtime option (kernel needs to support inotify, most recent ones do).
>> >>
>> >> 2. Who has changed it?
>> >> No easy way to do this. I would use Audit tools and parse their output with an OSSEC decoder/rules (I think those would need to be created).
>> >>
>> >> 3. What has been changed?
>> >> As Dan mentioned, report_changes. Only works on text files (doesn't make sense for binaries).
>> >>
>> >> 4. Notify on certain changes.
>> >> What do you mean? Permission changes, ownership changes are reported by syscheck too.
>> >>
>> >> On Sun, Dec 6, 2015 at 9:10 AM, dan (ddp) <[email protected]> wrote:
>> >>>
>> >>> On Dec 6, 2015 11:01 AM, "Nishant Porwal" <[email protected]> wrote:
>> >>> >
>> >>> > Hi Guys,
>> >>> >
>> >>> > I need to monitor approx 50 config and flat files on 20 servers, meaning 1000 files.
>> >>> >
>> >>> > My requirement is below.
>> >>> >
>> >>> > 1. When has a file been changed?
>> >>> > 2. Who has changed it?
>> >>>
>> >>> No one has come up with a way to do this through syscheck yet.
>> >>>
>> >>> > 3. What has been changed?
>> >>> > 4. Notify on certain changes.
>> >>> >
>> >>> > The most important part is "What has been changed".
>> >>>
>> >>> Report_changes I think is the option you want.
>> >>>
>> >>> > All are Linux servers.
>> >>> >
>> >>> > Can OSSEC help here?
>> >>> > I couldn't find anything in the documentation specifying "what has been changed".
>> >>> >
>> >>> > Thanks
>> >>> > Nishant
>> >>> >
>> >>> > --
>> >>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> >>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> >>> > For more options, visit https://groups.google.com/d/optout.

--
Thanks n Regards
Nishant Porwal
09527916969
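To make the rootcheck rule Santiago suggests concrete, the following is an added example (written for this page, not code from the thread or from OSSEC) that models how an `f:<path> -> cond && cond ...;` check is evaluated and applies one such rule to each of the four parameters Nishant wants alerts for, leaving the other `log_*` keys without a rule so edits to them stay silent. It is a simplified re-implementation: it uses Python's `re` in place of OSSEC's own regex engine, ignores the bracketed `[title] [any]` header line, and assumes a check fires when any single line of the file satisfies every condition. Two practical points are built into the rules: the dots in the address are escaped so `1.2.3.4` is matched literally rather than as "any character", and the value patterns are written to match the `Key : value` spacing of the sample file (a pattern such as `:1.2.3.4` requires the colon to be followed immediately by the address, so it would not match the `Server : 1.2.3.4` line as shown above). The file content and rule names are constructed for the example.

```python
"""Evaluate rootcheck-style ``f:`` file rules against a config file.

Added illustration, not OSSEC's own parser: it models the rule grammar
from the thread (``f:<path> -> cond && cond ...;`` with ``r:`` / ``!r:``
conditions) using Python's ``re`` instead of OSSEC's regex engine, and
treats a check as satisfied when any single line of the file meets every
condition (assumption about the semantics being modelled here).
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class FileCheck:
    path: str
    conditions: list[tuple[bool, re.Pattern]]  # (negated?, compiled regex)


def parse_check(text: str) -> FileCheck:
    """Parse ``f:/path -> !r:^# && r:^Key && !r:value;`` into a FileCheck."""
    text = text.strip().rstrip(";")
    target, sep, conds = text.partition("->")
    target = target.strip()
    if not sep or not target.startswith("f:"):
        raise ValueError(f"only 'f:<path> -> ...' checks are supported: {text!r}")
    conditions = []
    for cond in conds.split("&&"):
        cond = cond.strip()
        negated = cond.startswith("!")
        body = cond[1:] if negated else cond
        if not body.startswith("r:"):
            raise ValueError(f"unsupported condition: {cond!r}")
        conditions.append((negated, re.compile(body[2:])))
    return FileCheck(target[2:], conditions)


def line_satisfies(line: str, conditions) -> bool:
    """True when every condition holds for this one line."""
    for negated, pattern in conditions:
        matched = pattern.search(line) is not None
        if matched == negated:          # r: needs a match, !r: needs none
            return False
    return True


def check_fires(check: FileCheck, files: dict[str, str]) -> bool:
    """A file check fires if some line of the file satisfies all conditions."""
    content = files.get(check.path)
    if content is None:
        return False                    # absent file: nothing to flag
    return any(line_satisfies(line, check.conditions) for line in content.splitlines())


# One rule per parameter that should alert; log_alert/log_memory/log_system/
# log_application deliberately have no rule. Dots are escaped so the address
# matches literally, and values are anchored with $ so a partial edit is caught.
RULES = {
    "Memory configuration check - Server different than 1.2.3.4":
        r"f:/etc/memory.cfg -> !r:^# && r:^Server && !r:1\.2\.3\.4$;",
    "Memory configuration check - Port list changed":
        r"f:/etc/memory.cfg -> !r:^# && r:^Port && !r:8080,80,9090,28443,23$;",
    "Memory configuration check - Services list changed":
        r"f:/etc/memory.cfg -> !r:^# && r:^Services && !r:Telnet,SSH, FTPD,$;",
    "Memory configuration check - log_tomcat changed":
        r"f:/etc/memory.cfg -> !r:^# && r:^log_tomcat && !r:Yes$;",
}

# Constructed sample mirroring the memory.cfg shown in the thread.
BASELINE = """\
# memory.cfg (constructed sample)
Server : 1.2.3.4
Port : 8080,80,9090,28443,23
Services : Telnet,SSH, FTPD,
log_alert : Yes
log_memory : Yes
log_system : Yes
log_application : Yes
log_tomcat : Yes
"""


def set_value(text: str, key: str, value: str) -> str:
    """Return a copy of ``text`` with the ``key : value`` line rewritten (helper)."""
    lines = [f"{key} : {value}" if ln.startswith(f"{key} :") else ln
             for ln in text.splitlines()]
    return "\n".join(lines) + "\n"


def fired_rules(memory_cfg: str, rules: dict[str, str] = RULES) -> list[str]:
    """Names of the rules that would alert for this memory.cfg content."""
    files = {"/etc/memory.cfg": memory_cfg}
    return [name for name, rule in rules.items() if check_fires(parse_check(rule), files)]


if __name__ == "__main__":
    print("baseline:    ", fired_rules(BASELINE))
    print("Server edit: ", fired_rules(set_value(BASELINE, "Server", "5.6.7.8")))
    print("log_alert:   ", fired_rules(set_value(BASELINE, "log_alert", "No")))
    print("log_tomcat:  ", fired_rules(set_value(BASELINE, "log_tomcat", "No")))
```

Running the script shows the intended split: changing `Server` or `log_tomcat` produces an alert, changing `log_alert` produces none, and a commented-out `# Server : ...` line is ignored because of the leading `!r:^#` condition. The same rule list, once translated into real rootcheck syntax, can be combined with syscheck's `report_changes` so that the alert tells you both which parameter changed and what the old and new lines were.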
