And one more question: how does OSSEC work with its own logs?
Should I add something like this to ossec.conf, or does OSSEC send its log
messages directly, without using logfiles?
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/ossec.log</location>
</localfile>
In the file rules/ossec_rules.xml we can find these definitions:
<rule id="509" level="0">
<category>ossec</category>
<decoded_as>rootcheck</decoded_as>
<description>Rootcheck event.</description>
<group>rootcheck,</group>
</rule>
<rule id="510" level="7">
<if_sid>509</if_sid>
<description>Host-based anomaly detection event (rootcheck).</description>
<group>rootcheck,</group>
<if_fts />
</rule>
<rule id="515" level="0">
<if_sid>510</if_sid>
<match>^Starting rootcheck scan|^Ending rootcheck scan.|</match>
<match>^Starting syscheck scan|^Ending syscheck scan.</match>
<description>Ignoring rootcheck/syscheck scan messages.</description>
<group>rootcheck,syscheck</group>
</rule>
Why does rule 515 depend on 510?
Is this an error?
On Monday, 22 February 2016 at 17:37:18 UTC+3, the user
[email protected] wrote:
>
> Hello!
> I want to send only the changed filenames, like in the email (see below)?
>
> Is there any way to avoid waiting for rule 515 with "Ending syscheck scan"
> and parse all logs by hand?
>
> Thank you!
>
> ---------- email message aggregating multiple events into a single
> email ----------------
> OSSEC HIDS Notification.
> 2016 Feb 22 06:10:15
>
> Received From: serv-10244->syscheck
> Rule: 550 fired (level 7) -> "Integrity checksum changed."
> Portion of the log(s):
>
> Integrity checksum changed for: '/home/woodwork/public_html/
> xc4dev/var/templates_c/c7659adfadb0a34875da46831ecaa5
> 4e/%%10^10D^10D3B5F4%%import_export.tpl.php'
> Old md5sum was: 'dceb399d30e95119919656e661204554'
> New md5sum is : '81245ed3dd02f3406eb8a2fed54d9942'
> Old sha1sum was: '7d76c4a8134f64290c14706f15e7c7a28256fc51'
> New sha1sum is : '539cf636a958d88a3e8f1f8fbb468716a9a0a6d1'
>
>
>
> --END OF NOTIFICATION
>
>
>
> OSSEC HIDS Notification.
> 2016 Feb 22 06:10:15
>
> Received From: serv-10244->syscheck
> Rule: 550 fired (level 7) -> "Integrity checksum changed."
> Portion of the log(s):
>
> Integrity checksum changed for: '/home/woodwork/public_html/
> xc4dev/var/templates_c/c7659adfadb0a34875da46831ecaa5
> 4e/%%C3^C39^C3917CB7%%zipcode.tpl.php.md5'
> Old md5sum was: '893a40c51c7f8bf5be98319a30c05a18'
> New md5sum is : '94a2aab9fc50d05b6838e2bff772ee75'
> Old sha1sum was: '092003613f24ac04e5214dc24d1dcb0494dbca03'
> New sha1sum is : 'ed5607668955e07bedc7529f1f18843e174fdcf1'
>
>
>
> --END OF NOTIFICATION
>
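The original poster's aim of mailing only the changed file names can be met by post-processing the rule 550 notifications in the format quoted above. This is an added example, not code from the thread or from OSSEC itself; it assumes the mail body is available as a string and works on a constructed sample (host, path and checksums made up).

```python
import re
from typing import Dict, List

# Constructed sample in the notification format quoted in the thread (one
# rule-550 alert, one rule-510 alert); host, path and checksums are made up.
SAMPLE_MAIL = """\
OSSEC HIDS Notification.
2016 Feb 22 06:10:15
Received From: serv-10244->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):
Integrity checksum changed for: '/var/www/app/templates_c/import_export.tpl.php'
Old md5sum was: '0123456789abcdef0123456789abcdef'
New md5sum is : 'fedcba9876543210fedcba9876543210'
Old sha1sum was: '0123456789abcdef0123456789abcdef01234567'
New sha1sum is : 'fedcba9876543210fedcba9876543210fedcba98'
--END OF NOTIFICATION
OSSEC HIDS Notification.
2016 Feb 22 06:12:40
Received From: serv-10244->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):
Constructed rootcheck finding for the example.
--END OF NOTIFICATION
"""

SEPARATOR = "--END OF NOTIFICATION"
FIELDS = {  # one regex per field; OSSEC single-quotes every value
    "host": re.compile(r"^Received From: (\S+)->syscheck$", re.M),
    "path": re.compile(r"^Integrity checksum changed for: '([^']+)'$", re.M),
    "old_md5": re.compile(r"^Old md5sum was: '([0-9a-f]{32})'$", re.M),
    "new_md5": re.compile(r"^New md5sum is : '([0-9a-f]{32})'$", re.M),
    "old_sha1": re.compile(r"^Old sha1sum was: '([0-9a-f]{40})'$", re.M),
    "new_sha1": re.compile(r"^New sha1sum is : '([0-9a-f]{40})'$", re.M),
}

def parse_checksum_changes(mail_body: str) -> List[Dict[str, str]]:
    """One record per rule-550 notification; notifications from other rules are skipped."""
    records = []
    for block in mail_body.split(SEPARATOR):
        if "Rule: 550 fired" not in block:
            continue
        matches = {name: pat.search(block) for name, pat in FIELDS.items()}
        if all(matches.values()):  # drop a malformed block rather than emit half a record
            records.append({name: m.group(1) for name, m in matches.items()})
    return records

def changed_paths(mail_body: str) -> List[str]:
    """Only the file names, which is what the original poster wanted to send."""
    return [r["path"] for r in parse_checksum_changes(mail_body)]
```

Splitting on the "--END OF NOTIFICATION" marker is what makes this work on an aggregated mail that carries several events; a block missing any expected line is dropped rather than reported with partial checksums.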