Hi again,

About getting a list of all modified files, you can execute the 
syscheck_control binary to get a list of files by agent and day:

/var/ossec/bin/syscheck_control -i AGENTID


So your active-response script can periodically check that command's output 
and look for today's changes; the bad thing about this command is that you 
need to filter for one specific agent.

The other approach, like you said, is to detect when syscheck starts and ends, 
then capture the rules regarding syscheck between start and end. I think 
that could be difficult. What do you think about installing an ELK cluster? 
Using Kibana your users could easily check file integrity changes.

The syscheck alert mechanism is mostly hardcoded in OSSEC; the email alert 
template is hardcoded too. To change the template of the syscheck integrity 
alert you will need to modify C code (here 
<https://github.com/wazuh/ossec-wazuh/blob/6c2325e5f45b25adbaccc02ac1977c75c4a56599/src/analysisd/decoders/syscheck.c>
).


Daniel Cid released an integrator some weeks ago; this integrator can 
connect to Slack and forward some alerts. Check the full info here: OSSEC 
Integrator 
<https://blog.sucuri.net/2016/01/server-security-integrating-ossec-with-slack-and-pagerduty.html>. 
We are merging this functionality right now into the Wazuh fork: 
<https://github.com/wazuh/ossec-wazuh>
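The aggregation approach discussed in this thread (open a batch on "Starting syscheck scan", collect the file names from rules 550-554, send one message on "Ending syscheck scan"), written out as a small Python script. This is an added example, not code from the thread, from OSSEC or from Wazuh. It reads alerts.log-style text; the rule IDs 550-554, the "Integrity checksum changed for:" line and the scan start/end texts come from the thread, while the exact layout of the "** Alert" header, the agent line, and the wording of the deleted/added-file messages (rules 553/554) are assumptions, and the sample alerts are constructed.

```python
"""Aggregate OSSEC syscheck alerts into one change list per agent per scan.

Added example. Keeps one open batch per agent so that interleaved alerts
from several agents are not mixed up, and drops the checksum lines that the
end users in the thread do not care about.
"""
import re
import sys

# Syscheck rule IDs referred to in the thread: 550-552 checksum changed,
# 553 file deleted, 554 file added.
SYSCHECK_RULES = {550, 551, 552, 553, 554}

# Start of an alert block in alerts.log ("** Alert ...") or in a notification
# e-mail ("OSSEC HIDS Notification.") - the alerts.log header layout is assumed.
ALERT_HEADER_RE = re.compile(r"^(\*\* Alert |OSSEC HIDS Notification)")
# Agent name from "Received From: serv-10244->syscheck" (as in the thread) or
# from the assumed alerts.log line "2016 Feb 22 06:10:15 (serv-10244) any->syscheck".
AGENT_RE = re.compile(
    r"^(?:Received From:|\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?:\((\S+)\)\s+\S+|(\S+?))->\S+"
)
RULE_RE = re.compile(r"^Rule:\s*(\d+)")
# Path of a modified file, wording taken from the thread.
CHANGED_RE = re.compile(r"^Integrity checksum changed for: '(.+)'$")
# Deleted/added-file messages (553/554) are assumed to name the path in the first
# quoted string of a line starting with "File" or "New file".
ADDED_DELETED_RE = re.compile(r"^(?:New file|File) '(.+?)'")


def path_of(line):
    """Return the file path named by a syscheck message line, or None."""
    m = CHANGED_RE.match(line) or ADDED_DELETED_RE.match(line)
    return m.group(1) if m else None


def aggregate_scans(alert_text):
    """Return [(agent, [paths...]), ...], one entry per completed scan, in order."""
    open_batches = {}  # agent -> ordered list of changed paths for the scan in progress
    completed = []
    agent = rule = None
    for line in alert_text.splitlines():
        line = line.strip()
        if ALERT_HEADER_RE.match(line):
            agent = rule = None  # new alert block: forget the previous block's context
            continue
        m = AGENT_RE.match(line)
        if m:
            agent = m.group(1) or m.group(2)
            continue
        m = RULE_RE.match(line)
        if m:
            rule = int(m.group(1))
            continue
        if agent is None:
            continue
        if "Starting syscheck scan" in line:
            open_batches[agent] = []          # a new scan: start collecting
        elif "Ending syscheck scan" in line:
            paths = open_batches.pop(agent, None)
            if paths is not None:             # ignore an end without a seen start
                completed.append((agent, paths))
        elif rule in SYSCHECK_RULES and agent in open_batches:
            p = path_of(line)
            if p and p not in open_batches[agent]:
                open_batches[agent].append(p)
    return completed


def format_message(agent, paths):
    """Plain-language summary: file names only, no checksums."""
    body = "\n".join("  - " + p for p in paths) or "  (no changes)"
    return f"Syscheck on {agent}: {len(paths)} file(s) changed\n{body}"


# Constructed alerts.log-style excerpt; agent names, paths and hashes are made up.
SAMPLE_ALERTS = """\
** Alert 1456117200.0: - ossec,
2016 Feb 22 05:00:00 (serv-10244) any->syscheck
ossec: Starting syscheck scan.

** Alert 1456121415.1: mail - ossec,syscheck,
2016 Feb 22 06:10:15 (serv-10244) any->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/home/woodwork/public_html/xc4dev/var/templates_c/import_export.tpl.php'
Old md5sum was: '00000000000000000000000000000000'
New md5sum is : '11111111111111111111111111111111'

** Alert 1456121416.2: - ossec,
2016 Feb 22 06:10:16 (web-02) any->syscheck
ossec: Starting syscheck scan.

** Alert 1456121420.3: mail - ossec,syscheck,
2016 Feb 22 06:10:20 (serv-10244) any->syscheck
Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
File '/home/woodwork/public_html/xc4dev/old.tpl' was deleted. Unable to retrieve checksum.

** Alert 1456121430.4: mail - ossec,syscheck,
2016 Feb 22 06:10:30 (web-02) any->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'

** Alert 1456121500.5: - ossec,
2016 Feb 22 06:11:40 (serv-10244) any->syscheck
ossec: Ending syscheck scan.

** Alert 1456121600.6: - ossec,
2016 Feb 22 06:13:20 (web-02) any->syscheck
ossec: Ending syscheck scan.
"""

if __name__ == "__main__":
    # Usage: python aggregate_syscheck.py [/var/ossec/logs/alerts/alerts.log]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    for agent_name, changed in aggregate_scans(text):
        print(format_message(agent_name, changed))
        print()
```

Run it against a copy of alerts.log, or feed it the tail of the file from a cron job, and hand each `format_message` result to whatever Slack or e-mail script you already have; the only per-agent filtering happens inside the script, so it avoids the one-agent limitation of `syscheck_control -i`.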



On Monday, February 22, 2016 at 4:02:12 PM UTC+1, [email protected] wrote:
>
> 1. I want to change the text of the alert; my users can't understand what a 
> checksum is, they want to know only the list of changed files :)
> 2. Some users want to receive notifications via Slack. At the moment, I am 
> working on an active-response script that receives information from logs and sends 
> some notifications to users.
> 3. So my question is: what is the best way to collect all syscheck alerts 
> and send them in one message by my active-response (or integration) script?
>
> I see this scenario:
> 1. create a temp file on the "Starting syscheck scan" event
> 2. on each 550-554 rule, add the filename of the changed file to the temp file
> 3. on the "Ending syscheck scan" event, send the file to a customer.
>
> Is it a good solution, or is there a better way?
>
> Thank you for your answers, Pedro!
>
> Pedro S:
>>
>> Hi,
>>  
>> Let me know if I understood right: do you want OSSEC to only send emails 
>> related to syscheck notifications? If so, try to add a granular 
>> option on email notifications; you can use the "group" setting in your email 
>> alerts configuration.
>> Open and modify the ossec.conf file at the OSSEC Manager and add the following 
>> lines:
>>
>> <email_alerts>
>>   <email_to>[email protected]</email_to>
>>   <group>syscheck</group>
>> </email_alerts>
>>
>>
>> Restart your manager to apply changes. Now OSSEC will only forward 
>> "syscheck" alerts.
>>
>> More info: 
>> http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.email_alerts.html
>>
>>
>> I do not understand what you mean with rule 515 and "Ending rootcheck 
>> scan", please be more specific.
>>
>> Regards,
>>
>> Pedro S.
>>
>> On Monday, February 22, 2016 at 3:37:18 PM UTC+1, [email protected] wrote:
>>>
>>> Hello!
>>> I want to send only the changed filenames, like in the email (see below).
>>>
>>> Is there any way to avoid waiting for rule 515 with "Ending syscheck 
>>> scan"
>>> and parsing all logs by hand?
>>>
>>> Thank you!
>>>
>>> ---------- email message with aggregation multiple events to a single 
>>> email ----------------
>>> OSSEC HIDS Notification.
>>> 2016 Feb 22 06:10:15
>>>
>>> Received From: serv-10244->syscheck
>>> Rule: 550 fired (level 7) -> "Integrity checksum changed."
>>> Portion of the log(s):
>>>
>>> Integrity checksum changed for: '/home/woodwork/public_html/
>>> xc4dev/var/templates_c/c7659adfadb0a34875da46831ecaa5
>>> 4e/%%10^10D^10D3B5F4%%import_export.tpl.php'
>>> Old md5sum was: 'dceb399d30e95119919656e661204554'
>>> New md5sum is : '81245ed3dd02f3406eb8a2fed54d9942'
>>> Old sha1sum was: '7d76c4a8134f64290c14706f15e7c7a28256fc51'
>>> New sha1sum is : '539cf636a958d88a3e8f1f8fbb468716a9a0a6d1'
>>>
>>>
>>>
>>>  --END OF NOTIFICATION
>>>
>>>
>>>
>>> OSSEC HIDS Notification.
>>> 2016 Feb 22 06:10:15
>>>
>>> Received From: serv-10244->syscheck
>>> Rule: 550 fired (level 7) -> "Integrity checksum changed."
>>> Portion of the log(s):
>>>
>>> Integrity checksum changed for: '/home/woodwork/public_html/
>>> xc4dev/var/templates_c/c7659adfadb0a34875da46831ecaa5
>>> 4e/%%C3^C39^C3917CB7%%zipcode.tpl.php.md5'
>>> Old md5sum was: '893a40c51c7f8bf5be98319a30c05a18'
>>> New md5sum is : '94a2aab9fc50d05b6838e2bff772ee75'
>>> Old sha1sum was: '092003613f24ac04e5214dc24d1dcb0494dbca03'
>>> New sha1sum is : 'ed5607668955e07bedc7529f1f18843e174fdcf1'
>>>
>>>
>>>
>>>  --END OF NOTIFICATION
>>>
>>
