We have a situation in which nagios, to do it's nrpe checks, has to constantly read the /var/log/syslog. Therefore, we constantly have alerts at level 3 such as:
Rule: 5502 (level 3) -> 'Login session closed.' Rule: 5501 (level 3) -> 'Login session opened.' which involve sessions opening and closing for user root (as the nagios user sudo's to read the syslog file). We don't want to have to whitelist these types of alerts as we want to have warning if someone escalates their privileges. Therefore, is it acceptable to have nagios user added to the adm group as the adm group can read the syslog file? What are the right ways to solve this? Cheers -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
