On 29.06.2016 at 20:30, dan (ddp) wrote:
On Wed, Jun 29, 2016 at 1:59 PM, Andreas Piesk <[email protected]> wrote:
Hello list,
is it possible to use OSSEC as FIM to check system files and application
files with separate notifications?
Changed system files should be reported to email address 1, changed
application files to email address 2.
Any ideas are appreciated.
You can probably create child rules to alert on system files, and then
use the granular email options to send those alerts to a different
email.
A lot of it would probably revolve around how you define system vs
application files.
I define it by location, /etc, /usr/, etc. belongs to system, /app would
be application.
I tried something like that:
<!-- local_rules.xml: child rules must sit inside a <group> element; the
     parent's name list is merged into each rule's groups -->
<group name="local,syscheck,">
  <!-- fires once the base syscheck rule has matched; <if_group> is the
       child-rule form, <if_matched_group> is only for composite rules
       that also carry <frequency>/<timeframe> -->
  <rule id="100002" level="15">
    <if_group>syscheck</if_group>
    <match>/etc</match>   <!-- substring match on the alert text -->
    <description>System object has changed!</description>
    <group>syscheck_system</group>
  </rule>
  <!-- rule ids must be unique, so the second rule gets its own id -->
  <rule id="100003" level="15">
    <if_group>syscheck</if_group>
    <match>/app</match>
    <description>App object has changed!</description>
    <group>syscheck_app1</group>
  </rule>
</group>

<!-- ossec.conf: the granular blocks go inside <ossec_config>; they only
     send mail when <email_notification>yes</email_notification> is set in
     <global> and the rule level reaches <email_alert_level> in <alerts> -->
<!-- alert for system events -->
<email_alerts>
  <email_to>[email protected]</email_to>
  <group>syscheck_system</group>
  <do_not_delay />
  <do_not_group />
</email_alerts>
<!-- alert for syscheck events for application objects -->
<email_alerts>
  <email_to>[email protected]</email_to>
  <group>syscheck_app1</group>
</email_alerts>
But it doesn't seem to work, I don't get any alerts, hmmpf.
Regards.
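As an added example that is not part of this thread or of OSSEC's own tooling, the following Python script parses a local_rules.xml fragment together with the <email_alerts> blocks of ossec.conf and reports the mistakes that make such a setup fail silently: duplicate rule ids, <if_matched_group> used on a plain child rule (which wants <if_group>), and an <email_alerts> group that no rule ever assigns. The posted rules are embedded as constructed sample input; the e-mail addresses are placeholders, and the placement inside <group name="local,syscheck,"> and <ossec_config> is assumed.

```python
"""Pre-flight check for OSSEC granular email routing (added example).

Parses a local_rules.xml fragment and the <email_alerts> blocks of ossec.conf
and reports the mistakes that keep the routing from ever producing mail."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: the two rules as posted in the thread, wrapped in the
# <group> element that local_rules.xml requires (assumed placement).
POSTED_RULES = """<group name="local,syscheck,">
  <rule id="100002" level="15">
    <if_matched_group>syscheck</if_matched_group>
    <match>/etc</match>
    <description>System object has changed!</description>
    <group>syscheck_system</group>
  </rule>
  <rule id="100002" level="15">
    <if_matched_group>syscheck</if_matched_group>
    <match>/app</match>
    <description>App object has changed!</description>
    <group>syscheck_app1</group>
  </rule>
</group>"""

# Constructed sample: the same rules with <if_group> and unique ids
# (only the first occurrence of the id is renumbered).
FIXED_RULES = POSTED_RULES.replace("if_matched_group", "if_group")
FIXED_RULES = FIXED_RULES.replace('id="100002"', 'id="100003"', 1)

# Constructed sample ossec.conf fragment; recipients are placeholders.
OSSEC_CONF = """<ossec_config>
  <email_alerts>
    <email_to>sysadmins@example.com</email_to>
    <group>syscheck_system</group>
    <do_not_delay />
    <do_not_group />
  </email_alerts>
  <email_alerts>
    <email_to>appteam@example.com</email_to>
    <group>syscheck_app1</group>
  </email_alerts>
</ossec_config>"""


def _split_groups(text):
    """OSSEC group lists are comma-separated, usually with a trailing comma."""
    return {g.strip() for g in (text or "").split(",") if g.strip()}


def parse_rules(rules_xml):
    """One dict per <rule>; groups include those inherited from the enclosing
    <group name="..."> element, which OSSEC merges into each rule."""
    root = ET.fromstring(rules_xml)
    containers = [root] if root.tag == "group" else root.findall("group")
    rules = []
    for container in containers:
        inherited = _split_groups(container.get("name"))
        for rule in container.findall("rule"):
            groups = set(inherited)
            for g in rule.findall("group"):
                groups |= _split_groups(g.text)
            rules.append({
                "id": rule.get("id"),
                "groups": groups,
                "uses_if_matched_group": rule.find("if_matched_group") is not None,
                # <frequency> marks the composite form where if_matched_* belongs
                "composite": rule.find("frequency") is not None,
            })
    return rules


def parse_email_routes(conf_xml):
    """List of (recipient, groups) for every <email_alerts> block."""
    root = ET.fromstring(conf_xml)
    return [(b.findtext("email_to"), _split_groups(b.findtext("group")))
            for b in root.findall("email_alerts")]


def find_problems(rules_xml, conf_xml):
    """Return human-readable findings; an empty list means the routing can work."""
    rules = parse_rules(rules_xml)
    problems = []
    for rule_id, n in Counter(r["id"] for r in rules).items():
        if n > 1:  # rule ids must be unique across all loaded rule files
            problems.append(f"rule id {rule_id} is defined {n} times")
    for r in rules:
        if r["uses_if_matched_group"] and not r["composite"]:
            problems.append(f"rule {r['id']}: <if_matched_group> without "
                            "<frequency>; a child rule needs <if_group>")
    # an <email_alerts> group nobody assigns can never match an alert
    assigned = set().union(*(r["groups"] for r in rules))
    for recipient, groups in parse_email_routes(conf_xml):
        for g in sorted(groups - assigned):
            problems.append(f"email_alerts for {recipient}: group '{g}' "
                            "is assigned by no rule")
    return problems
```

Running find_problems(POSTED_RULES, OSSEC_CONF) lists the duplicate id and the two <if_matched_group> findings, while the corrected rules come back clean; pointing the script at the real local_rules.xml and ossec.conf before restarting ossec-analysisd catches the same class of mistake in production.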