Hi Andreas,
enable the "logall" option in ossec.conf. You will see all the events in
/var/ossec/logs/archives/archives.log. Syscheck events look like:
"Integrity checksum changed for: '/path1/path2/path3/file.ext'". So, you
could create a rule like:
<rule id="100001" level="0">
  <if_group>syscheck</if_group>
  <match>for: '/etc</match>
  <description>Syscheck: /etc alert</description>
</rule>
Regards.
On Friday, July 1, 2016 at 8:21:54 PM UTC+2, Andreas Piesk wrote:
>
> Am 29.06.2016 um 20:30 schrieb dan (ddp):
> > On Wed, Jun 29, 2016 at 1:59 PM, Andreas Piesk <[email protected]> wrote:
> >> Hello list,
> >>
> >> is it possible to use OSSEC as FIM to check system files and
> application
> >> files with separate notifications?
> >>
> >> Changed system files should be reported to email address 1, changed
> >> application files to email address 2.
> >>
> >> Any ideas are appreciated.
> >>
> >
> > You can probably create child rules to alert on system files, and then
> > use the granular email options to send those alerts to a different
> > email.
> > A lot of it would probably revolve around how you define system vs
> > application files.
> >
>
> I define it by location, /etc, /usr/, etc. belongs to system, /app would
> be application.
>
> I tried something like that:
>
> <rule id="100002" level="15">
> <if_matched_group>syscheck</if_matched_group>
> <match>/etc</match>
> <description>System object has changed!</description>
> <group>syscheck_system</group>
> </rule>
>
> <rule id="100002" level="15">
> <if_matched_group>syscheck</if_matched_group>
> <match>/app</match>
> <description>App object has changed!</description>
> <group>syscheck_app1</group>
> </rule>
>
> <!-- alert for system events -->
> <email_alerts>
> <email_to>[email protected]</email_to>
> <group>syscheck_system</group>
> <do_not_delay />
> <do_not_group />
> </email_alerts>
>
> <!-- alert for syscheck events for application objects-->
> <email_alerts>
> <email_to>[email protected]</email_to>
> <group>syscheck_app1</group>
> </email_alerts>
>
> But it doesn't seem to work, I don't get any alerts, hmmpf.
>
> Regards.
>
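The two fragments below are an added example, not configuration from either poster, putting the advice in the reply together with the granular email options from the quoted attempt. They assume OSSEC's stock `syscheck` rule group, rule levels of 7 (OSSEC treats level 0 rules as "ignored", so a level 0 rule never reaches the mail path; the default `email_alert_level` is 7), the group names `syscheck_system` and `syscheck_app1` from the thread, distinct rule IDs (the quoted attempt reuses 100002 for both rules, and rule IDs must be unique), and placeholder addresses and SMTP settings.

```xml
<!-- /var/ossec/rules/local_rules.xml  (added example, not from the thread) -->
<!-- Children of the stock syscheck group. <match> is a plain substring
     match, so anchoring on "for: '" ties the path to the start of the
     quoted filename: "for: '/etc" hits /etc/passwd but not /app/etc/x. -->
<group name="local,syscheck,">

  <!-- system objects: anything syscheck reports under /etc -->
  <rule id="100001" level="7">
    <if_group>syscheck</if_group>
    <match>for: '/etc</match>
    <description>Syscheck: system object under /etc changed</description>
    <group>syscheck_system,</group>
  </rule>

  <!-- application objects: anything syscheck reports under /app -->
  <rule id="100002" level="7">
    <if_group>syscheck</if_group>
    <match>for: '/app</match>
    <description>Syscheck: application object under /app changed</description>
    <group>syscheck_app1,</group>
  </rule>

</group>

<!-- /var/ossec/etc/ossec.conf  (relevant parts only; placeholder values) -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>security@example.invalid</email_to>      <!-- placeholder -->
    <smtp_server>smtp.example.invalid</smtp_server>     <!-- placeholder -->
    <email_from>ossec@example.invalid</email_from>      <!-- placeholder -->
    <!-- logall writes every received event to logs/archives/archives.log,
         which is where you confirm the exact text a syscheck event carries -->
    <logall>yes</logall>
  </global>

  <!-- system file changes go to address 1, immediately and un-grouped -->
  <email_alerts>
    <email_to>sysadmin@example.invalid</email_to>       <!-- placeholder -->
    <group>syscheck_system</group>
    <do_not_delay />
    <do_not_group />
  </email_alerts>

  <!-- application file changes go to address 2 -->
  <email_alerts>
    <email_to>appteam@example.invalid</email_to>        <!-- placeholder -->
    <group>syscheck_app1</group>
  </email_alerts>
</ossec_config>
```

After restarting OSSEC, check /var/ossec/logs/alerts/alerts.log for the rule IDs 100001 and 100002 before looking at the mail side: if the alerts appear there but no mail arrives, the problem is in the `email_alerts` or `global` mail settings, not in the rules.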