Hello Team,

OSSEC is not reporting the file content changes through email even though it
is configured to do so.

I can see the changes made in the diff directory but not in the alerts.log.

Could you please help me fix this issue? Let me know if you need any
other details.

OSSEC.CONF

    <!-- Directories to check (perform all possible verifications) -->
    <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>

diff directory

-rw-r--r-- 1 root root   22 May  2 08:24 diff.1525249477
-rw-r--r-- 1 root root 1427 May  3 07:33 last-entry
-rw-r--r-- 1 root root   60 May  3 07:33 diff.1525332798

alerts.log

# grep fstab alerts.log
Integrity checksum changed for: '/etc/fstab'
Integrity checksum changed for: '/etc/fstab'


# grep -A5 556 ossec_rules.xml
  <rule id="556" level="11">
    <if_sid>500</if_sid>
    <match>^ossec: What changed: </match>
    <description>File content changed.</description>
    <group>syscheck,</group>
  </rule>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>11</email_alert_level>
  </alerts>

-- 
Regards,

Vibin
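As an added diagnostic (example code, not OSSEC's own and not from the post), this walks the rule chain quoted above: rule 556 fires only when the syscheck message carries the `What changed:` text, and only its level 11 reaches the configured `email_alert_level`; a plain checksum alert stays at the base rule's level and is never emailed. The base rule 550 at level 7 is OSSEC's default and an assumption here, since the post does not quote it.

```python
import re
from typing import NamedTuple

# Values copied from the post's ossec.conf and ossec_rules.xml.
EMAIL_ALERT_LEVEL = 11
RULE_556_MATCH = re.compile(r"^ossec: What changed: ")  # <match> of rule 556
RULE_556_LEVEL = 11

# Assumption: OSSEC's default base syscheck rule (550, level 7); not quoted
# in the post, so adjust if the local ruleset differs.
BASE_RULE_ID, BASE_RULE_LEVEL = 550, 7


class Verdict(NamedTuple):
    rule_id: int
    level: int
    emailed: bool


def evaluate_syscheck_message(message: str,
                              email_level: int = EMAIL_ALERT_LEVEL) -> Verdict:
    """Apply the 500 -> 556 chain from the post to one syscheck message.

    Rule 556 only matches when the message starts with the literal
    'ossec: What changed: ' (report_changes diff present); otherwise the
    alert keeps the base rule's level. Mail is sent only if the final
    level reaches email_alert_level.
    """
    if RULE_556_MATCH.search(message):
        rule_id, level = 556, RULE_556_LEVEL
    else:
        rule_id, level = BASE_RULE_ID, BASE_RULE_LEVEL
    return Verdict(rule_id, level, level >= email_level)


# Constructed sample messages (not taken from the post's logs).
CHECKSUM_ONLY = "ossec: Integrity checksum changed for: '/etc/fstab'"
WITH_DIFF = ("ossec: What changed: 1a2\n"
             "> UUID=placeholder-uuid /data ext4 defaults 0 2")


if __name__ == "__main__":
    for msg in (CHECKSUM_ONLY, WITH_DIFF):
        v = evaluate_syscheck_message(msg)
        print(f"rule {v.rule_id} level {v.level} emailed={v.emailed}")
```

Running it shows why the alerts.log lines in the post produce no mail: every entry is a checksum-only alert, so rule 556 never fires and nothing reaches level 11.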
