Hi Alex,

I don't think PCI requires that. Can you point to where it says that? In addition
to that, I don't think there is any tool that can guarantee the integrity of a
log file (especially via syslog)...

However, as soon as the log is written, ossec reads it and forwards it to a remote
system (the ossec server), where the event is stored/analyzed in a (hopefully)
safer place. So, even if one system is hacked, the logs are still safe in the
ossec server.

In addition to that, as an extra precaution, the agent will alert if the size of a
log file is reduced or the file is rotated during monitoring... An alert will
look like:

2009 Feb 08 18:31:15 brrkey->ossec-logcollector
Rule: 591 (level 3) -> 'Log file rotated.'
ossec: File rotated (inode changed): '/var/log/messages'.
Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net


On Thu, Jan 29, 2009 at 1:12 PM, Alex Alexiou <aalex...@targetsite.com> wrote:
> Hi,
>
>
>
> I have been exploring ossec for use in a PCI environment. One of the
> requirements that we've been given is file-integrity checking for log files,
> which I'm not sure ossec can do; I'm assuming it does not put log files into
> the default integrity-checking options because they change size by
> definition. I did read about log file signing, but it appears that this
> would only work with old logs. I tested this by altering the current
> /var/log/secure log of a machine with the ossec agent, and it didn't seem to
> notice anything in particular amiss. Anyone know if there's any way to do
> this in ossec, or do I need to use a separate tool such as syslog-ng for
> this?
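The check Daniel describes (alert when a monitored log shrinks or its inode changes) can be reproduced in a few lines. The following is an added example written for this thread, not OSSEC's own logcollector code; it tracks inode and size per file and labels a shrink as "truncated" and an inode change as "rotated". Note the limitation it shares with the real check: a line appended to the live log, which is what Alex tested, grows the file and raises nothing.

```python
"""Detect truncation or rotation of a live log by tracking inode and size.
Added example modelled on the behaviour described in the thread; not OSSEC code."""
import os
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LogState:
    inode: int
    size: int


def check_log(path: str, prev: Optional[LogState]) -> Tuple[Optional[str], LogState]:
    """Compare the current stat() of `path` with the previous observation.
    Returns (event, new_state) where event is None, "rotated" (inode changed,
    e.g. logrotate moved the file aside) or "truncated" (same inode, size shrank)."""
    st = os.stat(path)
    cur = LogState(st.st_ino, st.st_size)
    if prev is None:          # first observation: nothing to compare against
        return None, cur
    if cur.inode != prev.inode:
        return "rotated", cur
    if cur.size < prev.size:  # content removed in place: possible tampering
        return "truncated", cur
    return None, cur          # unchanged or grown: normal logging


def run_demo() -> List[Optional[str]]:
    """Constructed scenario in a temp dir: append (no alert), in-place shrink
    (truncated), then rename + recreate as logrotate would (rotated)."""
    events: List[Optional[str]] = []
    state: Optional[LogState] = None
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "messages")  # stand-in for /var/log/messages

        def step() -> None:
            nonlocal state
            ev, state = check_log(path, state)
            events.append(ev)

        with open(path, "w") as f: f.write("line1\nline2\n")
        step()                                   # baseline
        with open(path, "a") as f: f.write("line3\n")
        step()                                   # growth is not an alert
        with open(path, "w") as f: f.write("line1\n")
        step()                                   # lines removed -> truncated
        os.rename(path, path + ".1"); open(path, "w").close()
        step()                                   # new inode -> rotated
    return events


if __name__ == "__main__":
    print(run_demo())  # [None, None, 'truncated', 'rotated']
```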
