> -----Original Message-----
> From: gutsy gibbon [mailto:gibbongutsy...@gmail.com] 
> Sent: Monday, March 07, 2011 12:52 PM
> To: ossec-list
> Subject: [ossec-list] Re: Deletion of log data
> 
> what log file did you open with vim... make sure that the log 
> file you open is included in the ossec.conf file and just to 

I made sure I was modifying a logfile that is being monitored.

> make sure the rule works, reduce the 6 hr syscheck thing... get 
> it to run right after you edit the file.

I'll give this a try, but assuming the rule does work (it's one of the 
rules that ships with OSSEC, after all), how do I make sure log 
tampering will be detected no matter what? The OSSEC book says the time 
between syschecks has a minimum frequency of an hour, and I can't 
exactly ask crackers to only tamper with my logs X minutes after the top 
of the hour.

> 
> On Mar 6, 10:54 am, "Tanishk Lakhaani" <tanishk2...@gmail.com> wrote:
> > I think it checks for the same only at the time of running 
> > syscheck, because at that time it tries to compare it with the 
> > database it has already made during pre-scan mode.
> >
> > Regards
> > Tanishk Lakhaani
> > Sent from BlackBerry® on Airtel
> >
> > -----Original Message-----
> > From: "Nate Woodward" <nate.woodw...@the-connection.com>
> >
> > Sender: ossec-list@googlegroups.com
> > Date: Fri, 4 Mar 2011 10:08:51
> > To: ossec-list<ossec-list@googlegroups.com>
> > Reply-To: ossec-list@googlegroups.com
> > Subject: [ossec-list] Deletion of log data
> >
> > Hi,
> >
> > I'm trying to get OSSEC to detect data deletion in log 
> > files. The page 
> > at http://www.ossec.net/doc/manual/monitoring/index.html indicates that 
> > log monitoring is done in real time, and ossec_rules.xml has these
> > rules:
> >
> >   <!-- File rotation/reduced rules -->
> >   <rule id="591" level="3">
> >     <if_sid>500</if_sid>
> >     <match>^ossec: File rotated </match>
> >     <description>Log file rotated.</description>
> >   </rule>
> >
> >   <rule id="592" level="8">
> >     <if_sid>500</if_sid>
> >     <match>^ossec: File size reduced</match>
> >     <description>Log file size reduced.</description>
> >     <group>attacks,</group>
> >   </rule>
> >
> >   <rule id="593" level="9">
> >     <if_sid>500</if_sid>
> >     <match>^ossec: Event log cleared</match>
> >     <description>Microsoft Event log cleared.</description>
> >     <group>logs_cleared,</group>
> >   </rule>
> >
> > When I open up a log file in vim, delete a few lines and 
> > save it, rule
> > 592 doesn't trigger. Am I doing something wrong? Does real-time log 
> > monitoring include the rules above, or do those rules only trigger 
> > when syscheck is run (at which time the log would have grown bigger 
> > than what it was before, despite my deletions)?
> >
> > How can I ensure log file integrity?
> >
> > -Nate
> 
> 

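The check that produces the "ossec: File size reduced" message rule 592 matches is bookkeeping done by the log reader itself: it remembers how far into a monitored file it has already read, and if the file is later found shorter than that offset it emits the message. The following is an added example, not OSSEC code and not anything from the thread, that models that check in Python, runs the quoted rules 591 and 592 over the generated events, and adds a stricter check (a SHA-256 of the bytes already consumed, matched by a hypothetical local rule id 100592) that catches the case Nate describes, where lines are deleted in place but the file has grown past its old size by the time it is looked at again. The log lines, file paths and the 100592 rule are constructed for the example.

```python
"""Model of a tailer's size-reduction check (what rule 592 reacts to) plus a
prefix-hash check that also catches in-place deletion followed by growth.
Added example; not OSSEC's own implementation."""
import hashlib
import os
import re
import tempfile

# Rules 591/592 as quoted from ossec_rules.xml; OSSEC's <match> is a plain
# anchored text test, so an anchored regex is an equivalent stand-in here.
# 100592 is a hypothetical local rule for the added prefix-hash check.
RULES = [
    (591, 3, re.compile(r"^ossec: File rotated ")),
    (592, 8, re.compile(r"^ossec: File size reduced")),
    (100592, 10, re.compile(r"^custom: Monitored log prefix modified")),
]


def match_rules(event):
    """Return (rule_id, level) of the first rule that matches, else None."""
    for rule_id, level, pattern in RULES:
        if pattern.search(event):
            return rule_id, level
    return None


class LogWatcher:
    """Follows one file: keeps the byte offset already consumed and a
    SHA-256 of exactly those consumed bytes."""

    def __init__(self, path):
        self.path = path
        self.offset = 0
        self.consumed = hashlib.sha256()
        self.alerts = []  # (rule_id, level, event)

    def _raise(self, event):
        hit = match_rules(event)
        if hit:
            self.alerts.append((hit[0], hit[1], event))

    def poll(self):
        """One reader pass; returns the bytes read since the last pass."""
        with open(self.path, "rb") as f:
            f.seek(0, os.SEEK_END)
            size = f.tell()
            if size < self.offset:
                # Size-only check: the file is now shorter than the point we
                # had already read to.  Message text mirrors OSSEC's wording.
                self._raise(f"ossec: File size reduced (inode remained the same): '{self.path}'.")
                self.offset, self.consumed = 0, hashlib.sha256()
            elif self.offset:
                # Added check: re-hash the prefix we already consumed.  Lines
                # removed in place and then outgrown by new appends change
                # this hash even though the size never dropped.  O(n) per
                # poll; fine for an example, checkpoint the hash for real use.
                f.seek(0)
                if hashlib.sha256(f.read(self.offset)).digest() != self.consumed.digest():
                    self._raise(f"custom: Monitored log prefix modified: '{self.path}'.")
                    self.offset, self.consumed = 0, hashlib.sha256()
            f.seek(self.offset)
            new = f.read()
        self.consumed.update(new)
        self.offset += len(new)
        return new


def run_scenario(delete_then_append):
    """Constructed scenario: write three lines, poll, remove the middle line
    by rewriting the file in place (same inode), optionally append enough
    new lines that the file ends up larger than before, poll again.
    Returns the rule ids that fired."""
    lines = [
        b"Mar  7 12:00:01 host sshd[1]: Accepted publickey for alice\n",
        b"Mar  7 12:00:02 host sshd[2]: Failed password for root\n",
        b"Mar  7 12:00:03 host sshd[3]: Accepted publickey for bob\n",
    ]
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(b"".join(lines))
        watcher = LogWatcher(path)
        watcher.poll()  # baseline read, nothing fires
        kept = [lines[0], lines[2]]  # the failed-login line is removed
        if delete_then_append:
            kept.append(b"Mar  7 12:05:00 host cron[9]: (root) CMD (run-parts)\n" * 2)
        with open(path, "wb") as f:
            f.write(b"".join(kept))
        watcher.poll()
        return [rule_id for rule_id, _, _ in watcher.alerts]
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("delete only:", run_scenario(False))
    print("delete then append:", run_scenario(True))
```

Run as a script it reports which rule fired in each case; the size-only path fires 592 when the file simply shrinks, and only the prefix-hash path notices the deletion once the file has grown back past its old size. The in-place rewrite in `run_scenario` is deliberate: an editor that saves by writing a new file and renaming it over the old one (vim may do this depending on its `backupcopy` setting) replaces the inode, and a reader that also tracks inodes would then report a rotation (rule 591, level 3) rather than a size reduction, which is worth checking before concluding a rule is broken.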