It just doesn't work for me. If I open a log file with nano (NOT vim, as 
it changes the inode of the file) and remove a few lines, OSSEC doesn't 
notify me about it.

I haven't had the time to look into it much further than that.

> -----Original Message-----
> From: Lars Oberg [mailto:larsoberg...@gmail.com] 
> Sent: Monday, March 28, 2011 10:59 AM
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] Alerts on log file modified, but not if added to
> 
> No, I have not yet tested it (dealing with another ossec 
> related issue at the moment).  What problem are you coming across?
> 
> Lars
> 
> On 3/28/2011 7:16 AM, Nate Woodward wrote:
> > Have you tested whether this rule works? I can't get it to function 
> > correctly.
> >
> >> -----Original Message-----
> >> From: Lars Oberg [mailto:larsoberg...@gmail.com]
> >> Sent: Friday, March 25, 2011 8:12 PM
> >> To: ossec-list@googlegroups.com
> >> Subject: Re: [ossec-list] Alerts on log file modified, but not if added to
> >>
> >> I believe you're referring to this rule (# 592 in my case):
> >>
> >> <rule id="592" level="8">
> >>   <if_sid>500</if_sid>
> >>   <match>^ossec: File size reduced</match>
> >>   <description>Log file size reduced.</description>
> >>   <group>attacks,</group>
> >> </rule>
> >>
> >> If I understand this correctly, I don't need to do anything; this rule is
> >> active by default!
> >>
> >> Thanks,
> >> Lars
> >>
> >> PS. Of course this rule only provides limited protection against 
> >> tampering, since a smart hacker could easily make sure the file is 
> >> longer after he is done tampering with it.
> >>
> >> On 3/25/2011 2:55 PM, Tanishk Lakhaani wrote:
> >>> ion of logs from the log file, an alert, with alert ID 510, is created
> >>> with the heading -- "Log File Size Reduced". And adding of any logs
> >>> is the same as modifying the logs... just put this log file under the
> >>> syscheck part in the ossec agent.conf
> >>>
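The behaviour discussed in this thread, as an added example that is not OSSEC code and not posted by anyone in the thread: a toy monitor that raises the "File size reduced" condition rule 592 matches, flags an inode change (the editor-replaces-the-file case Nate mentions), and adds a digest over the bytes seen at the previous check so that an in-place edit which leaves the file the same length or longer, the gap Lars points out in his PS, is also reported. The `State` layout, the function names and the sample log lines are this example's own constructions.

```python
"""Toy monitor illustrating the thread's points: a size-reduced check like the
one rule 592 alerts on, plus an inode check (editor replaced the file) and a
prefix digest that notices in-place edits which keep or grow the file.
Added example, not OSSEC code; the State layout and file names are made up."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class State:
    inode: int
    size: int
    digest: str  # sha256 of the file's bytes at the last check


def snapshot(path: str) -> State:
    st = os.stat(path)
    with open(path, "rb") as fh:
        return State(st.st_ino, st.st_size, hashlib.sha256(fh.read()).hexdigest())


def prefix_digest(path: str, length: int) -> str:
    """sha256 of the first `length` bytes: the region that existed last time."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read(length)).hexdigest()


def check(path: str, prev: State) -> List[str]:
    """Return the alerts a monitor holding `prev` would raise for `path` now."""
    alerts = []
    cur = snapshot(path)
    if cur.inode != prev.inode:
        alerts.append("inode changed")  # file was replaced rather than edited
    if cur.size < prev.size:
        alerts.append("ossec: File size reduced")  # the message rule 592 matches
    elif prefix_digest(path, prev.size) != prev.digest:
        # Same or larger file, but the bytes seen last time are no longer
        # intact: an in-place edit that a size-only rule is silent about.
        alerts.append("existing content modified")
    return alerts


def demo() -> Dict[str, List[str]]:
    """Apply four edits to a constructed log; return the alerts each raised."""
    lines = [  # constructed sample log lines
        b"Mar 28 10:59:01 host sshd[1]: Accepted publickey for alice\n",
        b"Mar 28 11:00:07 host sshd[2]: Failed password for root\n",
        b"Mar 28 11:00:09 host sshd[2]: Failed password for root\n",
    ]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "auth.log")
        with open(log, "wb") as fh:
            fh.writelines(lines)
        base = snapshot(log)

        # 1. Normal append: nothing to report.
        with open(log, "ab") as fh:
            fh.write(b"Mar 28 11:02:00 host sshd[3]: Accepted publickey for bob\n")
        results["append"] = check(log, base)

        # 2. Drop a line in place (same inode, as nano does): size shrinks.
        with open(log, "wb") as fh:
            fh.writelines(lines[:1] + lines[2:])
        results["delete_in_place"] = check(log, base)

        # 3. Overwrite a line with a longer one: size grows, so the
        #    size-reduced rule stays quiet, but the prefix digest changes.
        replacement = b"Mar 28 11:00:07 host sshd[2]: Accepted publickey for root\n"
        with open(log, "wb") as fh:
            fh.writelines(lines[:1] + [replacement] + lines[2:])
        results["overwrite_longer"] = check(log, base)

        # 4. Write a new file and rename it over the log (what an editor that
        #    "changes the inode" does): content identical, inode differs.
        new = os.path.join(tmp, "auth.log.new")
        with open(new, "wb") as fh:
            fh.writelines(lines)
        os.replace(new, log)
        results["replace_file"] = check(log, base)
    return results


if __name__ == "__main__":
    for name, alerts in demo().items():
        print(f"{name:18s} -> {alerts or ['(no alert)']}")
```

Case 3 is the one the size-reduced rule alone cannot see; keeping a digest of the previously observed region is what lets a monitor distinguish a legitimate append (case 1) from an edit of existing lines.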
