Yeah, I found that info on google a few weeks back and re-tested with 
nano. Still didn't get an alert on the rule. 

> -----Original Message-----
> From: dan (ddp) [mailto:ddp...@gmail.com] 
> Sent: Monday, March 28, 2011 2:22 PM
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] Deletion of log data
> 
> vim typically saves the file to a new inode. In this instance 
> OSSEC generally detects that the log file was rotated, and 
> may re-check all of the log messages in the log file.
> 
> On Fri, Mar 4, 2011 at 11:08 AM, Nate Woodward 
> <nate.woodw...@the-connection.com> wrote:
> > Hi,
> >
> > I'm trying to get OSSEC to detect data deletion in log 
> files. The page 
> > at http://www.ossec.net/doc/manual/monitoring/index.html indicates 
> > that log monitoring is done in real time, and ossec_rules.xml has 
> > these
> > rules:
> >
> >
> >  <!-- File rotation/reduced rules -->
> >  <rule id="591" level="3">
> >    <if_sid>500</if_sid>
> >    <match>^ossec: File rotated </match>
> >    <description>Log file rotated.</description>
> >  </rule>
> >
> >  <rule id="592" level="8">
> >    <if_sid>500</if_sid>
> >    <match>^ossec: File size reduced</match>
> >    <description>Log file size reduced.</description>
> >    <group>attacks,</group>
> >  </rule>
> >
> >  <rule id="593" level="9">
> >    <if_sid>500</if_sid>
> >    <match>^ossec: Event log cleared</match>
> >    <description>Microsoft Event log cleared.</description>
> >    <group>logs_cleared,</group>
> >  </rule>
> >
> >
> > When I open up a log file in vim, delete a few lines and 
> save it, rule
> > 592 doesn't trigger. Am I doing something wrong? Does real-time log 
> > monitoring include the rules above, or do those rules only trigger 
> > when syscheck is run (at which time the log would have grown bigger 
> > than what it was before, despite my deletions)?
> >
> > How can I ensure log file integrity?
> >
> > -Nate
> >
> 
> 

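To make the inode point in the quoted reply concrete, here is an added example (not OSSEC's own code; `LogState`, `demo` and the file names are assumed) that applies the two checks the quoted rules 591 and 592 are matching on: a changed inode under the same name is reported as a rotation, a shrunken file on the same inode as a size reduction. It constructs both cases, an in-place truncation and an editor-style write-to-new-file-then-rename.

```python
import os
import shutil
import tempfile

# Message prefixes in the form rules 591 and 592 above match on.
ROTATED = "ossec: File rotated "
REDUCED = "ossec: File size reduced"


class LogState:
    """Remembers inode and size of one monitored log between checks (assumed name)."""

    def __init__(self, path):
        self.path = path
        st = os.stat(path)
        self.inode, self.size = st.st_ino, st.st_size

    def check(self):
        """Return the ossec-style message this change would produce, or None."""
        st = os.stat(self.path)
        if st.st_ino != self.inode:
            # Same name, new inode: the file was replaced, which is what an
            # editor save-to-new-file-and-rename looks like -> "rotated"
            event = ROTATED
        elif st.st_size < self.size:
            # Same inode but fewer bytes: content was removed in place
            event = REDUCED
        else:
            event = None
        self.inode, self.size = st.st_ino, st.st_size
        return event


def demo():
    """Constructed scenario: returns (in-place truncation result, rename result)."""
    d = tempfile.mkdtemp()
    try:
        path = os.path.join(d, "app.log")
        with open(path, "w") as f:
            f.write("line1\nline2\nline3\n")
        state = LogState(path)
        # Opening with "w" truncates but keeps the inode: size-reduced case
        with open(path, "w") as f:
            f.write("line1\n")
        first = state.check()
        # Write a new file and rename it over the old name: new inode,
        # same size as before, so only the inode test can notice it
        tmp = path + ".new"
        with open(tmp, "w") as f:
            f.write("line1\n")
        os.replace(tmp, path)
        second = state.check()
        return first, second
    finally:
        shutil.rmtree(d)
```

Running `demo()` gives `("ossec: File size reduced", "ossec: File rotated ")`, i.e. the editor-style save is classified as a rotation rather than a size reduction, matching the behaviour described in the quoted reply.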