Yes, that's a much better approach.
On Fri, Nov 8, 2013 at 9:21 AM, Jared Greene <[email protected]> wrote:
> I thought that these come in by default...
>
> OSSEC HIDS Notification.
> 2013 Nov 05 15:05:13
>
> Received From: ip-10-xx-x0-xx>/var/log/messages
> Rule: 2932 fired (level 7) -> "New Yum package installed."
> Portion of the log(s):
>
> Nov 5 15:05:13 ip-10-xx-xx-xx yum[13394]: Installed:
> perl-Params-Validate-0.92-3.4.amzn1.x86_64
>
>
> Thank you,
>
> Jared R. Greene
> (407) 414-4003
>
> On Nov 8, 2013, at 12:02 PM, Santiago Bassett <[email protected]>
> wrote:
>
> Hi Dung,
>
> If this is for a Linux server I guess you would probably need to monitor
> the bin directories, using syscheck, for new files (/bin /sbin /usr/bin
> ...), so you can discover if a new service is installed.
>
> As well, if you know exactly what new files you are looking for, you may
> be able to create file system signatures, using rootcheck. You can find
> examples at /var/ossec/etc/shared/
>
> I hope it helps,
>
> Santiago.
>
> On Fri, Nov 8, 2013 at 8:11 AM, Dũng Trần Văn <[email protected]> wrote:
>
>> But I don't know, when the service is installed on an agent, what are the
>> changes?
>>
>> *Example:* when TeamViewer is installed, *what is the change, and
>> where is it stored*?
>>
>> Thanks so much for your help.
>>
>> If I understand this correctly, OSSEC should be capable of these tasks.
>>>
>>> > --
>>> >
>>> > ---
>>> > You received this message because you are subscribed to the Google Groups
>>> > "ossec-list" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send an
>>> > email to [email protected].
>>> > For more options, visit https://groups.google.com/groups/opt_out.
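Added example, not part of the original thread and not OSSEC's shipped configuration: one way to combine the two approaches discussed above, with syscheck alerting on new files in the binary directories and a child of rule 2932 that escalates a specific package install. The rule ID 100010, the match string `teamviewer`, the chosen levels, the scan frequency and the inclusion of /usr/sbin are assumptions made for illustration.

```xml
<!-- Manager ossec.conf: syscheck section (added example) -->
<syscheck>
  <!-- Full-scan interval in seconds (6 hours, a constructed value);
       new files are only reported on full scans -->
  <frequency>21600</frequency>
  <!-- Without this, syscheck records new files but raises no alert -->
  <alert_new_files>yes</alert_new_files>
  <!-- Binary directories named in the thread, plus /usr/sbin (assumption) -->
  <directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories>
</syscheck>

<!-- Manager rules/local_rules.xml (added example) -->
<group name="local,syscheck,">
  <!-- The stock rule 554 is level 0, so "file added" events never alert.
       Overwrite it with a non-zero level (7 is an assumption). -->
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>

<group name="local,syslog,yum,">
  <!-- Child of rule 2932 ("New Yum package installed.") from the alert
       quoted in the thread. ID 100010 and the match string are constructed. -->
  <rule id="100010" level="10">
    <if_sid>2932</if_sid>
    <match>teamviewer</match>
    <description>Yum installed a remote-access package (TeamViewer).</description>
  </rule>
</group>
```

Restart the manager after editing, then paste a yum "Installed:" log line into /var/ossec/bin/ossec-logtest to confirm which rule fires.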
