Interesting, I changed an ACL which has maybe 75-100 existing entries but only 
added a single entry. I would expect it to show me that single addition unless 
it is trying to show me the difference of the entire ACL. So besides a notice 
something has changed I won't be able to tell what has actually changed which 
makes this a bit pointless unless I dump the config a number of times a day so 
I have files to diff via another program?



-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of dan (ddp)
Sent: Tuesday, May 12, 2015 1:22 PM
To: [email protected]
Subject: Re: [ossec-list] Agentless network diff not showing correct info

On Tue, May 12, 2015 at 1:18 PM, Adam Whelan <[email protected]> 
wrote:
>
> Hi,
>
>     I have the agentless working with my Cisco switches. It appears to notice 
> that a change was made to an access control list but does not display the 
> change via the alert email or the alert log. Below is what I receive. I would 
> expect to see the new ACL entry that was added? Any thoughts?
>
>
>
> OSSEC HIDS Notification.
>
> 2015 May 12 13:13:31
>
>
>
> Received From: (ssh_pixconfig_diff) user@sw-01->agentless
>
> Rule: 555 fired (level 7) -> "Integrity checksum for agentless device 
> changed."
>
> Portion of the log(s):
>
>
>
> ossec: agentless: Change detected:
>
> 17c17
>
> < Current configuration : 20059 bytes
>
> ---
>
> > Current configuration : 20091 bytes
>
> 19c19
>
> < ! Last configuration change at 13:39:31 EDT Mon May 11 2015 by user
>
> ---
>
> > ! Last configuration change at 13:12:37 EDT Tue May 12 2015 by user
>
> More changes..
>
>
>

There's a limited amount of space for the configuration diff, apparently not 
enough for whatever change was made on your system.

> Thank You
>
>
>
>
>
>
>
> --END OF NOTIFICATION
>
>
>
>
>
> _____________________________
>
> Adam Whelan
>
> Senior Systems Analyst
>
> http://www.blueprintmedicines.com
>
> O: 617-714-6761
>
> M: 508-364-2118
>
> Skype: Adam.Whelan4
>
>
>
> This email message may contain confidential and privileged information. If 
> you have received this message in error, please contact the sender by 
> replying to this email message and destroy all copies of the original message.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups 
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
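
Added example, not part of the original thread and not OSSEC code: one way to do the external diff the first message asks about, comparing two saved configuration dumps while ignoring the two header lines that used up the space in the alert above. The function names, ACL name and addresses are constructed for illustration.

```python
import difflib
import re

# Header lines that change on every save of the config. Both appear in the
# alert quoted in this thread and say nothing about the ACL itself.
VOLATILE = re.compile(
    r"^(Current configuration : \d+ bytes|! Last configuration change at .*)$"
)

def stable_lines(config_text):
    """Return the config lines with the volatile header lines dropped."""
    return [ln.rstrip() for ln in config_text.splitlines()
            if not VOLATILE.match(ln.strip())]

def config_changes(old_text, new_text):
    """Return (removed, added) line lists between two config dumps."""
    old, new = stable_lines(old_text), stable_lines(new_text)
    removed, added = [], []
    matcher = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "delete"):
            removed.extend(old[i1:i2])
        if tag in ("replace", "insert"):
            added.extend(new[j1:j2])
    return removed, added

# Constructed sample dumps (hypothetical ACL, documentation-range addresses).
OLD = """\
Current configuration : 20059 bytes
!
! Last configuration change at 13:39:31 EDT Mon May 11 2015 by user
!
ip access-list extended EXAMPLE-ACL
 permit tcp host 192.0.2.10 any eq 22
 deny ip any any log
"""
NEW = """\
Current configuration : 20091 bytes
!
! Last configuration change at 13:12:37 EDT Tue May 12 2015 by user
!
ip access-list extended EXAMPLE-ACL
 permit tcp host 192.0.2.10 any eq 22
 permit tcp host 192.0.2.20 any eq 443
 deny ip any any log
"""

if __name__ == "__main__":
    removed, added = config_changes(OLD, NEW)
    for ln in removed:
        print("-", ln)
    for ln in added:
        print("+", ln)
```
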
