You can probably do that using Rootcheck rules.

For example, to alert if the "Server: 1.2.3.4" line has been modified, you
could use a rule like this:


[Memory configuration check - Server different than 1.2.3.4] [any]

f:/etc/memory.cfg -> !r:^# && r:^Server && !r:1.2.3.4;


You would need to create rules for those lines you want to monitor.


I hope that helps,

Santiago.
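
Added example (not part of the message above and not OSSEC code): a small Python model of how a condition string of the shape used in the rule is evaluated, line by line, against constructed sample file contents. It assumes `^` patterns are prefix tests and every other pattern is a literal substring test; the function names and sample data are made up for illustration.

```python
# Model of a rootcheck "f:" file check: the rule fires when ONE line of the
# file satisfies EVERY condition in the "&&" chain.
# Assumption: "^text" is a prefix test, anything else a literal substring test.
# OSSEC's own regex engine is not used here.

def parse_conditions(spec):
    """Split '!r:^# && r:^Server && !r:1.2.3.4;' into (negated, pattern) pairs."""
    conds = []
    for part in spec.split("&&"):
        part = part.strip().rstrip(";")
        negated = part.startswith("!")
        if negated:
            part = part[1:]
        if not part.startswith("r:"):
            raise ValueError("only r: patterns are modelled: %r" % part)
        conds.append((negated, part[2:]))
    return conds

def line_matches(line, pattern):
    if pattern.startswith("^"):
        return line.startswith(pattern[1:])
    return pattern in line

def rule_fires(text, spec):
    """True if any single line satisfies all conditions."""
    conds = parse_conditions(spec)
    return any(
        all(line_matches(line, pat) != neg for neg, pat in conds)
        for line in text.splitlines()
    )

SPEC = "!r:^# && r:^Server && !r:1.2.3.4"
# Constructed sample contents, not taken from a real host.
BASELINE = "Server: 1.2.3.4\nPort: 8080,80\nlog_memory: Yes\n"
SAMPLES = {
    "unchanged": BASELINE,
    "server changed": BASELINE.replace("1.2.3.4", "10.0.0.9"),
    "log_memory changed": BASELINE.replace("log_memory: Yes", "log_memory: No"),
    "server commented out": BASELINE.replace("Server:", "# Server:"),
    "server line deleted": BASELINE.replace("Server: 1.2.3.4\n", ""),
}

def evaluate():
    return {name: rule_fires(text, SPEC) for name, text in SAMPLES.items()}

if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:22} alert={fired}")
```

In this model only the "server changed" case alerts. A commented-out or deleted Server line does not, because no line is left that satisfies all three conditions, and patterns are compared as written, whitespace included.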



On Mon, Dec 21, 2015 at 4:49 AM, dan (ddp) <ddp...@gmail.com> wrote:

> On Fri, Dec 18, 2015 at 8:36 AM, Nishant Porwal
> <porwal.nish...@gmail.com> wrote:
> > Hi Santiago/Dan,
> >
> > Thanks for the inputs, I am able to track the changes.
> > One more suggestion is needed.
> >
> > I want to track the file changes and need to alert only on specific
> > changes.
> > Example : -
> >
> > File : - memory.cfg
> >
> > Content : -
> >
> > *************************************************
> >
> > Server : 1.2.3.4
> > Port : 8080,80,9090,28443,23
> > Services : Telnet,SSH, FTPD,
> > log_alert : Yes
> > log_memory : Yes
> > log_system : Yes
> > log_application : Yes
> > log_tomcat : Yes
> >
> > *************************************************
> >
> > Requirement is : -
> >
> > If any changes have been done in parameters Server, Port, Services,
> > log_tomcat, notify to certain email, else if log_alert, log_memory,
> > log_application, log_system have been changed, don't notify.
> >
>
> I don't know of a way to watch for changes in certain parts of a file.
>
> > On Tue, Dec 8, 2015 at 7:01 AM, Santiago Bassett
> > <santiago.bass...@gmail.com> wrote:
> >>
> >> More comments:
> >>
> >> 1.When file have been changed  ?
> >> Use realtime option (kernel needs to support inotify, most recent ones
> >> do)
> >>
> >> 2.Who have changed it ?
> >> No easy way to do this. I would use Audit tools and parse their output
> >> with an OSSEC decoder/rules (I think those would need to be created).
> >>
> >> 3.What have been changed ?
> >>
> >> As Dan mentioned, report_changes. Only works on text files (doesn't make
> >> sense for binaries).
> >>
> >> 4.Notify on certain changes .
> >>
> >> What do you mean? Permission changes, ownership changes are reported by
> >> syscheck too.
> >>
> >> On Sun, Dec 6, 2015 at 9:10 AM, dan (ddp) <ddp...@gmail.com> wrote:
> >>>
> >>>
> >>> On Dec 6, 2015 11:01 AM, "Nishant Porwal" <porwal.nish...@gmail.com>
> >>> wrote:
> >>> >
> >>> > Hi Guys ,
> >>> >
> >>> > I need to monitor approx 50 config and flat files on 20 servers,
> >>> > means 1000 files.
> >>> >
> >>> > My requirement is below .
> >>> >
> >>> > 1.When file have been changed  ?
> >>> > 2.Who have changed it ?
> >>>
> >>> No one has come up with a way to do this through syscheck yet.
> >>>
> >>> > 3.What have been changed ?
> >>> > 4.Notify on certain changes .
> >>> >
> >>> > Most important part is "What have been changed"
> >>> >
> >>>
> >>> Report_changes I think is the option you want.
> >>>
> >>> > All are linux servers .
> >>> >
> >>> > OSSEC can help here ?
> >>> > I couldn't find anything in documentation specifying about "what have
> >>> > been changed".
> >>> >
> >>> >
> >>> > Thanks
> >>> > Nishant
> >>> >
> >>> > --
> >>> >
> >>> > ---
> >>> > You received this message because you are subscribed to the Google
> >>> > Groups "ossec-list" group.
> >>> > To unsubscribe from this group and stop receiving emails from it, send
> >>> > an email to ossec-list+unsubscr...@googlegroups.com.
> >>> > For more options, visit https://groups.google.com/d/optout.
> >>>
> >>
> >>
> >
> >
> >
> >
> > --
> > Thanks n Regards
> > Nishant Porwal
> > 09527916969
> >
>
>
