Re: [ossec-list] Alerts on log file modified, but not if added to

2011-03-24 Thread Gurtaj Singh
Use syscheck on those logs; I suppose that's your best bet. On Thu, 2011-03-24 at 12:26 -0700, Lars Oberg wrote: > Hello, > > How can I configure ossec to alert me if somebody tampers with a log file? > > In other words, I do not want to get alerts anytime something is added > to the log, but I wa

Re: [ossec-list] Alerts on log file modified, but not if added to

2011-03-24 Thread Lars Oberg
I am new to OSSEC, but I do not see how to tell syscheck to only report when a log file is modified as opposed to added to. In other words, I am looking for a way to detect tampering with log files. Could you provide more details? Lars On 3/24/2011 12:54 PM, Gurtaj Singh wrote: use syscheck

Re: [ossec-list] Alerts on log file modified, but not if added to

2011-03-25 Thread Tanishk Lakhaani
k Lakhaani Sent from BlackBerry® on Airtel -Original Message- From: Lars Oberg Sender: ossec-list@googlegroups.com Date: Thu, 24 Mar 2011 13:57:05 To: Reply-To: ossec-list@googlegroups.com Subject: Re: [ossec-list] Alerts on log file modified, but not if added to I am new to OSSEC, but I

Re: [ossec-list] Alerts on log file modified, but not if added to

2011-03-25 Thread Lars Oberg
I believe you're referring to this rule (# 592 in my case):

  <rule id="592" level="8">
    <if_sid>500</if_sid>
    <match>^ossec: File size reduced</match>
    <description>Log file size reduced.</description>
    <group>attacks,</group>
  </rule>

If I understand this correctly, I don't need to do anything – this rule is active by default! Thanks, Lars PS. Of course this rule only provides limited protection against

RE: [ossec-list] Alerts on log file modified, but not if added to

2011-03-28 Thread Nate Woodward
Have you tested whether this rule works? I can't get it to function correctly. > -Original Message- > From: Lars Oberg [mailto:larsoberg...@gmail.com] > Sent: Friday, March 25, 2011 8:12 PM > To: ossec-list@googlegroups.com > Subject: Re: [ossec-list] Alerts on lo

Re: [ossec-list] Alerts on log file modified, but not if added to

2011-03-28 Thread Lars Oberg
Lars Oberg [mailto:larsoberg...@gmail.com] Sent: Friday, March 25, 2011 8:12 PM To: ossec-list@googlegroups.com Subject: Re: [ossec-list] Alerts on log file modified, but not if added to I believe you're referring to this rule (# 592 in my case): 500 ^ossec: File size reduced Log file si

RE: [ossec-list] Alerts on log file modified, but not if added to

2011-03-28 Thread Nate Woodward
erg [mailto:larsoberg...@gmail.com] > Sent: Monday, March 28, 2011 10:59 AM > To: ossec-list@googlegroups.com > Subject: Re: [ossec-list] Alerts on log file modified, but > not if added to > > No, I have not yet tested it (dealing with another ossec > related issue at the mo

Re: [ossec-list] Alerts on log file modified, but not if added to

2011-03-28 Thread Lars Oberg
o function correctly. -Original Message- From: Lars Oberg [mailto:larsoberg...@gmail.com] Sent: Friday, March 25, 2011 8:12 PM To: ossec-list@googlegroups.com Subject: Re: [ossec-list] Alerts on log file modified, but not if added to I believe you're referring to this rule (# 592 in my

RE: [ossec-list] Alerts on log file modified, but not if added to

2011-03-28 Thread Michael Starks
On Mon, 28 Mar 2011 09:16:06 -0500, "Nate Woodward" wrote: Have you tested whether this rule works? I can't get it to function correctly. I have and it does work if you reduce the log size (e.g. delete some stuff). But if you replace content like 'Bob' with 'Rob' it won't fire. -- Michael S
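A check that covers the case Michael Starks describes above (a same-size in-place edit such as 'Bob' to 'Rob', which a pure "file size reduced" rule like 592 cannot see), written as an added example; it is not OSSEC code and not anything posted in this thread. It records, per file, the size and a SHA-256 of the bytes seen at the last check. On the next check, a shrink is reported as "truncated" (what rule 592 catches), a changed hash over the previously seen prefix is reported as "modified" (the edge case), and a grown file with an intact prefix is the normal append-only case. The file name and the two log lines are constructed for the demo.

```python
"""Append-only log integrity check: detect truncation and in-place edits.

Added example, not OSSEC's own code. State per file is (size, sha256 of the
first `size` bytes) from the previous check. Verdicts on the next check:
  truncated  - size shrank (the case OSSEC rule 592 alerts on)
  modified   - size same or larger, but the old prefix no longer hashes the same
               (e.g. 'Bob' edited to 'Rob' in place)
  appended   - old prefix intact, file grew (normal, no alert)
  unchanged  - old prefix intact, same size
"""
import hashlib
import os
import tempfile


def _prefix_hash(path, length):
    """SHA-256 of the first `length` bytes of `path` (read in chunks)."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(65536, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


class LogIntegrityMonitor:
    """Polling monitor; keep self.state somewhere the monitored host cannot edit."""

    def __init__(self):
        self.state = {}  # path -> (size, sha256 of first `size` bytes)

    def check(self, path):
        size = os.path.getsize(path)
        if path not in self.state:
            self.state[path] = (size, _prefix_hash(path, size))
            return "baseline"
        old_size, old_hash = self.state[path]
        if size < old_size:
            verdict = "truncated"
        elif _prefix_hash(path, old_size) != old_hash:
            verdict = "modified"
        elif size > old_size:
            verdict = "appended"
        else:
            verdict = "unchanged"
        # Re-baseline after every check (as syscheck does) so the next
        # verdict is relative to what was just observed.
        self.state[path] = (size, _prefix_hash(path, size))
        return verdict


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: append, Bob->Rob edit, truncation, no change.

    Returns the list of verdicts so the behaviour can be checked; the log
    lines and file name are made up for the example (hypothetical host/user).
    """
    mon = LogIntegrityMonitor()
    verdicts = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth.log")
        line1 = (b"Mar 28 09:16:06 host sshd[311]: Accepted password for Bob "
                 b"from 10.0.0.5 port 5022 ssh2\n")
        line2 = (b"Mar 28 09:17:40 host sudo:      bob : TTY=pts/0 ; "
                 b"COMMAND=/bin/cat /etc/shadow\n")
        _write(path, line1)
        verdicts.append(mon.check(path))            # baseline
        _write(path, line1 + line2)
        verdicts.append(mon.check(path))            # appended
        _write(path, line1.replace(b"Bob", b"Rob") + line2)
        verdicts.append(mon.check(path))            # modified: same size, prefix changed
        _write(path, line1)
        verdicts.append(mon.check(path))            # truncated: size shrank
        verdicts.append(mon.check(path))            # unchanged
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind. Log rotation that truncates in place (copytruncate-style) shrinks the file just like an attacker's edit would, so both rule 592 and the "truncated" verdict fire on rotation and need to be correlated with the rotation schedule. And a polling check only sees state at each poll: an edit made and reverted between two checks is invisible, and the stored (size, hash) pairs must live where the host being monitored cannot alter them, which is why syscheck keeps its database on the OSSEC server side.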