OSSEC Series 3-file monitoring (SYSCHECK)

Source: Internet
Author: User
Tags ossec



OSSEC can monitor files: whether a file has been modified, what was changed (for plain-text files, and not in every case), and the file's attributes (hashes, size, owner, group, permissions).
File monitoring is configured in the <syscheck> section of ossec.conf:
<ossec_config>
  <syscheck>
    .... file monitoring options
  </syscheck>
</ossec_config>
A simple configuration example follows.

<syscheck>
  <!-- Frequency that syscheck is executed - default to every 22 hours -->
  <frequency>79200</frequency>
  <!-- Directories to check (perform all possible verifications) -->
  <alert_new_files>yes</alert_new_files>
  <directories check_all="yes" realtime="yes" report_changes="yes">/103</directories>
  <!-- Files/directories to ignore -->
  <ignore>/etc/mtab</ignore>
  <!-- Windows files to ignore -->
  <ignore>C:\WINDOWS/System32/LogFiles</ignore>
</syscheck>
Option descriptions
<frequency>: the interval, in seconds, between scheduled scans (79200 = 22 hours).
<alert_new_files>: whether to report newly created files; the default is no. Even when set to yes, no alert appears, because the built-in rule OSSEC fires for a new file (rule 554) has level 0, and level-0 rules are never alerted. To see new-file alerts you must also raise that rule's level, either by overriding it or by creating a new rule that overwrites the original. See Appendix 1.
<directories check_all="yes" realtime="yes" report_changes="yes">
The paths to monitor. OSSEC can monitor both directories and individual files, but realtime="yes" (inotify-based monitoring) only works on directories.
check_all: enables every check: MD5 and SHA1 hashes, size, owner, group and permissions.
report_changes: in addition to reporting that a file changed, report what changed; OSSEC keeps a copy of the file and includes a diff of the content in the alert (meaningful for text files).
<ignore>: files or directories to exclude from monitoring.
There is also auto_ignore, used as <auto_ignore>yes|no</auto_ignore>, which suppresses alerts for files that change frequently. With yes (the default), a file stops generating alerts after its third change; with no, every change triggers an alert. At present it appears to apply only globally and cannot be set for a single file or directory.
After the configuration is complete, restart OSSEC: # service ossec restart (or /var/ossec/bin/ossec-control restart).
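To make the option semantics concrete, here is a small Python checker written for this article. It is not OSSEC's own code and does not read ossec.conf; it mimics what check_all, alert_new_files, report_changes and auto_ignore do, running over a temporary directory with constructed files. The in-memory baseline and content copies stand in for OSSEC's queue/syscheck and queue/diff, and the threshold of three changes is OSSEC's documented auto_ignore default.

```python
"""Minimal syscheck-style checker (illustration for this article, not OSSEC code).
Mirrors check_all (MD5, SHA1, size, owner, group, perm), alert_new_files,
report_changes (diff of text content) and auto_ignore (no alerts after the
third change).  Baseline and file copies are held in memory here.
"""
import difflib
import hashlib
import os
import stat
import tempfile

AUTO_IGNORE_THRESHOLD = 3  # OSSEC default: stop alerting after the 3rd change


def file_state(path):
    """Attributes compared by check_all: md5, sha1, size, owner, group, perm."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "size": st.st_size,
        "uid": st.st_uid,
        "gid": st.st_gid,
        "perm": stat.S_IMODE(st.st_mode),
    }


class Syscheck:
    def __init__(self, alert_new_files=True, report_changes=True, auto_ignore=True):
        self.alert_new_files = alert_new_files
        self.report_changes = report_changes
        self.auto_ignore = auto_ignore
        self.baseline = {}        # path -> attribute dict (like queue/syscheck)
        self.copies = {}          # path -> last content seen (like queue/diff)
        self.change_counts = {}   # path -> number of changes seen so far
        self.initialized = False  # the first scan only builds the baseline

    def _record(self, path):
        self.baseline[path] = file_state(path)
        if self.report_changes:
            with open(path, "rb") as fh:
                self.copies[path] = fh.read()

    def scan(self, directory):
        """Walk the directory; return alerts for new and changed files."""
        alerts = []
        for root, _dirs, files in os.walk(directory):
            for name in files:
                alerts.extend(self._check(os.path.join(root, name)))
        self.initialized = True
        return alerts

    def _check(self, path):
        if path not in self.baseline:
            self._record(path)
            if self.initialized and self.alert_new_files:
                return [{"path": path, "event": "new"}]  # what rule 554 fires on
            return []
        old, new = self.baseline[path], file_state(path)
        changed = sorted(k for k in new if new[k] != old[k])
        if not changed:
            return []
        self.change_counts[path] = self.change_counts.get(path, 0) + 1
        diff = None
        if self.report_changes:
            with open(path, "rb") as fh:
                after = fh.read().decode("utf-8", errors="replace")
            before = self.copies[path].decode("utf-8", errors="replace")
            diff = "".join(difflib.unified_diff(
                before.splitlines(keepends=True), after.splitlines(keepends=True),
                "before", "after"))
        self._record(path)  # the new state becomes the baseline for the next scan
        if self.auto_ignore and self.change_counts[path] > AUTO_IGNORE_THRESHOLD:
            return []  # auto_ignore: file changes too often, no further alerts
        return [{"path": path, "event": "changed", "fields": changed, "diff": diff}]


def demo(auto_ignore=True):
    """Constructed scenario: baseline, one dropped file, then four edits to a config."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "app.conf")
        with open(cfg, "w") as fh:
            fh.write("port = 80\n")
        sc = Syscheck(auto_ignore=auto_ignore)
        sc.scan(d)  # baseline scan: no alerts
        with open(os.path.join(d, "dropped.sh"), "w") as fh:
            fh.write("#!/bin/sh\n")
        new_alerts = sc.scan(d)  # alert_new_files -> one "new" alert
        change_alerts = []
        for port in (8080, 8081, 8082, 8083):
            with open(cfg, "w") as fh:
                fh.write("port = %d\n" % port)
            change_alerts.extend(sc.scan(d))
        return new_alerts, change_alerts


if __name__ == "__main__":
    for alert in demo()[0] + demo()[1]:
        print(alert["path"], alert["event"], alert.get("fields"), alert.get("diff"))
```

With the default settings the scenario yields one new-file alert and three change alerts; the fourth edit is silently dropped by auto_ignore, which is exactly the behaviour that makes the option unsuitable for files where every change matters. Running demo(auto_ignore=False) returns all four. The first change alert lists md5, sha1 and size as changed fields and carries the diff of the old and new line; the later ones, where the size stays the same, list only the two hashes.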
Appendix 1: file creation alert
Either create a new rules file under the rules directory of the OSSEC installation (/var/ossec/rules) and include it from ossec.conf, or edit local_rules.xml directly, and add the following override of the built-in rule 554, raising its level from 0 to 10:
<rule id="554" level="10" overwrite="yes">
  <category>ossec</category>
  <decoded_as>syscheck_new_entry</decoded_as>
  <description>File added to the system.</description>
  <group>syscheck,</group>
</rule>
Appendix 2: references
http://www.ossec.net/doc/manual/syscheck/index.html
Source: http://www.usefulshare.com/lion/ossec3.html