bookmark_borderImproved reporting for file changes (OSSEC)

One that that always annoyed me on OSSEC was that ossec-reported didnโ€™t list the file changes (from syscheck) and that I couldnโ€™t use the filtering options in there for them. Well, thatโ€™s solved now ๐Ÿ™‚

On the latest OSSEC snapshot you can use the โ€œfilenameโ€ option to filter and correlate values. For example, if I run the default reporting for the month of May I will see at the bottom a list of file changes:

# zcat /var/ossec/logs/alerts/2011/May/*.gz | /var/ossec/bin/ossec-reportd
..
Top entries for โ€˜Filenamesโ€™:
โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”
/etc/ossec-init.conf |3 |
/var/www/x/index.php |1 |
/var/www/x/js.js |1 |

And you can also use the related options to see on which agents the files were changed. So for a basic integrity monitoring report, I would filter for the group syscheck and list where each file was changed:

# zcat /var/ossec/logs/alerts/2011/May/*.gz | /var/ossec/bin/ossec-reportd -f group syscheck -r location filename
..
Top entries for โ€˜Filenamesโ€™:
โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”
/etc/ossec-init.conf |3 |
/var/www/x/index.php |1 |
/var/www/x/js.js |1 |

Related entries for โ€˜Locationโ€™:
โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”โ€”
web1->syscheck |1 |
    filename: โ€˜/etc/ossec-init.confโ€™
    filename: โ€˜/var/www/x/js.jsโ€™
    filename: โ€˜/var/www/x/index.phpโ€™
db1->syscheck
    filename: โ€˜/etc/ossec-init.confโ€™
obsd-fw->syscheck
    filename: โ€˜/etc/ossec-init.confโ€™

So the report is simple. It shows which files were changed and how many times (for example, ossec-init changed 3 times, on 3 agents). I am even thinking on making these reports enabled by default and reducing the severity of the normal syscheck alerts so they donโ€™t get sent by email. Comments?