{"id":30,"date":"2011-05-26T23:16:00","date_gmt":"2011-05-26T23:16:00","guid":{"rendered":"https:\/\/defragged.org\/ossec\/?p=30"},"modified":"2020-06-29T23:19:41","modified_gmt":"2020-06-29T23:19:41","slug":"improved-reporting-for-file-changes-ossec","status":"publish","type":"post","link":"https:\/\/defragged.org\/ossec\/2011\/05\/improved-reporting-for-file-changes-ossec\/","title":{"rendered":"Improved reporting for file changes (OSSEC)"},"content":{"rendered":"\n<p>One thing that always annoyed me on&nbsp;<a href=\"http:\/\/www.ossec.net\/\">OSSEC<\/a>&nbsp;was that ossec-reportd didn\u2019t list the file changes (from syscheck) and that I couldn\u2019t use its filtering options on them. Well, that\u2019s solved now \ud83d\ude42<\/p>\n\n\n\n<p>On the latest OSSEC snapshot you can use the \u201cfilename\u201d field to filter (-f) and correlate (-r) values. For example, if I run the default report for the month of May I will see at the bottom a list of file changes:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># zcat \/var\/ossec\/logs\/alerts\/2011\/May\/*.gz | \/var\/ossec\/bin\/ossec-reportd\n..\nTop entries for \u2018Filenames\u2019:\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\n\/etc\/ossec-init.conf |3 |\n\/var\/www\/x\/index.php |1 |\n\/var\/www\/x\/js.js |1 |<\/code><\/pre>\n\n\n\n<p>And you can also use the related (-r) option to see on which agents the files were changed. 
So for a basic integrity monitoring report, I would filter on the group syscheck (-f group syscheck) and, for each location, list the related filenames (-r location filename):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># zcat \/var\/ossec\/logs\/alerts\/2011\/May\/*.gz | \/var\/ossec\/bin\/ossec-reportd -f group syscheck -r location filename\n..\nTop entries for \u2018Filenames\u2019:\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\n\/etc\/ossec-init.conf |3 |\n\/var\/www\/x\/index.php |1 |\n\/var\/www\/x\/js.js |1 |\n\nRelated entries for \u2018Location\u2019:\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\nweb1->syscheck |1 |\n    filename: \u2018\/etc\/ossec-init.conf\u2019\n    filename: \u2018\/var\/www\/x\/js.js\u2019\n    filename: \u2018\/var\/www\/x\/index.php\u2019\ndb1->syscheck\n    filename: \u2018\/etc\/ossec-init.conf\u2019\nobsd-fw->syscheck\n    filename: \u2018\/etc\/ossec-init.conf\u2019<\/code><\/pre>\n\n\n\n<p>So the report is simple. It shows which files were changed and how many times (for example, \/etc\/ossec-init.conf changed 3 times, once on each of the 3 agents). A file like that changing on every agent usually means an agent upgrade rather than tampering, and that is exactly the pattern the per-location view makes easy to spot. I am even thinking of making these reports enabled by default and reducing the severity of the normal syscheck alerts so they don\u2019t get sent by email. Lowering those rules below email_alert_level (but not below log_alert_level) stops the email without losing the alert: it is still written to alerts.log, which is what this report reads. Comments?<\/p>\n","protected":false},"excerpt":{"rendered":"<p>One thing that always annoyed me on&nbsp;OSSEC&nbsp;was that ossec-reportd didn\u2019t list the file changes (from syscheck) and that I couldn\u2019t use its filtering options on them. Well, that\u2019s solved now \ud83d\ude42 On the latest OSSEC snapshot you can use the \u201cfilename\u201d field to filter (-f) and correlate (-r) values. 
For example, if I run the [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[2,4],"tags":[],"_links":{"self":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/30"}],"collection":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/comments?post=30"}],"version-history":[{"count":1,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/30\/revisions"}],"predecessor-version":[{"id":31,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/30\/revisions\/31"}],"wp:attachment":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/media?parent=30"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/categories?post=30"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/tags?post=30"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
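The correlation that `ossec-reportd -f group syscheck -r location filename` performs in the post above, re-implemented as an added Python example so the logic can be read and run offline. This is illustration code, not OSSEC's or the author's: it splits alerts.log text into alerts, keeps the ones whose group list contains syscheck, counts how often each filename appears, and records per agent location how many syscheck alerts fired and which files they named. The alert text is constructed for the example in the alerts.log layout OSSEC 2.x writes; the `mail` flag on one header and the trailing sshd alert are there to show that the header parser tolerates the flag and that non-syscheck alerts are dropped by the group filter.

```python
"""Added example, not OSSEC's own code: rebuild from alerts.log text the summary
that `ossec-reportd -f group syscheck -r location filename` prints."""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample in the OSSEC 2.x alerts.log layout; the agent name is the
# parenthesised token on the origin line (a server-local alert has none).
SAMPLE_ALERTS = """\
** Alert 1306451200.1001: - ossec,syscheck,
2011 May 26 22:13:20 (web1) 10.0.0.11->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/ossec-init.conf'

** Alert 1306451300.1002: mail  - ossec,syscheck,
2011 May 26 22:15:01 (web1) 10.0.0.11->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/var/www/x/index.php'

** Alert 1306451400.1003: - ossec,syscheck,
2011 May 26 22:15:02 (web1) 10.0.0.11->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
New file '/var/www/x/js.js' added to the file system.

** Alert 1306451500.1004: - ossec,syscheck,
2011 May 26 23:01:10 (db1) 10.0.0.12->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/ossec-init.conf'

** Alert 1306451600.1005: - ossec,syscheck,
2011 May 26 23:02:10 (obsd-fw) 10.0.0.1->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/ossec-init.conf'

** Alert 1306451700.1006: - ossec,syslog,sshd,authentication_failed,
2011 May 26 23:05:00 (web1) 10.0.0.11->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
May 26 23:04:59 web1 sshd[1234]: Failed password for root from 10.0.0.99 port 4444 ssh2
"""

ORIGIN_RE = re.compile(
    r"^\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} "  # timestamp
    r"(?:\((?P<agent>[^)]+)\) )?"                # optional '(agent) '
    r"(?P<host>\S+?)->(?P<source>\S+)$"          # host or IP -> log source
)
# Syscheck messages the 'filename' value comes from: changed, added, deleted.
FILENAME_RES = [re.compile(p) for p in (
    r"Integrity checksum changed for: '([^']+)'",
    r"New file '([^']+)' added to the file system",
    r"File '([^']+)' was deleted",
)]


def parse_alerts(text):
    """One dict per alert: groups, location ('agent->source'), filename or None."""
    for chunk in text.split("** Alert ")[1:]:
        lines = [l for l in chunk.splitlines() if l.strip()]
        header, origin, body = lines[0], lines[1], lines[2:]
        # header is '<id>: [mail ] - group1,group2,'; the groups follow ' - '
        groups = [g for g in header.split(" - ", 1)[1].split(",") if g]
        m = ORIGIN_RE.match(origin)
        if not m:
            continue  # cannot attribute it to a location: skip, never miscount
        hits = (rx.search(line) for line in body for rx in FILENAME_RES)
        yield {"groups": groups,
               "location": f"{m['agent'] or m['host']}->{m['source']}",
               "filename": next((h.group(1) for h in hits if h), None)}


def syscheck_report(text, group="syscheck"):
    """'-f group syscheck -r location filename': alerts per file, and per location
    the number of matching alerts plus the files they named."""
    per_file = Counter()
    per_location = defaultdict(lambda: {"alerts": 0, "files": []})
    for a in parse_alerts(text):
        if group not in a["groups"] or a["filename"] is None:
            continue
        per_file[a["filename"]] += 1
        entry = per_location[a["location"]]
        entry["alerts"] += 1
        if a["filename"] not in entry["files"]:
            entry["files"].append(a["filename"])
    return per_file, dict(per_location)


def format_report(per_file, per_location):
    """Same layout as the ossec-reportd output quoted in the post."""
    out = ["Top entries for 'Filenames':", "-" * 32]
    out += [f"{name} |{n} |" for name, n in per_file.most_common()]
    out += ["", "Related entries for 'Location':", "-" * 32]
    for loc, entry in sorted(per_location.items()):
        out.append(f"{loc} |{entry['alerts']} |")
        out += [f"    filename: '{f}'" for f in entry["files"]]
    return "\n".join(out)


if __name__ == "__main__":
    # Real data: zcat /var/ossec/logs/alerts/2011/May/*.gz | python3 syscheck_report.py
    text = SAMPLE_ALERTS if sys.stdin.isatty() else sys.stdin.read()
    print(format_report(*syscheck_report(text)))
```

Run without input and it prints the two tables for the constructed sample; pipe the decompressed alert files in and it reports on real data. The number beside each location is the count of syscheck alerts from that agent, so web1 shows 3 here, and a rule-550 alert from a host that fails the origin regex is skipped rather than silently attributed to the wrong agent. The script name `syscheck_report.py` is an assumption for the usage comment.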