Monday, 26 August 2013

OSSEC-HIDS in linux

I installed ossec-hids on my server with Ubuntu 10.0. Then I tried to write to its log when I use
sudo ntpdate 0.ru.pool.ntp.org
I added a decoder in decoder.xml like
<decoder name="Linux sudo">
  <prematch>sudo</prematch>
</decoder>
I created the file my_incidents.xml, included it in ossec.conf and added to it:
<group name="Incidents">
  <rule id="100001" level="0" noalert="1">
    <decoded_as>Linux sudo</decoded_as>
    <description>Linux sudo messages grouped</description>
  </rule>
  <rule id="100002" level="14">
    <if_sid>100001</if_sid>
    <match>ntpdate</match>
    <description>watching for ntpdate</description>
  </rule>
</group>
But it doesn't work. What am I doing wrong?
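The configuration above depends on how OSSEC chains a decoder to a parent rule (`decoded_as`) and then to a child rule (`if_sid` plus `match`). The script below is an added example, not code from the post and not OSSEC's own engine: it is a small Python model of that pipeline, fed with the post's decoder and rule XML verbatim and with two constructed auth.log lines. It also models one detail that matters here: OSSEC's pre-decoder strips the syslog header (timestamp, host, program name) before decoders run, so `<prematch>` is tested against the message that follows `sudo:`, which does not itself contain the word "sudo". The second decoder, keyed on `<program_name>`, is the form OSSEC's stock decoder.xml uses for its own `sudo` decoder; treat the exact regex as an assumption of this model and confirm against your installed decoder.xml.

```python
"""Simplified model of how OSSEC turns a log line into an alert.

Added example, not code from the original post and not OSSEC's engine (which is C
and supports parent decoders, regex offsets, field extraction, frequency windows).
It keeps only what the post's configuration relies on: the syslog pre-decoder,
<program_name>, <prematch>, <decoded_as>, <if_sid>, <match>, level and noalert.
"""
import re
import xml.etree.ElementTree as ET

# Decoder from the post, verbatim: keyed on <prematch> only.
POST_DECODER_XML = """
<decoder name="Linux sudo">
<prematch>sudo</prematch>
</decoder>
"""

# Same decoder name, but keyed on the syslog program name, the way OSSEC's
# stock decoder.xml keys its own "sudo" decoder (assumed form for this model).
PROGRAM_NAME_DECODER_XML = """
<decoder name="Linux sudo">
<program_name>^sudo</program_name>
</decoder>
"""

# Rule group from the post, verbatim.
RULES_XML = """
<group name="Incidents">
<rule id="100001" level="0" noalert="1">
<decoded_as>Linux sudo</decoded_as>
<description>Linux sudo messages grouped</description>
</rule>
<rule id="100002" level="14">
<if_sid>100001</if_sid>
<match>ntpdate</match>
<description>watching for ntpdate</description>
</rule>
</group>
"""

# Constructed sample lines in the format sudo writes to /var/log/auth.log.
NTPDATE_LINE = ("Aug 26 12:00:00 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; "
                "USER=root ; COMMAND=/usr/sbin/ntpdate 0.ru.pool.ntp.org")
OTHER_LINE = ("Aug 26 12:01:00 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; "
              "USER=root ; COMMAND=/bin/ls /root")

SYSLOG_HEADER = re.compile(
    r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ ([^\s:\[]+)(?:\[\d+\])?:\s*(.*)$")


def predecode(line):
    """Split a syslog-style line into (program_name, message). OSSEC strips the
    timestamp, host and program name first; decoders then see only the message."""
    m = SYSLOG_HEADER.match(line)
    return (m.group(1), m.group(2)) if m else (None, line)


def load_decoders(xml_text):
    # A decoder file holds several top-level <decoder> elements; wrap them in a root.
    root = ET.fromstring("<root>" + xml_text.strip() + "</root>")
    return [{"name": d.get("name"),
             "program_name": d.findtext("program_name"),
             "prematch": d.findtext("prematch")} for d in root.iter("decoder")]


def load_rules(xml_text):
    root = ET.fromstring(xml_text.strip())
    return [{"id": r.get("id"), "level": int(r.get("level")),
             "noalert": r.get("noalert") == "1",
             "decoded_as": r.findtext("decoded_as"),
             "if_sid": r.findtext("if_sid"),
             "match": r.findtext("match"),
             "description": r.findtext("description")} for r in root.iter("rule")]


def decode(program, message, decoders):
    """Name of the first decoder whose program_name and prematch both hold:
    program_name is tested against the syslog program, prematch against the message."""
    for d in decoders:
        if d["program_name"] and not (program and re.search(d["program_name"], program)):
            continue
        if d["prematch"] and not re.search(d["prematch"], message):
            continue
        return d["name"]
    return None


def evaluate(line, decoders, rules):
    """Return (id, level, description) of the alerting rule, or None.
    Rules are walked in order; a rule with <if_sid> only applies once its parent
    matched, and the deepest matching rule with level > 0 and no noalert wins."""
    program, message = predecode(line)
    decoder_name = decode(program, message, decoders)
    matched, alert = set(), None
    for r in rules:
        if r["decoded_as"] and r["decoded_as"] != decoder_name:
            continue
        if r["if_sid"] and r["if_sid"] not in matched:
            continue
        if r["match"] and r["match"] not in message:
            continue
        matched.add(r["id"])
        if r["level"] > 0 and not r["noalert"]:
            alert = (r["id"], r["level"], r["description"])
    return alert


if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    print("post's decoder:   ", evaluate(NTPDATE_LINE, load_decoders(POST_DECODER_XML), rules))
    print("program_name form:", evaluate(NTPDATE_LINE, load_decoders(PROGRAM_NAME_DECODER_XML), rules))
    print("non-ntpdate line: ", evaluate(OTHER_LINE, load_decoders(PROGRAM_NAME_DECODER_XML), rules))
```

With the post's decoder the model produces no alert, because the message after the header never contains "sudo"; with the program_name form, rule 100001 groups the event and 100002 fires at level 14 for the ntpdate line and stays quiet for the other command. On a real OSSEC install the quickest way to see the same chain is to paste the auth.log line into `/var/ossec/bin/ossec-logtest`, which prints which decoder and rule matched at each phase; since OSSEC already ships a decoder named `sudo` that claims these lines by program name, local rules usually reference that decoder (or its grouping rule) instead of adding a second one.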
