tripwire and log rotations

Liberty Young plug-discuss@lists.plug.phoenix.az.us
02 Jan 2003 16:59:56 -0700


Scott, 

For what it's worth, make sure you also email (or store off-machine)
your logs on a scheduled basis. If your logs ever do become messed
with, or if they are just deleted, you'll have a chance of your old logs
showing up interesting things (i.e. if an attacker did some
reconnaissance beforehand).

On Thu, 2003-01-02 at 16:34, Scott H wrote:
> Well, yes, I can.  But I don't WANT to exclude
> these files.  I want them monitored.  I just don't
> want the weekly log rotations to trigger this.
> 
> > From: george@georgetoft.com
> > You can specify which files to include/exclude
> > in your tripwire config file.
> > George
> > 
> > Quoting Scott H <scottlhenderson@yahoo.com>:
> > > So now that I'm an at-home Linux user that has
> > > begun to use Linux at my company for servers
> > > (formerly all was MS), I'm faced with *NIX admin
> > > issues that are all new to me.  Today's example
> > > is: I have a RH7.3 server with tripwire installed
> > > and a cron job that emails a tripwire report to
> > > me daily.  Works great.  RH7.3 has a log rotation
> > > system set up by default, and this works well
> > > too, rotating the logs once per week.  But of
> > > course, tripwire notices each week and reports
> > > that the log files have been changed (I'm
> > > guessing it's the inode # that changes on these?)
> > > and puts it in the report.  Now, I want to know
> > > if a cracker messes with my log files, of course,
> > > so I DO want tripwire to monitor these files.
> > > But I DON'T want tripwire to report on the
> > > routine, weekly log file rotation, causing me to
> > > have to go in and do an update on the tripwire
> > > db.  How do I fix this?
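
Added example, not part of the original thread: a small shell demo of why a rename-and-recreate rotation changes the inode of the live log file (the attribute the quoted question guesses at), compared with a copy-and-truncate rotation. It assumes the rotation behaves like logrotate's `create` and `copytruncate` modes; the function names and the temporary file are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: no real logs are touched; everything runs in a temp dir.

# Print the inode number of a file (ls -i is POSIX).
inode_of() { ls -i "$1" | awk '{print $1}'; }

# Assumption: mirrors logrotate's "create" mode, i.e. rename the old
# log, then create a fresh empty file under the original name.
rotate_create() {
    mv "$1" "$1.1"
    : > "$1"
}

# Assumption: mirrors logrotate's "copytruncate" option, i.e. copy the
# contents aside, then truncate the original file in place.
rotate_copytruncate() {
    cp "$1" "$1.1"
    : > "$1"
}

# Rotate a sample log with the given function and report whether the
# inode of the live log name is "same" or "changed" afterwards.
inode_after() {   # $1 = name of the rotation function
    dir=$(mktemp -d) || return 1
    log="$dir/messages"
    echo "constructed sample line" > "$log"
    before=$(inode_of "$log")
    "$1" "$log"
    after=$(inode_of "$log")
    rm -rf "$dir"
    if [ "$before" = "$after" ]; then echo same; else echo changed; fi
}

echo "create:       $(inode_after rotate_create)"
echo "copytruncate: $(inode_after rotate_copytruncate)"
```

An integrity checker that records the inode number for a log path will flag the first kind of rotation every time, even though nothing was tampered with; size, timestamps and content hashes change under both kinds.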