ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

syscheck #2097

Open dimaivanov1234 opened 10 months ago

dimaivanov1234 commented 10 months ago

Hello! Can you please tell me how to fix the error? I have file integrity control configured. A warning appears when the file is modified. But the warning does not include the computer name or IP address. Other alerts have an ip address. What do I need to change to make the ip address appear? Received from: ossec->syscheck Rule: 550 hits (level 7) -> "Integrity checksum changed".

wolle604 commented 8 months ago

Hey, I think you have misunderstood the functionality of syscheck/file integrity monitoring. Syscheck monitors the checksum of files and reports that something has changed. It doesn't tell you who changed something. To get the information you need, you have to combine different logs, e.g. syscheck alerts and the output of e.g. the "last" Linux command. This is something a SOC analyst would do.
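One way to do the correlation the reply describes, as an added example that is not code from the OSSEC project or from either commenter: parse the syscheck records out of alerts.log, parse the output of `last` from the same host, and list the interactive sessions that were open when each integrity alert fired. The alerts.log sample and the `last` sample below are constructed; the alerts.log layout they assume is the classic one with a `YYYY Mon DD HH:MM:SS (agent) ip->syscheck` source line, and since `last` prints no year, the year is passed in by the caller.

```python
"""Correlate OSSEC syscheck alerts with login sessions reported by `last`.

Added example, not part of the OSSEC project. It assumes the alerts.log
layout shown in SAMPLE_ALERTS and the classic `last` layout in SAMPLE_LAST;
both samples are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample of /var/ossec/logs/alerts/alerts.log (one syscheck alert).
SAMPLE_ALERTS = """\
** Alert 1581002655.12345: mail - ossec,syscheck,
2020 Feb 06 16:17:35 (webserver01) 192.168.1.10->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is : '0cc175b9c0f1b6a831c399e269772661'
"""

# Constructed sample of `last` output from the same host. There is no year
# in these timestamps, so the caller supplies it. The trailer line is skipped.
SAMPLE_LAST = """\
alice    pts/0        192.168.1.50     Thu Feb  6 16:10   still logged in
bob      pts/1        10.0.0.5         Thu Feb  6 14:00 - 15:00  (01:00)
root     tty1                          Wed Feb  5 09:00 - 09:30  (00:30)

wtmp begins Wed Feb  5 08:00:00 2020
"""

ALERT_SRC = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) )?(?P<src>\S+)->(?P<location>\S+)$"
)
ALERT_RULE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\)")
ALERT_FILE = re.compile(r"^Integrity checksum changed for: '(?P<path>[^']+)'")
LAST_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?:(?P<host>\S+)\s+)?"
    r"(?P<login>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2})\s+(?P<rest>.*)$"
)


def parse_alerts(text):
    """Split alerts.log into records and keep only those from syscheck."""
    alerts, current = [], None
    for line in text.splitlines():
        if line.startswith("** Alert "):
            if current and current.get("location") == "syscheck":
                alerts.append(current)
            current = {}
            continue
        if current is None:
            continue
        m = ALERT_SRC.match(line)
        if m:
            current.update(m.groupdict())
            current["time"] = datetime.strptime(m["ts"], "%Y %b %d %H:%M:%S")
            continue
        m = ALERT_RULE.match(line)
        if m:
            current["rule"], current["level"] = int(m["rule"]), int(m["level"])
            continue
        m = ALERT_FILE.match(line)
        if m:
            current["path"] = m["path"]
    if current and current.get("location") == "syscheck":
        alerts.append(current)
    return alerts


def parse_last(text, year):
    """Turn `last` lines into sessions with login/logout datetimes.

    A session that is still open, or whose end is not a plain time
    (e.g. "- down", "- crash"), gets logout=None and counts as open."""
    sessions = []
    for line in text.splitlines():
        m = LAST_LINE.match(line)
        if not m:
            continue  # blank line or the "wtmp begins ..." trailer
        login = datetime.strptime(f"{year} {m['login']}", "%Y %a %b %d %H:%M")
        logout = None
        end = re.match(r"^- (\d{2}:\d{2})", m["rest"])
        if end:
            logout = datetime.strptime(f"{login:%Y %b %d} {end.group(1)}", "%Y %b %d %H:%M")
            if logout < login:
                logout += timedelta(days=1)  # session ran past midnight
        sessions.append({"user": m["user"], "tty": m["tty"],
                         "host": m["host"] or "local", "login": login, "logout": logout})
    return sessions


def correlate(alerts_text, last_text, year, slack_minutes=0):
    """For each syscheck alert, attach the sessions open at the alert time.

    slack_minutes widens the window on both sides to tolerate clock skew
    between the agent and the `last` host. An empty session list is itself a
    finding: the change came from cron, a package manager or a service, not
    from an interactive login."""
    slack = timedelta(minutes=slack_minutes)
    sessions = parse_last(last_text, year)
    results = []
    for alert in parse_alerts(alerts_text):
        t = alert["time"]
        active = [s for s in sessions
                  if s["login"] <= t + slack and (s["logout"] is None or s["logout"] + slack >= t)]
        results.append({**alert, "sessions": active})
    return results


if __name__ == "__main__":
    for r in correlate(SAMPLE_ALERTS, SAMPLE_LAST, year=2020):
        who = ", ".join(f"{s['user']}@{s['host']} ({s['tty']})" for s in r["sessions"])
        print(f"{r['time']} {r.get('agent') or r['src']} rule {r['rule']} {r.get('path')}: "
              f"{who or 'no interactive session open'}")
```

The session list only ever names who was logged in, not who wrote the file; for that you would still need auditd or a similar kernel-level audit trail on the host, which is outside what syscheck records.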