util.sh¶

The util.sh shell script can add a file to be monitored by ossec-logcollector. It can also add a full_command to check for changes to a website, or for changes to the name server of a domain.

A blogpost from Daniel Cid (for 3WoO) introduced this utility.

util.sh argument options¶

addfile <filename> [<format>]¶: Add a file to be monitored by ossec-logtest. A localfile will be added to the ossec.conf.

addsite <domain>¶: Monitor a website for changes. A full_command will be added to the ossec.conf using lynx to dump the initial page. A rule can be written to monitor this output for changes.

Note

Requires lynx.

Warning

This may not be useful on pages with dynamic content.

adddns <domain>¶: Monitor the name server of a domain for changes. A full_command will be added to the ossec.conf using host

Note

Requites the host command.

util.sh example usage¶

Example: Running util.sh¶

Running the following command:

# /var/ossec/bin/util.sh adddns ossec.net

will add the following to that system’s ossec.conf:

<ossec_config>
   <localfile>
     <log_format>full_command</log_format>
     <command>host -W 5 -t NS ossec.net; host -W 5 -t A ossec.net | sort</command>
   </localfile>
 </ossec_config>