Thanks, Kevin.<div><br></div><div>You do raise a valid point about knowing what is changing in the general updates vs what is un-authorized and knowing the difference. My, possibly naive, thought is that I could batch updates/patches and make the assumption the changes are due to that process, but there is that chance something changes in that period as well..... If nothing else, changes at 2am or off hours would hopefully raise an alarm to be investigated.</div> <div><br></div><div>I'll take a look at Tripwire in more depth (I glanced at it briefly and wasn't sure if it was too involved for what I was looking for or not) as well as open-audit.</div><div><br>Thanks.</div><div> Ken<br><br><div class="gmail_quote">On Wed, Apr 15, 2009 at 8:45 AM, Kevin Keane <span dir="ltr"><<a href="mailto:subscription@kkeane.com">subscription@kkeane.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"> I am not using Nagios for that purpose, but rather Open-Audit. I believe<br> there is a way to have changes in OA propagate to Nagios.<br> <br> Another tool you may want to look into is tripwire; it generates exactly<br> the logs based on changes that you were looking for. Then use the<br> check_log plugin to monitor the tripwire log file.<br> <br> The biggest concern with this type of tool that I would have is that<br> monitoring OS changes is very labor-intensive. For me, to the point of<br> impracticality. The problem is the sheer volume of patches that come out<br> on a regular basis makes it all but impossible to keep up with. You'd<br> have to look at every single patch and find out which files it changes<br> before you have a way of knowing whether a particular tripwire alert is<br> legitimate or not.<br> <div><div></div><div class="h5"><br> Ken Netzorg wrote:<br> > Is anyone leveraging Nagios for notification of changes done to<br> > operating systems?<br> ><br> > I am looking to deploy a solution that monitors OS changes and<br> > generates alerts when a configuration or file change is made. Is<br> > anyone doing this type of thing through a Nagios plug-in? My goal<br> > would be to know when an OS is being changed and be able to correlate<br> > that to a scheduled change or potential compromise of the OS that<br> > needs to be further investigated. (Something more holistic than basic<br> > log monitoring unless there is a service that generates logs based on<br> > changes that will then be captured by a log review.)<br> ><br> > The monitoring would be done on both Windows and Linux platforms.<br> ><br> > Thanks,<br> > Ken<br> <br> </div></div>--<br> Kevin Keane<br> Owner<br> The NetTech<br> Find the Uncommon: Expert Solutions for a Network You Never Have to Think About<br> <br> Office: 866-642-7116<br> <a href="http://www.4nettech.com" target="_blank">http://www.4nettech.com</a><br> <br> This e-mail and attachments, if any, may contain confidential and/or proprietary information. Please be advised that the unauthorized use or disclosure of the information is strictly prohibited. The information herein is intended only for use by the intended recipient(s) named above. If you have received this transmission in error, please notify the sender immediately and permanently delete the e-mail and any copies, printouts or attachments thereof.<br> <br> <br> ------------------------------------------------------------------------------<br> This SF.net email is sponsored by:<br> High Quality Requirements in a Collaborative Environment.<br> Download a free trial of Rational Requirements Composer Now!<br> <a href="http://p.sf.net/sfu/www-ibm-com" target="_blank">http://p.sf.net/sfu/www-ibm-com</a><br> _______________________________________________<br> Nagios-users mailing list<br> <a href="mailto:Nagios-users@lists.sourceforge.net">Nagios-users@lists.sourceforge.net</a><br> <a href="https://lists.sourceforge.net/lists/listinfo/nagios-users" target="_blank">https://lists.sourceforge.net/lists/listinfo/nagios-users</a><br> ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.<br> ::: Messages without supporting info will risk being sent to /dev/null<br> </blockquote></div><br></div>