I'm using an OSSEC configuration on a web server which is hosting a very critical application for my organization. I want to know how I can use OSSEC to monitor changes to the system.

I'm new to using OSSEC, but common sense says I'm monitoring each and every file (e.g. hosts, netstat output). In such a case, does OSSEC provide a best-practice guide (a top 10 list of things to watch) on a targeted server to help someone like me?

Thanks.

Mat
asadz

1 Answer

What you seem interested in is the integrity checking feature of OSSEC. You can start by taking a look at the documentation of that feature at http://www.ossec.net/doc/manual/syscheck/index.html. It has some examples and a FAQ section at the end.

Nonetheless, OSSEC's most powerful feature is log aggregation and analysis; besides checking file integrity, you could keep an eye on the logs of the web server to look for possible errors. You should also consider running an OSSEC agent on the server and putting the OSSEC server somewhere else. There are too many considerations to explain briefly in a post; if you are really interested, I would recommend you get your hands on the book OSSEC Host-Based Intrusion Detection Guide. It's not too long and it's quite detailed.

Jorge Núñez
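As an added illustration (not part of the answer above, nor taken from OSSEC's own documentation), this is the kind of syscheck section in ossec.conf the answer points at: an agent on the web server reporting to a separate OSSEC server, watching a short list of high-value paths instead of every file. The server address 10.0.0.5 and the paths under /var/www and /etc/nginx are assumed placeholders.

```xml
<!-- ossec.conf fragment for the agent on the web server (added example; IP and web paths are placeholders) -->
<ossec_config>
  <!-- Agent mode: alerts go to an OSSEC server hosted elsewhere, as the answer recommends -->
  <client>
    <server-ip>10.0.0.5</server-ip>
  </client>

  <syscheck>
    <!-- Full scan every 6 hours (value in seconds); realtime watches catch changes in between -->
    <frequency>21600</frequency>
    <scan_on_start>yes</scan_on_start>
    <!-- Raise an alert when a new file appears in a monitored directory (seen on scheduled scans) -->
    <alert_new_files>yes</alert_new_files>

    <!-- Small, high-value set: host resolution, accounts, SSH daemon config.
         report_changes keeps a copy so the alert can show a diff of text files. -->
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc/hosts,/etc/passwd,/etc/shadow,/etc/ssh/sshd_config</directories>

    <!-- Application code and web server configuration (assumed locations) -->
    <directories check_all="yes" realtime="yes">/var/www,/etc/nginx</directories>

    <!-- System binaries: scheduled scans only, these rarely change outside of package updates -->
    <directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories>

    <!-- Exclude paths that churn constantly, otherwise integrity alerts become noise -->
    <ignore>/var/www/cache</ignore>
    <ignore>/var/www/uploads</ignore>
    <ignore type="sregex">.log$|.tmp$</ignore>
  </syscheck>
</ossec_config>
```

Realtime monitoring relies on inotify on Linux, so the agent must be built with that support; without it the directories are still checked on the scheduled scan.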