Actually, you can "hack" your way with the rules to make it work. Basically, if you have a log that is supposed to be generated every day around 11:59pm, the following example can check for it:

<rule id="xyz" level="2">
  <time>11:55 pm - 00:05 am</time>
  <regex>^log to check cron</regex>
  <description>Cron script ran.</description>
</rule>

Now you can write another rule using if_matched_sid or if_matched_regex to see if this rule was fired or not after that time....

*I still prefer the idea of having good "cron" scripts that will log failure or success at the end, so you know exactly what happened.

Hope it helps

--
Daniel B. Cid
dcid ( at ) ossec.net

On 2/5/07, Nicolas Arias <[EMAIL PROTECTED]> wrote:
I think that the feature that you are asking for is not supported, buuuuut, you can modify the script that you are running with cron to log a line, with logger, when it starts, so, then with ossec you can correlate that entry with the finished one....

Cheers!
Nico

On Mon, 2007-02-05 at 10:28 -0500, Mark Haney wrote:
> Is it possible for me to set a rule up to trigger if a particular log
> entry was NOT logged inside a time frame?
>
> I want to test for the starting and stopping of a cron job. I have all
> the rules in place for all the log entries it will generate, but I want
> to be able to test for the lack of a 'finished' log entry between say
> midnight to 11:59pm. Is this possible? Or is there a work around to
> make it possible?
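
The approach both replies in this thread point to (have the cron script log its own start and its outcome with logger, so that a rule can match a definite line instead of a missing one), as an added example that is not part of the original messages. The syslog tag, the message wording, the LOG_SINK variable and the paths in the comments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: cron wrapper that always logs an explicit start and outcome.
# CRON_TAG, LOG_SINK and the message wording are assumptions; use the same
# wording in the <regex> of the rules that watch for these lines.

CRON_TAG="${CRON_TAG:-cronjob}"   # syslog tag (hypothetical default)

# emit_log MESSAGE: send one line to syslog through logger(1).
# If LOG_SINK names a file, append there instead (dry runs, testing).
emit_log() {
    if [ -n "${LOG_SINK:-}" ]; then
        printf '%s: %s\n' "$CRON_TAG" "$1" >> "$LOG_SINK"
    else
        logger -t "$CRON_TAG" -- "$1"
    fi
}

# run_logged NAME COMMAND [ARGS...]
# Logs "NAME started", runs COMMAND, then logs "NAME finished status=0 ..."
# or "NAME FAILED status=N ...". Returns COMMAND's exit status.
run_logged() {
    name=$1
    shift
    start=$(date +%s)
    emit_log "$name started pid=$$"
    status=0
    "$@" || status=$?      # capture the status without tripping `set -e`
    elapsed=$(( $(date +%s) - start ))
    if [ "$status" -eq 0 ]; then
        emit_log "$name finished status=0 elapsed=${elapsed}s"
    else
        emit_log "$name FAILED status=$status elapsed=${elapsed}s"
    fi
    return "$status"
}

# Direct use from a crontab entry (script path and job are hypothetical):
#   59 23 * * * /usr/local/bin/run_logged.sh nightly-backup /usr/local/bin/backup.sh
if [ "$#" -gt 0 ]; then
    run_logged "$@"
fi
```

A failed run now writes its own FAILED line that an ordinary rule can match. A job that never starts, or is killed before it can log, still leaves no closing line, which is the case the time-window rule in the first reply is aimed at.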
