Bump. If I use a command between the <command> tags which returns multi-line results, such as a ps | grep mysql, will OSSEC process the results one line at a time, or will it read all the lines as a single log entry?
I have set up a command like this, but nothing's coming through to OSSEC and now I'm trying to debug. My custom decoders and rules check out with ossec_logtest, so presumably the problem is happening sometime before the decoders get called. If OSSEC is reading all the lines as a single log, that might explain it, but I can't figure out how to test that as I don't have a way of reducing the command output in question to one line at a time. (I also can't post log samples, unfortunately, but like I said ossec_logtest checks out correctly.) Thanks!

On Jan 20, 9:53 am, Alisha Kloc <[email protected]> wrote:
> Hi Daniel,
>
> I have one more quick question about how process monitoring works, if
> you don't mind: How will OSSEC process commands that return multi-line
> output? To use my previous example, if ps aux | grep mysql returns the
> following lines:
>
> root 5481 0.0 0.0 4540 1288 ? S 17:25 0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --socket=/var/lib/mysql/mysql.sock --log-error=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid
> mysql 5541 0.3 1.2 136776 18016 ? Sl 17:25 0:02 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --socket=/var/lib/mysql/mysql.sock
> root 7793 0.0 0.0 3924 668 pts/1 R+ 17:38 0:00 grep mysql
>
> will OSSEC treat that as a single line, or will it understand the
> three lines are separate and apply decoders/rules accordingly?
>
> Thanks!
> -Alisha
