On Mon, Feb 1, 2010 at 2:03 PM, Alisha Kloc <[email protected]> wrote:
> Bump.
>
> If I use a command between the <command> tags which returns multi-line
> results, such as a ps | grep mysql, will OSSEC process the results one
> line at a time, or will it read all the lines as a single log entry?
>
> I have set up a command like this, but nothing's coming through to
> OSSEC and now I'm trying to debug. My custom decoders and rules check
> out with ossec_logtest, so presumably the problem is happening
> sometime before the decoders get called. If OSSEC is reading all the
> lines as a single log, that might explain it, but I can't figure out
> how to test that as I don't have a way of reducing the command output
> in question to one line at a time. (I also can't post log samples,
> unfortunately, but like I said ossec_logtest checks out correctly.)
>
> Thanks!
Based on the manual's description of the feature (http://www.ossec.net/main/manual/manual-process-monitoring/), I'd guess that it handles each line independently. The example uses 'df -h,' which outputs multiple lines of output. The example rule uses matches and regexes that appear to look at each line of output separately. Could you describe what you are looking for? I know you can't post samples, but I'm having trouble coming up with an example to test that utilizes something like 'ps | grep mysql.' The only thing I've come up with is looking for a process not running, and I'm also having trouble thinking about how to do that at the moment. I blame a lack of coffee.
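Added example (not from either message above, and not OSSEC's own sample config): one way to get the "process not running" check the reply is reaching for. With log_format "command", OSSEC runs the command, takes each line of output as its own event, and prefixes it with `ossec: output: '<alias or command>': ` so the built-in rule 530 picks it up. Reducing the command to a single line of output (a process count) sidesteps the multi-line question entirely and makes the rule trivial. Assumptions: the daemon is named mysqld, procps `pgrep` is installed, the alias name mysqld-check and rule id 100200 are chosen here, and the rule goes in local_rules.xml.

```xml
<!-- ossec.conf: run the check every 60 seconds. pgrep -c prints the
     number of matching processes, so the output is always one line,
     e.g. "1" when mysqld is up and "0" when it is not. -->
<ossec_config>
  <localfile>
    <log_format>command</log_format>
    <command>pgrep -c mysqld</command>
    <alias>mysqld-check</alias>
    <frequency>60</frequency>
  </localfile>
</ossec_config>

<!-- local_rules.xml: the event OSSEC generates looks like
       ossec: output: 'mysqld-check': 0
     The $ anchor keeps "0" from matching a count such as "10". -->
<group name="local,process_monitor,">
  <rule id="100200" level="10" ignore="3600">
    <if_sid>530</if_sid>
    <regex>^ossec: output: 'mysqld-check': 0$</regex>
    <description>mysqld is not running (process monitor).</description>
  </rule>
</group>
```

To check the rule without waiting for the scheduler, feed the exact line `ossec: output: 'mysqld-check': 0` to ossec_logtest; it should fire 100200 under 530, while `ossec: output: 'mysqld-check': 1` should stop at 530. The ignore attribute suppresses repeat alerts for an hour so a long outage does not page once a minute.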
