Thanks! I was fairly sure that each line of output gets handled individually, but it doesn't actually say anywhere and I wanted to make sure that was the case before trying any further debugging, to avoid wasted effort.
We're not actually using ps | grep mysql - that was just my original basic metaphor, and I've been reusing it for simplicity (old writing habits, sorry!) and because I can post examples of that command.

What we are actually looking for is a way to monitor Solaris audit logs with OSSEC. Since our versions of Solaris can't write logs directly to text files, our original plan was to set up cron jobs to manually run the series of commands which translates the binary audit trail to text and saves it to a syslog, and then point OSSEC to the syslog with custom decoders/rules. But this solution is impractical for a number of reasons, most of which would be alleviated if we could output the command string results directly to OSSEC. The general format of the trail is one audit record per line, like a syslog.

Ossec.conf has <command>praudit -l our.audit.trail ; audit -n</command>, which reads the audit trail, translates it to text, then rotates the audit trail so the same events aren't read multiple times. But nothing from the audit trail shows up in the manager (other events do as normal). The command appears to be read and performed correctly, since the audit trail is getting rotated on schedule, and the decoder and rules I've written match individual audit records correctly in logtest, so I don't think that's the problem. But other than those two checks, I'm hard-pressed to further isolate the cause, so I'm trying to eliminate some of the really obvious possibilities before getting into the complex details...

On Feb 2, 7:33 am, "dan (ddp)" <[email protected]> wrote:
>
> Based on the manual's description of the feature
> (http://www.ossec.net/main/manual/manual-process-monitoring/), I'd
> guess that it handles each line independently. The example uses
> 'df -h,' which outputs multiple lines of output. The example rule uses
> matches and regexes that appear to look at each line of output
> separately.
> Could you describe what you are looking for? I know you can't post
> samples, but I'm having trouble coming up with an example to test
> that utilizes something like 'ps | grep mysql.' The only thing I've
> come up with is looking for a process not running, and I'm also
> having trouble thinking about how to do that at the moment. I blame
> a lack of coffee.
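One check worth making when command output is decoded fine in logtest but never alerts on the manager: with log_format command, the agent does not ship the bare output line, it ships each line as an event of the form ossec: output: '<command>': <line> (the prefix the stock rule 530 keys on, per the process-monitoring manual page linked above), and with full_command the whole output arrives as one event. A decoder written against bare praudit -l records will match in logtest and still never fire on the real events. The Python below is an added example, not code from the poster, the thread, or the OSSEC project: it models that wrapping for the praudit command from the post and shows a decoder regex with and without the prefix. The audit records are constructed, with a field layout approximating praudit -l output, and the exact spacing of the ossec: output: prefix is an assumption in this model.

```python
import re

# Constructed sample records in the one-record-per-line style of `praudit -l`.
# Field layout is approximated from Solaris audit documentation; these are not
# real records from any system.
SAMPLE_PRAUDIT_LINES = [
    "header,119,2,login - local,,solhost,2012-02-02 07:33:10.000 -05:00,"
    "subject,root,root,root,root,root,2047,3310,0 0 solhost,"
    "text,successful login,return,success,0",
    "header,124,2,login - ssh,,solhost,2012-02-02 07:35:41.000 -05:00,"
    "subject,jdoe,jdoe,staff,jdoe,staff,2101,3312,0 0 198.51.100.7,"
    "text,invalid password,return,failure,1",
    "header,96,2,su,,solhost,2012-02-02 07:36:02.000 -05:00,"
    "subject,jdoe,root,staff,jdoe,staff,2109,3312,0 0 198.51.100.7,"
    "return,success,0",
]

# The <command> from the post, as OSSEC would echo it in the event prefix.
COMMAND = "praudit -l our.audit.trail ; audit -n"


def wrap_command_output(command, lines, full=False):
    """Model how OSSEC presents monitored command output to the decoders.

    log_format=command      -> one event per output line, each prefixed.
    log_format=full_command -> the whole output as a single event.
    The prefix format follows the OSSEC manual; exact spacing is assumed.
    """
    prefix = "ossec: output: '%s':" % command
    if full:
        return [prefix + "\n" + "\n".join(lines)]
    return [prefix + " " + line for line in lines]


# Field pattern for one praudit -l record (header ... subject ... return).
PRAUDIT_RECORD = (
    r"header,(?P<bytes>\d+),(?P<version>\d+),(?P<event>[^,]*),(?P<modifier>[^,]*),"
    r"(?P<host>[^,]*),(?P<timestamp>[^,]*),subject,(?P<audit_uid>[^,]*),"
    r"(?P<uid>[^,]*),(?P<gid>[^,]*),(?P<ruid>[^,]*),(?P<rgid>[^,]*),"
    r"(?P<pid>\d+),(?P<sid>\d+),(?P<terminal>[^,]*)"
    r".*,return,(?P<status>success|failure),(?P<retval>\d+)$"
)

# A decoder written against bare praudit lines (what one tests in logtest).
RAW_DECODER = re.compile(r"^" + PRAUDIT_RECORD)

# The same decoder expecting the command-monitoring prefix the agent adds.
PREFIXED_DECODER = re.compile(r"^ossec: output: '(?P<cmd>[^']*)': " + PRAUDIT_RECORD)


def decode(event, pattern):
    """Return the decoded fields for one event, or None if the decoder misses."""
    m = pattern.match(event)
    return m.groupdict() if m else None


def decode_all(events, pattern):
    return [decode(e, pattern) for e in events]


def failed_logins(decoded):
    """Rule-style check: uids with a failed login record among decoded events."""
    return [d["uid"] for d in decoded
            if d is not None and d["event"].startswith("login") and d["status"] == "failure"]


if __name__ == "__main__":
    events = wrap_command_output(COMMAND, SAMPLE_PRAUDIT_LINES)
    print("raw decoder hits on shipped events:",
          sum(d is not None for d in decode_all(events, RAW_DECODER)))
    print("prefixed decoder hits on shipped events:",
          sum(d is not None for d in decode_all(events, PREFIXED_DECODER)))
    print("failed logins:", failed_logins(decode_all(events, PREFIXED_DECODER)))
```

The same split applies to the OSSEC decoder XML: a prematch on the bare record works against pasted praudit lines in logtest, but the shipped event has to be matched either by chaining a child decoder and rules under the stock ossec: output: handling (if_sid 530) or by including the prefix in the prematch. Pasting a line in the shipped form into logtest, rather than the bare record, reproduces what the manager actually sees.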
