Oh never mind... I'm way off :)
Found more info on usage... http://www.ossec.net/dcid/?p=198

This is the example:

    <localfile>
      <log_format>full_command</log_format>
      <command>netstat -tan |grep LISTEN|grep -v 127.0.0.1</command>
    </localfile>

As far as the duplicate alerts, you'll probably need to do some work and create rules to 'ignore' in local_rules.xml or wherever...

On Fri, Oct 15, 2010 at 11:49 AM, Jeremy Lee <[email protected]> wrote:
> From the short description, "The command to run a all output will be read
> as a log file.," it seems like you can now have OSSEC audit any commands
> that are run in the shell?
>
> Can someone please clarify further? I am also interested to know exactly
> what this does.
>
> On Fri, Oct 15, 2010 at 11:35 AM, Hac Phan <[email protected]> wrote:
>
>> Hi,
>>
>> In the documentation:
>> http://www.ossec.net/doc/syntax/head_ossec_config.localfile.html
>>
>> There's an option called "localfile.command". However, it doesn't seem
>> like it's very well documented. Can anyone clarify what the option is
>> supposed to do?
>>
>> What I'm trying to do is filter /var/log/messages using a grep statement
>> since this one server's /var/log/messages have other servers' logs as well.
>> Naturally, OSSEC detects the errors twice (one on the original server and
>> one on this server). I want to filter /var/log/messages before OSSEC goes
>> through it looking for errors.
>>
>> Thanks in advance.
>>
>> --
>> Hac Phan
>> Unix System Administrator
>> Network & Infrastructure, RSSP-IT
>> UC Berkeley
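As an added illustration (not part of the thread or of OSSEC's own documentation) of the two pieces discussed above, the fragments below put the command-output input into ossec.conf and pair it with a level-0 local rule that silences syslog events carrying another host's name, which is the "rules to ignore" approach suggested for the duplicate alerts. The hostname `otherhost`, the rule id `100100` and the alias `listening-ports` are placeholders chosen for this example.

```xml
<!-- ossec.conf fragment: run a command and feed its output to the analysis
     engine. 'full_command' (as in the thread) delivers the whole output as one
     event; 'command' delivers each output line as its own event, which is the
     better choice when individual lines should be matched by rules. -->
<ossec_config>
  <localfile>
    <log_format>command</log_format>
    <command>netstat -tan | grep LISTEN | grep -v 127.0.0.1</command>
    <!-- alias is a placeholder name used to identify this input in alerts -->
    <alias>listening-ports</alias>
  </localfile>
</ossec_config>

<!-- local_rules.xml fragment: forwarded lines in /var/log/messages still carry
     the originating host's syslog hostname. A level-0 child rule matching that
     hostname suppresses the alert on this box; the originating host keeps
     alerting on its own copy. 'otherhost' and 100100 are placeholders. -->
<group name="local,syslog,">
  <rule id="100100" level="0">
    <if_group>syslog</if_group>
    <hostname>otherhost</hostname>
    <description>Ignore syslog events forwarded from otherhost (already alerted there)</description>
  </rule>
</group>
```

After changing either file, run ossec-logtest with a sample forwarded line to confirm the level-0 rule is the one that fires before restarting OSSEC.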
