On Fri, Oct 15, 2010 at 2:35 PM, Hac Phan <[email protected]> wrote:
> Hi,
>
> In the documentation:
> http://www.ossec.net/doc/syntax/head_ossec_config.localfile.html
>
> There's an option called "localfile.command". However, it doesn't seem like
> it's very well documented. Can anyone clarify what the option is supposed to do?
>
> What I'm trying to do is filter /var/log/messages using a grep statement, since
> this one server's /var/log/messages has other servers' logs as well. Naturally,
> OSSEC detects the errors twice (one on the original server and one on this
> server). I want to filter /var/log/messages before OSSEC goes through it looking
> for errors.
>
> Thanks in advance.
>
> --
> Hac Phan
> Unix System Administrator
> Network & Infrastructure, RSSP-IT
> UC Berkeley
If you don't want to monitor /var/log/messages you'll have to remove the configuration to look at that file. It'll be something like:

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/messages</location>
</localfile>

The following link explains the command monitoring:
http://www.ossec.net/doc/manual/monitoring/process-monitoring.html?highlight=full_command

Basically you set up the command like so:

<localfile>
  <log_format>full_command</log_format>
  <command>SOME_COMMAND_HERE</command>
</localfile>

Now, every so often the <command> will be run on the host it is configured for (in the ossec.conf of that system, or a properly configured agent.conf), and the output read as if it were a log file. You'll probably have to write rules for the output. There are a couple of default ones, but not many.
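For anyone wanting to put something concrete into the <command> slot above, here is a filter script that does what the original question asked for: it hands OSSEC only the /var/log/messages lines written by the local host, and only the lines that have not been handed over by a previous poll, so the command-monitoring loop does not re-alert on the same old entries every interval. This is an added example for this thread, not code from the reply above or from OSSEC itself. It assumes the classic syslog layout ("Mon DD HH:MM:SS host prog[pid]: msg", hostname in the fourth field), a small state file that records how many lines have already been emitted, and the script name, paths and sample lines are all mine.

```shell
#!/bin/sh
# filter_local_syslog.sh: added example for this thread, not OSSEC's own code.
# Emits only the syslog lines written by one host, and only lines not already
# emitted by an earlier run, so it can be polled from a <localfile> with
# <log_format>command</log_format> without re-alerting on old entries.
#
# Assumptions (mine, not from the original post): lines use the classic
# "Mon DD HH:MM:SS host prog[pid]: msg" layout, so the hostname is field 4,
# and a state file records how many lines have already been handed over.

filter_local_syslog() {
    logfile=$1   # e.g. /var/log/messages
    host=$2      # hostname whose lines we keep, e.g. "$(hostname -s)"
    state=$3     # file holding the count of lines already emitted

    total=$(( $(wc -l < "$logfile") ))
    seen=0
    if [ -f "$state" ]; then
        seen=$(( $(cat "$state") ))
    fi
    # Fewer lines than last time means the file was rotated or truncated:
    # start again from the top so nothing after the rotation is lost.
    if [ "$seen" -gt "$total" ]; then
        seen=0
    fi

    # Copy the unseen tail first, then count it, so lines appended while we
    # run are neither skipped nor emitted twice on the next poll.
    new=$(mktemp)
    tail -n +"$((seen + 1))" "$logfile" > "$new"
    added=$(( $(wc -l < "$new") ))
    # Keep only lines whose hostname field matches; the other servers'
    # entries are already alerted on by their own agents.
    awk -v h="$host" '$4 == h' "$new"
    rm -f "$new"
    echo $((seen + added)) > "$state"
}

# Constructed sample lines (not from the original post) for the demo below:
# a mix of local (web1) and forwarded (db2) entries in one messages file.
SAMPLE_LOG='Oct 15 14:35:01 web1 sshd[123]: Failed password for root from 10.0.0.5
Oct 15 14:35:02 db2 kernel: eth0: link down
Oct 15 14:35:03 web1 sudo: admin : TTY=pts/0 ; COMMAND=/bin/ls'

# Three consecutive polls over a temporary copy of the sample log: the first
# prints the two web1 lines, the second prints nothing (already seen), the
# third prints only the line appended in between.
demo_run() {
    d=$(mktemp -d)
    printf '%s\n' "$SAMPLE_LOG" > "$d/messages"
    filter_local_syslog "$d/messages" web1 "$d/state"
    filter_local_syslog "$d/messages" web1 "$d/state"
    echo 'Oct 15 14:36:00 web1 cron[77]: (root) CMD (run-parts)' >> "$d/messages"
    filter_local_syslog "$d/messages" web1 "$d/state"
    rm -rf "$d"
}

# When ossec-logcollector calls the script with three arguments, run the
# filter; with no arguments only the functions are defined (for the demo).
if [ "$#" -eq 3 ]; then
    filter_local_syslog "$@"
fi
```

To wire it in, the stanza would look like the one in the reply, with the script and its arguments in place of SOME_COMMAND_HERE, for example <command>/usr/local/bin/filter_local_syslog.sh /var/log/messages web1 /var/ossec/var/filter.state</command> (hypothetical paths). Use <log_format>command</log_format> rather than full_command here: per the process-monitoring page linked above, command treats each output line as a separate event, which is what you want for syslog lines, while full_command treats the entire output as one event; <frequency> controls how often the command is polled. Two caveats worth keeping in mind: ossec-logcollector runs the command as root, so the script should be owned by root and not writable by anyone else, since whoever can edit it gets root at every poll; and the state-file approach only tracks position by line count, so if the file is rotated and immediately regrows past the old count before the next poll, the lines in between are reported twice at worst, never silently dropped.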
