So I've been trying to figure out how to get a custom attack detection script to play well with OSSEC AR. After some further testing, I noticed the following:
- I can manually echo an attack message to the file that the OSSEC agent is monitoring, and analysisd appears to do its job and report the attack on the server.
- If I grep for the same attack message from a logtailed segment of a larger log, and output that to the file monitored by the OSSEC agent, no alerts show up. There are over 500 attack messages that come back when I grep for it as well. So they are definitely getting written to the file that the OSSEC agent is monitoring...

I'm unclear as to why it would work when I manually inject the message into the file versus grepping for the same message and outputting that to the same file. Does it have anything to do with the way analysisd is reading the file?
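One thing worth checking before looking at the agent itself is what the two write patterns do at the file level: `echo ... >> file` appends to the end, while `grep ... > file` truncates the file to zero bytes and rewrites it from the start. A reader that remembers a byte offset sees those two cases very differently. The script below is an added example, not code from the original post and not OSSEC's logcollector; it models a deliberately minimal offset-tracking tailer and runs both write patterns against it. The log line, host name and IP address are constructed sample data.

```python
"""Compare append vs truncate-and-rewrite as seen by an offset-based tailer.

Simplified model of a tail -f style reader; NOT OSSEC's logcollector.
"""
import os
import tempfile

# Constructed sample line (hypothetical host and RFC 5737 test address).
ATTACK_LINE = "Jan 01 00:00:00 web01 app: ATTACK DETECTED src=203.0.113.5"
NORMAL_LINE = "Jan 01 00:00:00 web01 app: normal startup"


class OffsetTailer:
    """Remember a byte offset; return complete lines written after it."""

    def __init__(self, path):
        self.path = path
        self.offset = os.path.getsize(path)  # start at EOF, like tail -f
        self.partial = b""                   # incomplete trailing line

    def poll(self):
        with open(self.path, "rb") as fh:
            fh.seek(self.offset)
            chunk = fh.read()
            self.offset = fh.tell()
        data = self.partial + chunk
        lines = data.split(b"\n")
        self.partial = lines.pop()           # text after the last newline
        return [line.decode("utf-8", "replace") for line in lines if line]


def append_lines(path, lines):
    """Equivalent of `cmd >> path`: open for append, write at EOF."""
    with open(path, "a") as fh:
        for line in lines:
            fh.write(line + "\n")


def overwrite_with(path, lines):
    """Equivalent of `cmd > path`: truncate to 0 bytes, then write."""
    with open(path, "w") as fh:
        for line in lines:
            fh.write(line + "\n")


def seed_log(path):
    with open(path, "w") as fh:
        fh.write((NORMAL_LINE + "\n") * 3)


def run_scenarios():
    tmpdir = tempfile.mkdtemp()
    hits = [f"{ATTACK_LINE} id={i}" for i in range(500)]  # constructed grep output

    # Scenario 1: a single manual echo >> monitored file.
    path = os.path.join(tmpdir, "monitored.log")
    seed_log(path)
    tailer = OffsetTailer(path)
    append_lines(path, [ATTACK_LINE])
    after_append = tailer.poll()

    # Scenario 2: grep output redirected with > (truncate, then rewrite).
    # The tailer's offset still points into the OLD content, so it resumes
    # mid-way through the new content and the first line it sees is garbage.
    overwrite_with(path, hits)
    after_overwrite = tailer.poll()

    # Scenario 3: the same 500 hits appended with >> semantics instead.
    path2 = os.path.join(tmpdir, "monitored2.log")
    seed_log(path2)
    tailer2 = OffsetTailer(path2)
    append_lines(path2, hits)
    after_append_all = tailer2.poll()

    return {
        "append": len(after_append),
        "overwrite": len(after_overwrite),
        "overwrite_first_line_clean": (
            bool(after_overwrite) and after_overwrite[0].startswith("Jan 01")
        ),
        "append_all": len(after_append_all),
    }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

With this reader the single appended line is seen cleanly, the truncate-and-rewrite case yields a partial first line and fewer than 500 complete lines, and appending all 500 hits yields 500. This shows only that the two redirections are not equivalent for an offset-tracking reader; whether the real agent is affected the same way is something to test directly, for example by comparing the monitored file's size before and after the grep, and by retrying the grep with `>>` instead of `>`.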
