On Wed, Feb 23, 2011 at 2:29 PM, jplee3 <[email protected]> wrote:
> So I've been trying to figure out how to get a custom attack detection
> script to play well with OSSEC AR. After some further testing, I
> noticed the following:
>
> - I can manually echo an attack message to the file that the OSSEC
> agent is monitoring and analysisd appears to do its job and report
> the attack on the server.
>
> - If I grep for the same attack message from a logtailed segment of a
> larger log, and output that to the file monitored by the OSSEC agent,
> no alerts show up.
>
It may be the headache, but I don't understand what you're doing. Something like:

tail -f file | grep 'We are under attack!' >> /var/log/messages

?

> There are over 500 attack messages that come back when I grep for it
> as well. So they are definitely getting written to the file that the
> OSSEC agent is monitoring... I'm unclear as to why it would work when
> I manually inject the message into the file versus grepping for the
> same message and outputting that to the same file.
>
> Does it have anything to do with the way analysisd is reading the
> file?

Do the messages get sent to the manager? (use <logall> to find out)
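An added example, not code from either poster: it reproduces the two write paths described in this thread (manual echo versus grep from a tailed segment) against a scratch file, so the data path into the monitored file can be checked before looking at analysisd. File names and the attack string are constructed.

```sh
#!/bin/sh
# Reproduce both write paths on scratch files (constructed, not the real
# OSSEC paths) and check what actually lands in the monitored file.
set -eu

WORK=$(mktemp -d)
MONITORED="$WORK/monitored.log"   # stands in for the file the OSSEC agent watches
BIGLOG="$WORK/app.log"            # stands in for the larger log being tailed
ATTACK='ALERT: possible attack from 192.0.2.10'   # constructed sample message

# Constructed larger log: attack lines mixed with unrelated noise.
printf '%s\n' "noise line 1" "$ATTACK" "noise line 2" "$ATTACK" > "$BIGLOG"

# Path 1: the manual echo that produced an alert in the thread.
manual_inject() {
    echo "$ATTACK" >> "$MONITORED"
}

# Path 2: grep a tailed segment and append it. Always use >> here; a
# truncating > changes the file the agent is already positioned in.
# Prints the number of attack lines the grep should have appended.
grep_inject() {
    tail -n 100 "$BIGLOG" | grep -F "$ATTACK" >> "$MONITORED"
    grep -c -F "$ATTACK" "$BIGLOG"
}

# A line-based reader only sees complete, newline-terminated records.
# Prints the record count, or -1 if the file is empty or its last line
# has no trailing newline.
complete_lines() {
    if [ "$(tail -c 1 "$MONITORED" | wc -l | tr -d ' ')" = 1 ]; then
        wc -l < "$MONITORED" | tr -d ' '
    else
        echo -1
    fi
}

manual_inject
grep_inject > /dev/null
echo "complete records in $MONITORED: $(complete_lines)"
```

If both paths show the same complete records here, the difference seen on the real box is not in the file contents, and checking <logall> on the manager is the next step.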
