Thanks Dan... Basically, I'm having OSSEC monitor logtailed output of a larger file (the logtailed output is written to a file that I'm having OSSEC monitor). The reason I'm doing this is because the larger file is so large and grows so fast that OSSEC would end up using a significant number of cycles just trying to keep up analyzing it. My only other options are A) send the logs via syslog (or some other mechanism) to the OSSEC server or B) have the OSSEC agent monitor a condensed version of the log. The catch is that I want active response to fire off when the "We're under attack" message exceeds X times, and that does not work with option A (I had started another discussion on this previously). So that leaves me with option B, which I still have yet to get fully working :)
For some reason, using the write/append (>, >>) redirects doesn't seem to cause alerts to trigger. I'll look into turning logall on at some point, but I just tried using tee to tee the output to the condensed log and the alerts showed up on the OSSEC server!: 'grep "We are under attack" | tee /var/log/messages > /dev/null'

On a separate note, I still need to figure out the AR portion as it didn't fire.

On Wed, Feb 23, 2011 at 11:35 AM, dan (ddp) <[email protected]> wrote:
> On Wed, Feb 23, 2011 at 2:29 PM, jplee3 <[email protected]> wrote:
> > So I've been trying to figure out how to get a custom attack detection script to play well with OSSEC AR. After some further testing, I noticed the following:
> >
> > - I can manually echo an attack message to the file that the OSSEC agent is monitoring and analysisd appears to do its job and report the attack on the server.
> >
> > - If I grep for the same attack message from a logtailed segment of a larger log, and output that to the file monitored by the OSSEC agent, no alerts show up.
> >
>
> It may be the headache, but I don't understand what you're doing.
> Something like:
> tail -f file | grep 'We are under attack!' >> /var/log/messages
> ?
>
> > There are over 500 attack messages that come back when I grep for it as well. So they are definitely getting written to the file that the OSSEC agent is monitoring... I'm unclear as to why it would work when I manually inject the message into the file versus grepping for the same message and outputting that to the same file.
> >
> > Does it have anything to do with the way analysisd is reading the file?
>
> Do the messages get sent to the manager? (use <logall> to find out)
>
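The wiring the thread is circling around (a dedicated condensed file on the agent, a rule that escalates only when the attack message repeats, and an active response bound to that escalation rule) looks like this. It is an added example, not configuration from the thread or from OSSEC's shipped files: the path /var/log/attacks.log, the rule IDs 100100/100101, the threshold of 10 matches in 60 seconds, and the script name custom-block.sh are all assumptions to be adjusted to your deployment.

```xml
<!-- Added example, not from the thread. Paths, rule IDs, threshold and the
     script name are assumptions; adjust them to your deployment. -->

<!-- 1. Agent ossec.conf: tail the condensed file that the grep pipeline
        appends to. /var/log/attacks.log is an assumed path; a dedicated
        file avoids clobbering /var/log/messages. -->
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/attacks.log</location>
  </localfile>
</ossec_config>

<!-- 2. Manager /var/ossec/rules/local_rules.xml: match one attack line
        (plain substring match, no decoder needed), then escalate when it
        repeats. 100100/100101 are assumed IDs in the local-rule range. -->
<group name="local,custom_attack,">
  <rule id="100100" level="5">
    <match>We are under attack</match>
    <description>Custom attack detector reported an attack.</description>
  </rule>

  <rule id="100101" level="10" frequency="10" timeframe="60">
    <if_matched_sid>100100</if_matched_sid>
    <description>Custom attack detector: repeated attack reports within 60s.</description>
  </rule>
</group>

<!-- 3. Manager ossec.conf: bind an active response to the escalation rule
        only, so a single attack line never triggers it. custom-block.sh is
        an assumed script that must exist, executable, in
        /var/ossec/active-response/bin/ on the agent (location=local). -->
<ossec_config>
  <command>
    <name>custom-block</name>
    <executable>custom-block.sh</executable>
    <expect></expect>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <command>custom-block</command>
    <location>local</location>
    <rules_id>100101</rules_id>
  </active-response>
</ossec_config>
```

Three checks worth doing before blaming analysisd: feed one attack line to /var/ossec/bin/ossec-logtest on the manager and confirm rule 100100 matches; confirm the agent's own ossec.conf does not carry `<active-response><disabled>yes</disabled></active-response>`, since that silently suppresses every AR on that host; and after a burst, look in /var/ossec/logs/active-responses.log on the agent for the script invocation. Two caveats on the pipeline itself: `tee /var/log/messages` without `-a` truncates /var/log/messages on every run, so write to the dedicated file with `tee -a` or `>>` instead; and OSSEC's rule documentation notes that the effective trigger count for `frequency` is two more than the value set, so tune the threshold against real event bursts rather than taking the number literally.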
