I know what you're saying, and I thought the check_diff option did that. My mistake. If not, I don't think there's a way to do it.
On Fri, Apr 22, 2011 at 4:53 PM, satish patel <[email protected]> wrote:
> Thanks Dan,
>
> I have that option, and it's working, but the problem is it's dumping the full
> iptables -L -n output in my email alerts. I want only the diff output of
> particular changes in iptables. Do you know what I am saying?
>
> <!-- Monitoring firewall rules -->
> <rule id="100004" level="10">
> <if_sid>530</if_sid>
> <match>ossec: output: 'iptables -S</match>
> <check_diff />
> <description>Change made to iptables</description>
> </rule>
>
>
> On Fri, Apr 22, 2011 at 4:35 PM, dan (ddp) <[email protected]> wrote:
>> It should be possible. Try adding <check_diff /> to the rule.
>>
>> More info:
>> http://dcid.me/2010/03/alerting-when-a-log-or-output-of-a-command-changes/
>>
>> On Fri, Apr 22, 2011 at 4:28 PM, satish patel <[email protected]> wrote:
>>> Thanks Dan,
>>>
>>> Is it possible to get the diff output of my iptables command? Currently it's
>>> dumping the full output. It would be good if we had only the diff output.
>>>
>>> -S
>>>
>>>
>>> On Fri, Apr 22, 2011 at 4:11 PM, dan (ddp) <[email protected]> wrote:
>>>> There is no setting to do what you want. You'll have to dig into the
>>>> source.
>>>>
>>>> On Fri, Apr 22, 2011 at 3:46 PM, satish patel <[email protected]> wrote:
>>>>> Hey Guys!
>>>>>
>>>>> I am monitoring iptables output and doing check_diff to compare and
>>>>> alert, but somehow I am getting half the output of "iptables -L -n". I know
>>>>> there is a limit on email alert output.
>>>>>
>>>>> Can we increase the limit?
>>>>>
>>>>> -S
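The thread asks for an alert that contains only what changed between two runs of `iptables -S`, rather than the whole rule set. The following is an added example, not code from the thread or from OSSEC: it parses two snapshots of `iptables -S` output (the snapshots below are constructed for the example), separates chain policy lines from rule lines, and reduces them to changed policies plus added and removed rules. The `BEFORE`/`AFTER` strings and the function names are assumptions made for this illustration.

```python
import difflib

# Constructed sample snapshots of `iptables -S` output (not taken from the thread).
BEFORE = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

# Same host after two changes: the INPUT default policy was loosened and a port was opened.
AFTER = """\
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
"""


def parse_rules(output):
    """Split `iptables -S` text into (policies, rules).

    policies maps chain name -> default policy (from `-P` lines);
    rules is the ordered list of all other non-empty lines, duplicates preserved.
    """
    policies = {}
    rules = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("-P "):
            _, chain, policy = line.split()
            policies[chain] = policy
        else:
            rules.append(line)
    return policies, rules


def rule_changes(before, after):
    """Return only the differences between two snapshots as a dict."""
    old_pol, old_rules = parse_rules(before)
    new_pol, new_rules = parse_rules(after)

    # Policy changes are keyed by chain so a DROP -> ACCEPT flip is called out explicitly.
    policy_changes = {
        chain: (old_pol.get(chain), new_pol.get(chain))
        for chain in sorted(set(old_pol) | set(new_pol))
        if old_pol.get(chain) != new_pol.get(chain)
    }

    # Sequence diff on the rule lines: rule order matters in iptables, so a
    # re-ordered rule shows up as a removal plus an insertion rather than being ignored.
    matcher = difflib.SequenceMatcher(a=old_rules, b=new_rules, autojunk=False)
    removed, added = [], []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(old_rules[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(new_rules[j1:j2])

    return {"policies": policy_changes, "removed": removed, "added": added}


def format_alert(changes):
    """Render a change set as a compact alert body (one line per change)."""
    lines = []
    for chain, (old, new) in changes["policies"].items():
        lines.append(f"policy {chain}: {old} -> {new}")
    lines.extend(f"- {rule}" for rule in changes["removed"])
    lines.extend(f"+ {rule}" for rule in changes["added"])
    return "\n".join(lines) if lines else "no changes"


if __name__ == "__main__":
    print(format_alert(rule_changes(BEFORE, AFTER)))
```

Run stand-alone it prints the policy flip on INPUT and the single added rule, which is the kind of short body the thread was after instead of the full `iptables -L -n` listing. If the previous snapshot is kept on disk between runs (an assumption, not something the thread describes), the summary produced here is small enough to fit comfortably within an email alert size limit.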
