Hi list,
My team is trying to use the check_diff feature to monitor logins via
wtmp, using OSSEC 2.4. We implemented the rule by copying what Daniel
Cid describes at
http://dcid.me/2010/03/alerting-when-a-log-or-output-of-a-command-changes,
and modifying with the appropriate command and parameters:
<localfile>
  <log_format>command</log_format>
  <command>last -R</command>
</localfile>

<rule id="140200" level="3">
  <if_sid>530</if_sid>
  <match>ossec: output: 'last -R</match>
  <check_diff />
  <description>Successful login.</description>
</rule>
However, we get about 30 alerts every time the process monitor runs,
even if no one has logged in. It seems to read each line of the
multi-line output as an individual response, and alerts on each line
because it's not the same as the line before it.
We want check_diff to process the entire output as a single unit, and
alert only if the whole unit is changed, i.e., if a new login is added
to the log.
Both examples provided for the check_diff feature seem to imply it's
capable of handling multi-line output, so why isn't it working here?
Thanks!
-Alisha Kloc
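As an added illustration (not part of the original post and not OSSEC's own code), here is a small model of the two comparison behaviours the post contrasts: feeding a check_diff rule one line per event versus the whole command output as one event. The rule id 140200 comes from the post; the `last -R` sample lines are constructed.

```python
# Added example: models how a <check_diff /> rule behaves when multi-line
# command output arrives one line per event versus as a single unit.
# This is a simplified model, not OSSEC's implementation.

from typing import Dict, List


def check_diff_events(events: List[str], state: Dict[str, str], rule_id: str) -> List[str]:
    """Model of <check_diff />: each event matched by the rule is compared with
    the last value stored for that rule; an alert fires when it differs."""
    alerts = []
    for event in events:
        if state.get(rule_id) != event:
            alerts.append(event)
            state[rule_id] = event  # remember the new value for the next comparison
    return alerts


def alerts_per_line(outputs: List[str]) -> List[int]:
    """Each output line is its own event (the behaviour the post describes):
    returns the number of alerts raised on each run of the command."""
    state: Dict[str, str] = {}
    return [len(check_diff_events(out.splitlines(), state, "140200")) for out in outputs]


def alerts_whole_unit(outputs: List[str]) -> List[int]:
    """The whole output is one event (the behaviour the poster wants)."""
    state: Dict[str, str] = {}
    return [len(check_diff_events([out], state, "140200")) for out in outputs]


# Constructed sample of `last -R` output; RUN2 is RUN1 with one new login on top.
RUN1 = "\n".join([
    "alice  pts/0  Mon Mar  1 09:00   still logged in",
    "bob    pts/1  Sun Feb 28 17:12 - 17:40  (00:28)",
    "alice  pts/0  Sun Feb 28 08:55 - 12:03  (03:08)",
    "",
    "wtmp begins Mon Feb  1 00:00:01 2010",
])
RUN2 = "\n".join(["carol  pts/2  Mon Mar  1 10:30   still logged in", RUN1])

if __name__ == "__main__":
    # Per-line: every run alerts once per line, because consecutive lines differ
    # from each other even when nothing changed between runs.
    print(alerts_per_line([RUN1, RUN1, RUN2]))
    # Whole unit: alerts only on the first run and on the run where a login was added.
    print(alerts_whole_unit([RUN1, RUN1, RUN2]))
```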