Hi Alisha,

Try to use full_command as the log format. It will treat the whole output as one ...

thanks,

On Thu, Jul 28, 2011 at 5:22 PM, Alisha Kloc <[email protected]> wrote:
> Hi list,
>
> My team is trying to use the check_diff feature to monitor logins via
> wtmp, using OSSEC 2.4. We implemented the rule by copying what Daniel
> Cid describes at
> http://dcid.me/2010/03/alerting-when-a-log-or-output-of-a-command-changes,
> and modifying with the appropriate command and parameters:
>
> <localfile>
>   <log_format>command</log_format>
>   <command>last -R</command>
> </localfile>
>
> <rule id="140200" level="3">
>   <if_sid>530</if_sid>
>   <match>ossec: output: 'last -R</match>
>   <check_diff />
>   <description>Successful login.</description>
> </rule>
>
> However, we get about 30 alerts every time the process monitor runs,
> even if no one has logged in. It seems to read each line of the
> multi-line output as an individual response, and alerts on each line
> because it's not the same as the line before it.
>
> We want check_diff to process the entire output as a single unit, and
> alert only if the whole unit is changed, i.e., if a new login is added
> to the log.
>
> Both examples provided for the check_diff feature seem to imply it's
> capable of handling multi-line output, so why isn't it working here?
>
> Thanks!
> -Alisha Kloc
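The ossec.conf fragment from the thread beside the form the reply suggests, as an added example that is not part of the original thread or of the OSSEC project. Rule 530 is OSSEC's stock parent rule for command output and rule 140200 is the one Alisha posted; the `<frequency>` value is an assumption for illustration, and the `last -R` output lines in the comments are constructed.

```xml
<!-- Added example, not from the original thread or the OSSEC project. -->

<!-- BEFORE (as posted): with log_format "command" the logcollector hands
     every line of the command output to the analysis engine as its own
     event, e.g.
       ossec: output: 'last -R': alisha  pts/0  Thu Jul 28 17:00  still logged in
       ossec: output: 'last -R': bob     pts/1  Thu Jul 28 16:10 - 16:45  (00:35)
     so check_diff compares each line with the *previous line* and fires
     once per line of output on every run. -->
<localfile>
  <log_format>command</log_format>
  <command>last -R</command>
</localfile>

<!-- AFTER (as the reply suggests): log_format "full_command" delivers the
     whole output of one run as a single event, so check_diff compares the
     complete output of this run with the complete output stored from the
     previous run and alerts only when something in it changed. -->
<localfile>
  <log_format>full_command</log_format>
  <command>last -R</command>
  <!-- assumption: run the command at most every 300 seconds -->
  <frequency>300</frequency>
</localfile>

<!-- The rule from the thread needs no change: full_command output is still
     prefixed with "ossec: output: 'last -R" and so still reaches rule 530. -->
<rule id="140200" level="3">
  <if_sid>530</if_sid>
  <match>ossec: output: 'last -R</match>
  <check_diff />
  <description>Successful login.</description>
</rule>
```

One caveat to keep in mind when reading the alerts: check_diff fires on any change to the stored output, not specifically on a new login. The output of `last -R` also changes when a session ends (a "still logged in" entry gains an end time and duration) and when wtmp is rotated (the trailing "wtmp begins ..." line changes), so expect an alert on logout and after rotation as well, and treat the alert as "login history changed" rather than "someone logged in".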
