Ah, I'll try that. I thought "command" versus "full_command" was just a syntactical difference between 2.4 and 2.5; I didn't know it had further meaning.
So just to be clear, using <log_format>command</log_format> makes OSSEC read each line of output individually, and using <log_format>full_command</log_format> makes OSSEC treat multiple lines as one unit? Thanks!
-Alisha

On Jul 28, 2:21 pm, Daniel Cid <[email protected]> wrote:
> Hi Alisha,
>
> Try to use full_command as the log format. It will treat the whole
> output as one ...
>
> thanks,
>
> On Thu, Jul 28, 2011 at 5:22 PM, Alisha Kloc <[email protected]> wrote:
> > Hi list,
> >
> > My team is trying to use the check_diff feature to monitor logins via
> > wtmp, using OSSEC 2.4. We implemented the rule by copying what Daniel
> > Cid describes
> > at http://dcid.me/2010/03/alerting-when-a-log-or-output-of-a-command-cha...,
> > and modifying with the appropriate command and parameters:
> >
> > <localfile>
> > <log_format>command</log_format>
> > <command>last -R</command>
> > </localfile>
> >
> > <rule id="140200" level="3">
> > <if_sid>530</if_sid>
> > <match>ossec: output: 'last -R</match>
> > <check_diff />
> > <description>Successful login.</description>
> > </rule>
> >
> > However, we get about 30 alerts every time the process monitor runs,
> > even if no one has logged in. It seems to read each line of the multi-line
> > output as an individual response, and alerts on each line because
> > it's not the same as the line before it.
> >
> > We want check_diff to process the entire output as a single unit, and
> > alert only if the whole unit is changed, i.e., if a new login is added
> > to the log.
> >
> > Both examples provided for the check_diff feature seem to imply it's
> > capable of handling multi-line output, so why isn't it working here?
> >
> > Thanks!
> > -Alisha Kloc
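A toy model of the behaviour discussed in this thread, added here as an illustration (it is not OSSEC's source and not code from either poster): it treats check_diff as "alert when the payload that matched the rule differs from the one stored last time", and feeds it a constructed `last -R` output either line by line (command) or as one event (full_command). The first-payload-only-primes-the-state behaviour is an assumption of the model.

```python
"""Toy model of check_diff for the two OSSEC log formats (illustration only)."""

# Constructed sample of `last -R` output; not real wtmp records.
LAST_OUTPUT = (
    "alice   pts/0   Thu Jul 28 09:01   still logged in\n"
    "bob     pts/1   Wed Jul 27 17:45 - 18:10  (00:25)\n"
    "alice   tty1    Wed Jul 27 08:30 - 12:00  (03:30)\n"
    "wtmp begins Mon Jul 25 00:00:00 2011"
)
# The same output after one new login appears at the top.
LAST_OUTPUT_NEW_LOGIN = (
    "carol   pts/2   Thu Jul 28 14:02   still logged in\n" + LAST_OUTPUT
)


class CheckDiffState:
    """Holds the last payload that matched the rule (OSSEC keeps this on disk)."""

    def __init__(self):
        self.previous = None

    def feed(self, payload):
        """Store payload; report whether it differs from the stored one.

        Assumption in this model: the first payload only primes the state.
        """
        changed = self.previous is not None and payload != self.previous
        self.previous = payload
        return changed


def alerts_with_command(state, output):
    """<log_format>command</log_format>: every output line is its own event,
    so each line is compared with the line processed just before it."""
    return sum(state.feed(line) for line in output.splitlines())


def alerts_with_full_command(state, output):
    """<log_format>full_command</log_format>: the whole output is one event."""
    return int(state.feed(output))


def simulate(handler, outputs):
    """Run the monitor over successive command outputs; return alerts per run."""
    state = CheckDiffState()
    return [handler(state, output) for output in outputs]
```

Running `simulate(alerts_with_command, [LAST_OUTPUT, LAST_OUTPUT, LAST_OUTPUT_NEW_LOGIN])` gives `[3, 4, 5]`, an alert for nearly every line on every run even when nothing changed, while `simulate(alerts_with_full_command, ...)` over the same runs gives `[0, 0, 1]`, alerting only when the new login appears.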
