Yes, exactly :)
On Fri, Jul 29, 2011 at 1:10 PM, Alisha Kloc <[email protected]> wrote:
> Ah, I'll try that.
>
> I thought "command" versus "full_command" was just a syntactical
> difference between 2.4 and 2.5; I didn't know it had further meaning.
>
> So just to be clear, using <log_format>command</log_format> makes
> OSSEC read each line of output individually, and using
> <log_format>full_command</log_format> makes OSSEC treat multiple lines
> as one unit?
>
> Thanks!
> -Alisha
>
>
> On Jul 28, 2:21 pm, Daniel Cid <[email protected]> wrote:
>> Hi Alisha,
>>
>> Try to use full_command as the log format. It will treat the whole
>> output as one ...
>>
>> thanks,
>>
>> On Thu, Jul 28, 2011 at 5:22 PM, Alisha Kloc <[email protected]>
>> wrote:
>> > Hi list,
>>
>> > My team is trying to use the check_diff feature to monitor logins via
>> > wtmp, using OSSEC 2.4. We implemented the rule by copying what Daniel
>> > Cid describes
>> > at http://dcid.me/2010/03/alerting-when-a-log-or-output-of-a-command-cha...,
>> > and modifying with the appropriate command and parameters:
>>
>> > <localfile>
>> >   <log_format>command</log_format>
>> >   <command>last -R</command>
>> > </localfile>
>>
>> > <rule id="140200" level="3">
>> >   <if_sid>530</if_sid>
>> >   <match>ossec: output: 'last -R</match>
>> >   <check_diff />
>> >   <description>Successful login.</description>
>> > </rule>
>>
>> > However, we get about 30 alerts every time the process monitor runs,
>> > even if no one has logged in. It seems to read each line of the multi-
>> > line output as an individual response, and alerts on each line because
>> > it's not the same as the line before it.
>>
>> > We want check_diff to process the entire output as a single unit, and
>> > alert only if the whole unit is changed, i.e., if a new login is added
>> > to the log.
>>
>> > Both examples provided for the check_diff feature seem to imply it's
>> > capable of handling multi-line output, so why isn't it working here?
>>
>> > Thanks!
>> > -Alisha Kloc
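The following is an added illustration, not code from the thread or from OSSEC itself: a simplified model of why `check_diff` fires on every line with `log_format` `command` but only on a real change with `full_command`. The `last -R` output is constructed sample data, and the digest-compare logic only approximates the behaviour described above.

```python
"""Model of check_diff under the `command` and `full_command` log formats.
Illustrative only; this is not OSSEC source code."""
import hashlib

# Constructed `last -R` output for two consecutive process-monitor runs.
# RUN2 differs from RUN1 only by one new login at the top.
RUN1 = (
    "alisha   pts/0        Thu Jul 28 09:02   still logged in\n"
    "daniel   pts/1        Thu Jul 28 08:15 - 08:40  (00:25)\n"
    "reboot   system boot  Wed Jul 27 22:00 - 09:10  (11:10)\n"
    "wtmp begins Wed Jul 27 22:00:00 2011"
)
RUN2 = "alisha   pts/2        Thu Jul 28 09:30   still logged in\n" + RUN1


def _digest(text):
    return hashlib.sha256(text.encode()).hexdigest()


def check_diff_per_line(output, stored=None):
    """log_format 'command': each output line is its own event, so check_diff
    compares every line with the previously stored one. Consecutive lines
    that differ alert even though the output is unchanged since last run."""
    alerts = 0
    for line in output.splitlines():
        current = _digest(line)
        if stored is not None and current != stored:
            alerts += 1
        stored = current
    return alerts, stored


def check_diff_full(output, stored=None):
    """log_format 'full_command': the whole output is one event, so the rule
    alerts only when the complete output differs from the stored copy."""
    current = _digest(output)
    alerts = 1 if stored is not None and current != stored else 0
    return alerts, current


def simulate(check, runs):
    """Return the alert count per run, carrying the stored digest forward
    the way check_diff keeps its last-seen output between runs."""
    stored, counts = None, []
    for output in runs:
        n, stored = check(output, stored)
        counts.append(n)
    return counts
```

With `command`, two runs of identical output still yield alerts on every run ([3, 4] here); with `full_command`, identical runs yield [0, 0] and a run where a login was added yields [0, 1].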
