Yes, exactly :)

On Fri, Jul 29, 2011 at 1:10 PM, Alisha Kloc <[email protected]> wrote:
> Ah, I'll try that.
>
> I thought "command" versus "full_command" was just a syntactical
> difference between 2.4 and 2.5; I didn't know it had further meaning.
>
> So just to be clear, using <log_format>command</log_format> makes
> OSSEC read each line of output individually, and using
> <log_format>full_command</log_format> makes OSSEC treat multiple lines
> as one unit?
>
> Thanks!
> -Alisha
>
>
> On Jul 28, 2:21 pm, Daniel Cid <[email protected]> wrote:
>> Hi Alisha,
>>
>> Try to use full_command as the log format. It will treat the whole
>> output as one ...
>>
>> thanks,
>>
>> On Thu, Jul 28, 2011 at 5:22 PM, Alisha Kloc <[email protected]> wrote:
>> > Hi list,
>>
>> > My team is trying to use the check_diff feature to monitor logins via
>> > wtmp, using OSSEC 2.4. We implemented the rule by copying what Daniel
>> > Cid describes at
>> > http://dcid.me/2010/03/alerting-when-a-log-or-output-of-a-command-cha...,
>> > and modifying with the appropriate command and parameters:
>>
>> >  <localfile>
>> >    <log_format>command</log_format>
>> >    <command>last -R</command>
>> >  </localfile>
>>
>> >  <rule id="140200" level="3">
>> >    <if_sid>530</if_sid>
>> >    <match>ossec: output: 'last -R</match>
>> >    <check_diff />
>> >    <description>Successful login.</description>
>> >  </rule>
>>
>> > However, we get about 30 alerts every time the process monitor runs,
>> > even if no one has logged in. It seems to read each line of the multi-
>> > line output as an individual response, and alerts on each line because
>> > it's not the same as the line before it.
>>
>> > We want check_diff to process the entire output as a single unit, and
>> > alert only if the whole unit is changed, i.e., if a new login is added
>> > to the log.
>>
>> > Both examples provided for the check_diff feature seem to imply it's
>> > capable of handling multi-line output, so why isn't it working here?
>>
>> > Thanks!
>> > -Alisha Kloc
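To make the `command` versus `full_command` difference concrete, here is an added example (not OSSEC code, not from anyone in the thread): a small Python model of check_diff that keeps the last event a rule saw and alerts when the next one differs, run over constructed `last -R` output. The state-keeping model and the sample login lines are assumptions made for illustration.

```python
"""Simplified model of OSSEC check_diff under the two command log formats.

Assumption: check_diff behaves as "remember the last event content this
rule matched; alert when the new event content differs". Under `command`
each output line is its own event, under `full_command` the whole output
is one event. Real OSSEC persists the state on disk; the logic is modelled.
"""
from typing import List, Optional

# Constructed sample `last -R` output (fictional logins, not real data).
RUN1 = """alice    pts/0        Thu Jul 28 09:12   still logged in
bob      pts/1        Thu Jul 28 08:30 - 08:45  (00:15)
alice    pts/0        Wed Jul 27 17:02 - 18:10  (01:08)
reboot   system boot  Wed Jul 27 16:58
"""

# Same output with one new login prepended: the change we actually want.
RUN2 = "carol    pts/2        Thu Jul 28 10:01   still logged in\n" + RUN1


class CheckDiffRule:
    """Holds the last event content the rule saw (the check_diff state)."""

    def __init__(self) -> None:
        self.last: Optional[str] = None

    def feed(self, event: str) -> bool:
        """Return True (alert) if this event differs from the previous one."""
        changed = self.last is not None and event != self.last
        self.last = event
        return changed


def events_for(log_format: str, output: str) -> List[str]:
    """Split command output into events the way each log_format does."""
    if log_format == "command":
        return output.splitlines()  # one event per line of output
    if log_format == "full_command":
        return [output]  # the whole output is a single event
    raise ValueError(f"unknown log_format: {log_format}")


def alerts_per_run(log_format: str, runs: List[str]) -> List[int]:
    """Count check_diff alerts raised on each successive command run."""
    rule = CheckDiffRule()
    counts = []
    for output in runs:
        counts.append(sum(rule.feed(e) for e in events_for(log_format, output)))
    return counts
```

With `command`, an unchanged `last -R` output still raises one alert per line on every run, because each line is compared with the line before it; with `full_command`, nothing fires until a new login line actually appears.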
