On 08/01/2011 05:55 PM, Alisha Kloc wrote:

Unfortunately, we can't make any changes to the HP-UX system, which
means no cron jobs, no clearing logs, etc. All we're allowed to touch
is OSSEC agent stuff. Within that, I have some flexibility if I use
the process monitor to call a simple shell script, which allows
consecutive commands like you suggested, but anything beyond that
isn't allowed.

How about something like 'command-to-read btmp' && 'cat /dev/null > /path/to/btmp_file' in the ossec command. I don't know if the system wouldn't like that and there is the unfortunate consequence of not having the logs locally, but it seems like it would give you only new entries, which you could then do the check_diff on. Run this every minute or so and it would be semi-real time.

-Mike
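The read-then-empty pattern Mike suggests, as an added example that is not part of the original thread, written as a POSIX shell script of the kind the OSSEC process monitor or a `full_command` localfile could call once a minute. The sample file is constructed text standing in for btmp; on the real HP-UX box the read step would be whatever decodes the binary btmp file, which this script does not assume. Alongside the truncating variant it also shows an offset-based variant that reports only new bytes without modifying the log, since losing the local history is the drawback Mike points out. The script name, state-file location and sample entries are assumptions.

```shell
#!/bin/sh
# Added example, not from the OSSEC list thread.
# Two ways to hand "only the new entries" to an OSSEC command check so that
# <check_diff /> in the rule fires on each new batch.
set -u

# Variant 1: print everything currently in the file, then empty it.
# Equivalent to  'read-cmd btmp' && cat /dev/null > btmp.
# Caveats: an entry appended between the read and the truncate is lost, the
# history no longer exists locally, and writers are assumed to open, append
# and close the file per event rather than hold a fixed offset open.
drain_log() {
    log=$1
    [ -f "$log" ] || return 1
    cat "$log"
    : > "$log"
}

# Variant 2: remember how many bytes have already been reported and emit only
# what lies past that mark. The log itself is never written. The state file
# must live where the agent may write (assumed: under /var/ossec/).
# The chunk is copied out first and the new offset computed from the copy, so
# a write that lands during the run is simply picked up by the next run.
incremental_log() {
    log=$1
    state=$2
    [ -f "$log" ] || return 1
    last=0
    [ -f "$state" ] && last=$(cat "$state")
    cur=$(wc -c < "$log" | tr -d ' ')
    if [ "$cur" -lt "$last" ]; then
        last=0            # file shrank (rotated or truncated): start over
    fi
    tmp=$(mktemp) || return 1
    tail -c +$((last + 1)) "$log" > "$tmp"
    cat "$tmp"
    size=$(( last + $(wc -c < "$tmp") ))
    rm -f "$tmp"
    printf '%s\n' "$size" > "$state"
}

# Demo on constructed sample lines; real use would point at the btmp path.
demo() {
    dir=$(mktemp -d) || return 1
    sample=$dir/btmp.txt
    printf 'constructed: failed login root from 10.0.0.5\n' > "$sample"
    echo "--- drain_log, first run";  drain_log "$sample"
    echo "--- drain_log, second run (file now empty)"; drain_log "$sample"
    printf 'constructed: failed login admin from 10.0.0.6\n' >> "$sample"
    echo "--- incremental_log, first run"; incremental_log "$sample" "$dir/offset"
    printf 'constructed: failed login guest from 10.0.0.7\n' >> "$sample"
    echo "--- incremental_log, second run (only the new line)"
    incremental_log "$sample" "$dir/offset"
    rm -rf "$dir"
}
demo
```

On the OSSEC side this would be wired in with a `<localfile>` of `<log_format>full_command</log_format>` pointing `<command>` at the script with `<frequency>60</frequency>`, and a local rule that matches the command's output and carries `<check_diff />`; with either variant an empty result on a quiet minute produces no diff and therefore no alert.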
