I didn't try it with the "&& date > /tmp/time.stamp" part, but this
works (more info below):
Command:
<localfile>
  <log_format>command</log_format>
  <command>/bin/cat /tmp/test.log</command>
  <frequency>60</frequency>
</localfile>
Decoder:
<decoder name="ossec-test-command">
  <parent>ossec</parent>
  <prematch offset="after_parent">Test</prematch>
  <!-- in OSSEC regex "\." is "any character", so "\.*" is the catch-all -->
  <regex offset="after_parent">This (\.*)Test</regex>
  <order>action</order>
</decoder>
Rule:
<!-- ossec: output: '/bin/cat /tmp/test.log': This is another Test. -->
<rule id="90082" level="0">
  <decoded_as>ossec</decoded_as>
  <match>Test</match>
  <description>Ignore this for now.</description>
</rule>
<rule id="90083" level="7">
  <if_sid>90082</if_sid>
  <action>is a </action>
  <description>OH-NO IT'S A is a!</description>
</rule>
I turned on the logall option
(http://www.ossec.net/doc/syntax/head_ossec_config.global.html#element-logall)
and this is what ended up in the archives.log:
2011 Nov 28 16:08:37 richese->/bin/cat /tmp/test.log ossec: output:
'/bin/cat /tmp/test.log': This is a test.
2011 Nov 28 16:08:37 richese->/bin/cat /tmp/test.log ossec: output:
'/bin/cat /tmp/test.log': This is a Test.
2011 Nov 28 16:08:37 richese->/bin/cat /tmp/test.log ossec: output:
'/bin/cat /tmp/test.log': This is another Test.
2011 Nov 28 16:08:37 richese->/bin/cat /tmp/test.log ossec: output:
'/bin/cat /tmp/test.log': This is a test with a lowercase 't'.
The beginning is an OSSEC specific header, so removing that we get:
ossec: output: '/bin/cat /tmp/test.log': This is a test.
ossec: output: '/bin/cat /tmp/test.log': This is a Test.
ossec: output: '/bin/cat /tmp/test.log': This is another Test.
ossec: output: '/bin/cat /tmp/test.log': This is a test with a lowercase 't'.
Feeding this through ossec-logtest gave me enough clues to piece the
configurations above together. You could make it even easier by adding
an alias to the localfile configuration (which isn't documented?). For
an alias of <alias>TESTEST</alias> I think the log would look like:
ossec: output: 'TESTEST': This is a test.
On Mon, Nov 28, 2011 at 3:54 PM, Joe Testa <[email protected]> wrote:
> On 11/28/2011 03:45 PM, dan (ddp) wrote:
>>
>>> <localfile>
>>> <location>/tmp/test.log</location>
>>> <log_format>command</log_format>
>>> <command>/bin/cat /tmp/test.log&& date> /tmp/time.stamp</command>
>>> </localfile>
>>>
>> Have you tried it without the "&& date> /tmp/time.stamp"?
>>
>
> Yes, I did try that first. It didn't work.
>
> - Joe
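To see what the decoder and the two rules from dan's reply do with the four archives.log lines, here is a small Python model of the ossec-logtest run described above. It is an added illustration, not OSSEC's own matching code and not part of the thread: the log lines are constructed copies of the ones quoted (header already stripped), the stock parent decoder is modelled as the plain prefix "ossec: ", the OSSEC pattern `This (\.*)Test` is rewritten as the Python pattern `This (.*)Test`, prematch and match are treated as case-sensitive substring tests, and `<action>` is assumed to be compared as an exact string, trailing space included.

```python
import re

# Constructed copies of the four archives.log entries quoted in the thread,
# with the "2011 Nov 28 16:08:37 richese->/bin/cat /tmp/test.log " header removed.
ARCHIVE_LINES = [
    "ossec: output: '/bin/cat /tmp/test.log': This is a test.",
    "ossec: output: '/bin/cat /tmp/test.log': This is a Test.",
    "ossec: output: '/bin/cat /tmp/test.log': This is another Test.",
    "ossec: output: '/bin/cat /tmp/test.log': This is a test with a lowercase 't'.",
]

# Model of the stock parent decoder "ossec": everything after this prefix is
# what a child decoder sees with offset="after_parent".
PARENT_PREMATCH = "ossec: "

# Child decoder from the reply. In OSSEC regex "\." means any character, so
# <regex>This (\.*)Test</regex> becomes the Python pattern "This (.*)Test".
CHILD_NAME = "ossec-test-command"
CHILD_PREMATCH = "Test"                 # <prematch offset="after_parent">Test</prematch>
CHILD_REGEX = re.compile(r"This (.*)Test")
CHILD_ORDER = ("action",)               # <order>action</order>


def decode(line):
    """Model of the decoder phase for one header-stripped log line.

    Returns None when the parent "ossec" decoder does not apply, otherwise a
    dict holding the decoder name and the field(s) the child extracted.
    """
    if not line.startswith(PARENT_PREMATCH):
        return None
    event = {"decoder": "ossec", "action": None}
    rest = line[len(PARENT_PREMATCH):]
    # prematch and regex are modelled as case-sensitive searches, so
    # "test" and "'t'" do not satisfy a prematch of "Test"
    if CHILD_PREMATCH not in rest:
        return event
    m = CHILD_REGEX.search(rest)
    if not m:
        return event
    event["decoder"] = CHILD_NAME
    for name, value in zip(CHILD_ORDER, m.groups()):
        event[name] = value
    return event


def evaluate(line):
    """Model of rules 90082 and 90083: returns (rule_id, level) of the last
    rule that fired, or None when neither matches."""
    event = decode(line)
    # <rule id="90082" level="0"><decoded_as>ossec</decoded_as><match>Test</match>
    # As the working config above shows, an event handled by the child
    # decoder still satisfies <decoded_as>ossec</decoded_as>.
    if event is None or "Test" not in line:
        return None
    fired = (90082, 0)
    # <rule id="90083" level="7"><if_sid>90082</if_sid><action>is a </action>
    # Assumption: <action> is compared to the decoded field as an exact string,
    # so "is another " does not match and the trailing space matters.
    if event["action"] == "is a ":
        fired = (90083, 7)
    return fired


def alerts(lines):
    """(line, rule_id, level) for every line that ends on a level > 0 rule,
    i.e. what would reach alerts.log rather than only archives.log."""
    out = []
    for line in lines:
        fired = evaluate(line)
        if fired and fired[1] > 0:
            out.append((line, fired[0], fired[1]))
    return out


if __name__ == "__main__":
    for line in ARCHIVE_LINES:
        print(decode(line), "->", evaluate(line))
    print(alerts(ARCHIVE_LINES))
```

Running it shows the point of the thread in one place: only "This is a Test." reaches rule 90083 (level 7); "This is another Test." stops at the silent level-0 rule 90082 because its captured action is "is another "; and the two lowercase lines never get past the child decoder's prematch at all.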