Hello Dan, I do not know if that space was the only problem but with it gone and the alias in single quotation marks, it did the trick.

While searching for the proper syntax I have seen it written in various ways like <match>ossec: output: 'find-dots2 </match> (single quotation mark), <match>ossec: output: 'find-dots2': </match> (two single quotation marks before and after with colon), double quotation marks, space after etc etc etc .....

This is what works:

<match>ossec: output: 'find-dots2'</match>

Thank you

On Dec 5, 10:54 pm, "dan (ddp)" <[email protected]> wrote:
> On Thu, Dec 1, 2011 at 6:42 PM, alsdks <[email protected]> wrote:
> > Hi list,
> >
> > I have been trying to set up a command to detect files starting with
> > dot or double dot (. ..) But whatever I do I do not get an alert for
> > it. Here is my configuration:
> >
> > command at agent's ossec.conf:
> >
> > <localfile>
> > <log_format>full_command</log_format>
> > <command>find /test -name '.*'</command>
> > <alias>find-dots2</alias>
> > <frequency>300</frequency>
> > </localfile>
> >
> > rule specification at server local_rules.xml
> >
> > <rule id="100108" level="10">
> > <if_sid>530</if_sid>
> > <match>ossec: output: 'find-dots2' </match>
>
> I haven't been able to get it to work just yet, but did notice that
> you have a space between 'find-dots2' and </match>.
> It works with logtest, just haven't seen an alert in "production."
>
> > <check_diff />
> > <description> Suspicious File created </description>
> > </rule>
> >
> > I see the output coming with logall enabled:
> >
> > # tail -f ../logs/archives/archives.log
> > /test/..test1
> > /test/.test4
> > /test/.test1
> > /test/..test5
> > /test/.test3
> > /test/..test6
> > /test/..test2
> > /test/..test4
> > /test/.test2
> > /test/..test3
> >
> > I added some and run the agent scans again ...Nothing
> >
> > No alert, no anything!
> >
> > What am I doing wrong?
> >
> > Thank you all!
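To make the trailing-space problem from this thread concrete, here is an added example (my own code, not from the thread or from the OSSEC project) that simulates how the <match> variants the poster tried would be tested against the event a full_command <localfile> produces. Two things are assumed rather than taken from the thread: that the logcollector prefixes the command output with a header of the form "ossec: output: 'ALIAS':", and that <match> is a literal substring test in which a leading '^' anchors to the start of the event (the parent rule 530 match string is assumed on the same basis). The sample output lines are constructed to mirror the archives.log lines above.

```python
# Added example, not from the thread or the OSSEC project: simulates how
# an OSSEC <match> string is tested against a full_command event.
# Assumptions (not stated in the thread): the logcollector builds the event
# as "ossec: output: 'ALIAS':" + newline + command output, and <match> is a
# literal substring test where a leading '^' anchors at the event start.

EVENT_HEADER_FMT = "ossec: output: '{alias}':"   # assumed header format

# Constructed sample output, mirroring the archives.log lines in the thread
SAMPLE_OUTPUT = ["/test/..test1", "/test/.test4", "/test/.test1"]

# The parent rule the local rule chains from via <if_sid>530</if_sid>;
# its match string is assumed here
PARENT_MATCH = "^ossec: output: '"

# Every <match> variant mentioned in the thread, copied as written
CANDIDATES = {
    "trailing space, no closing quote": "ossec: output: 'find-dots2 ",
    "trailing space after colon": "ossec: output: 'find-dots2': ",
    "trailing space after closing quote": "ossec: output: 'find-dots2' ",
    "closing quote, no trailing space": "ossec: output: 'find-dots2'",
}


def build_event(alias, output_lines):
    """Build the single event that a full_command run is assumed to emit."""
    return EVENT_HEADER_FMT.format(alias=alias) + "\n" + "\n".join(output_lines)


def ossec_match(pattern, event):
    """Simplified <match> semantics: '^' anchors at the start, else substring."""
    if pattern.startswith("^"):
        return event.startswith(pattern[1:])
    return pattern in event


def evaluate_candidates(alias="find-dots2"):
    """Return {variant name: True/False} saying which <match> would fire."""
    event = build_event(alias, SAMPLE_OUTPUT)
    if not ossec_match(PARENT_MATCH, event):
        # A child rule is never evaluated if its if_sid parent does not match
        return {name: False for name in CANDIDATES}
    return {name: ossec_match(p, event) for name, p in CANDIDATES.items()}


if __name__ == "__main__":
    for name, fired in evaluate_candidates().items():
        print(f"{'MATCH   ' if fired else 'no match'}  {name}")
```

Under these assumptions only the variant without a trailing space fires, because the character after the closing quote in the event is a colon (and the character after the colon is a newline), so any pattern ending in a space never appears as a substring. The practical check remains the one Dan mentions: feed the real archives.log event to ossec-logtest and confirm the rule id that fires before trusting the rule in production.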
