Here's what the line looks like in archives.log (using the logall option):

2011 Dec 05 17:27:37 ix->find-dots2 ossec: output: 'find-dots2': |-----------------------------------------------------|

This is a header of sorts, so the line really starts at "ossec:". All aliased commands should start out the same way.
On Mon, Dec 5, 2011 at 7:45 PM, alsdks <[email protected]> wrote:
> Hello Dan,
>
> I do not know if that space was the only problem but with it gone and
> the alias in single quotation marks, it did the trick.
>
> While searching for the proper syntax I have seen it written with
> various ways like
>
> <match>ossec: output: 'find-dots2 </match> (single quotation mark)
> <match>ossec: output: 'find-dots2': </match> (two single quotation
> marks before and after with colon)
> double quotation marks, space after etc etc etc .....
>
> This is what works
> <match>ossec: output: 'find-dots2'</match>
>
> Thank you
>
> On Dec 5, 10:54 pm, "dan (ddp)" <[email protected]> wrote:
>> On Thu, Dec 1, 2011 at 6:42 PM, alsdks <[email protected]> wrote:
>> > Hi list,
>>
>> > I have been trying to set up a command to detect files starting with
>> > dot or double dot (. ..) But whatever I do I do not get an alert for
>> > it. Here is my configuration:
>>
>> > command at agent's ossec.conf:
>>
>> > <localfile>
>> >   <log_format>full_command</log_format>
>> >   <command>find /test -name '.*'</command>
>> >   <alias>find-dots2</alias>
>> >   <frequency>300</frequency>
>> > </localfile>
>>
>> > rule specification at server local_rules.xml
>>
>> > <rule id="100108" level="10">
>> >   <if_sid>530</if_sid>
>> >   <match>ossec: output: 'find-dots2' </match>
>>
>> I haven't been able to get it to work just yet, but did notice that
>> you have a space between 'find-dots2' and </match>.
>> It works with logtest, just haven't seen an alert in "production."
>>
>> >   <check_diff />
>> >   <description>Suspicious File created</description>
>> > </rule>
>>
>> > I see the output coming with logall enabled:
>>
>> > # tail -f ../logs/archives/archives.log
>> > /test/..test1
>> > /test/.test4
>> > /test/.test1
>> > /test/..test5
>> > /test/.test3
>> > /test/..test6
>> > /test/..test2
>> > /test/..test4
>> > /test/.test2
>> > /test/..test3
>>
>> > I added some and ran the agent scans again ... Nothing
>>
>> > No alert, no anything!
>>
>> > What am I doing wrong?
>>
>> > Thank you all!
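The following is an added example, not code from the thread or from OSSEC itself. It simulates the thread's situation: the agent logs an aliased full_command run as "ossec: output: '<alias>': <output>", and each `<match>` variant mentioned above is tested against that message. It assumes `<match>` behaves as a plain substring test (OSSEC's match syntax also has a few special characters such as a leading `^`, which this ignores) and that the archives.log header before "ossec:" is not part of what the rule sees; the sample archives.log line is constructed.

```python
# Added example (not from the thread or OSSEC): which <match> strings
# fire against an aliased full_command log line, and why.
OSSEC_PREFIX = "ossec: output: "


def command_output_line(alias: str, output: str) -> str:
    """Message part of an aliased full_command log line, in the shape
    Dan quoted: ossec: output: '<alias>': <output>. (assumed format)"""
    return f"{OSSEC_PREFIX}'{alias}': {output}"


def strip_archive_header(archive_line: str) -> str:
    """archives.log prepends 'YYYY Mon DD HH:MM:SS host->location '.
    The rule engine works on the part from 'ossec:' onward (assumption
    based on Dan's note that the line 'really starts at ossec:')."""
    idx = archive_line.find("ossec:")
    return archive_line[idx:] if idx >= 0 else archive_line


def match_fires(match_value: str, message: str) -> bool:
    """Simplified <match>: a plain substring test, no anchors or '|'."""
    return match_value in message


# Constructed sample shaped like the archives.log line in Dan's reply.
SAMPLE_ARCHIVE_LINE = (
    "2011 Dec 05 17:27:37 ix->find-dots2 "
    + command_output_line("find-dots2", "|-----| /test/..test1 /test/.test4")
)

# The <match> variants the thread mentions, verbatim (trailing spaces matter).
CANDIDATES = {
    "original rule (trailing space)": "ossec: output: 'find-dots2' ",
    "no closing quote, trailing space": "ossec: output: 'find-dots2 ",
    "quote, colon, trailing space": "ossec: output: 'find-dots2': ",
    "working form": "ossec: output: 'find-dots2'",
}


def evaluate(archive_line: str = SAMPLE_ARCHIVE_LINE) -> dict:
    """Map each candidate <match> value to whether it would fire."""
    message = strip_archive_header(archive_line)
    return {name: match_fires(value, message) for name, value in CANDIDATES.items()}


if __name__ == "__main__":
    for name, fires in evaluate().items():
        print(f"{'FIRES ' if fires else 'silent'}  {name}")
```

The original rule is silent because the character after the closing quote in the real message is a colon, not a space; the trailing-space variant with the colon fires because the message does have a space after that colon.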
