It appends the processed diff output of two files to the log I monitor with OSSEC. So if the diff output is 20 lines, then the script appends 20 lines at once to the monitored log.
What I did to test, and how I saw that the interval between each entry seems to matter, was a simple

    # echo "message_I_am_decoding" >> logfile_I_am_monitoring

When I did it fast, OSSEC was losing some of them. If I waited for a couple of secs between each echo, OSSEC retrieved them all.

Thank you

On Feb 7, 1:28 pm, "dan (ddp)" <[email protected]> wrote:
> On Tue, Feb 7, 2012 at 5:40 AM, alsdks <[email protected]> wrote:
> > Hello list,
> >
> > I have a question about OSSEC log file monitoring. I have configured
> > OSSEC to monitor a file log which I populate with the output of a
> > script. I have also created accompanying decoder and alert rules.
>
> How does the script add entries to the log file? I'll try to test this
> out when I get some free time.
>
> > Every configuration works as expected, but there is a strange
> > problem, that OSSEC misses on some entries like losing events.
> >
> > For example: if we have 10 entries of the same event, Ossec may have
> > missed 2 or 3 out of them.
> >
> > Also this seems to be a frequency problem. For example, if I add each
> > entry with a delay between them, a couple of secs, OSSEC catches all
> > of them. But if I enter them all at once, as the script does, OSSEC
> > misses some of them.
> >
> > Is there a way to check how OSSEC reads the log file and why it misses
> > some of the entries?
> >
> > I have to note that the log file does not have a date for each entry,
> > as I am not interested as to when the event happened, but rather if
> > the event repeated x times.
> >
> > Thank you
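An added shell example (not from the thread) of the echo test described above, made reproducible: a burst writer tags every appended line with a sequence number, and a gap finder lists which numbers never showed up, so you can run it against the monitored file or against OSSEC's alerts.log and see exactly which entries were lost. It assumes the decoder/rule for these lines fires an alert that echoes the original log line into alerts.log, so the same marker can be searched there; the marker text and the sample file below are constructed.

```shell
#!/bin/sh
# Burst writer plus gap finder for diagnosing dropped entries in a log
# that OSSEC monitors. Example code, not OSSEC's own tooling.

# emit_burst LOGFILE COUNT DELAY
# Append COUNT sequence-numbered test lines, sleeping DELAY seconds between
# them. DELAY=0 reproduces the "all at once" case from the thread; a DELAY
# of 2 reproduces the "couple of secs" case that was not losing entries.
emit_burst() {
    logfile=$1; count=$2; delay=$3
    i=1
    while [ "$i" -le "$count" ]; do
        echo "ossec-burst-test seq=$i" >> "$logfile"
        if [ "$delay" != "0" ]; then sleep "$delay"; fi
        i=$((i + 1))
    done
}

# find_gaps FILE COUNT
# Print, one per line, every sequence number 1..COUNT that never appears
# in FILE. Run it on the monitored log to confirm the writer side is
# complete, then on alerts.log to see what OSSEC actually alerted on.
find_gaps() {
    file=$1; count=$2
    seen=$(sed -n 's/.*ossec-burst-test seq=\([0-9]*\).*/\1/p' "$file")
    i=1
    while [ "$i" -le "$count" ]; do
        printf '%s\n' "$seen" | grep -qx "$i" || echo "$i"
        i=$((i + 1))
    done
}

# Constructed sample standing in for alerts.log after a 10-line burst in
# which two entries (seq 4 and 7) were dropped somewhere on the OSSEC side.
SAMPLE_ALERTS=$(mktemp)
for n in 1 2 3 5 6 8 9 10; do
    echo "ossec-burst-test seq=$n" >> "$SAMPLE_ALERTS"
done

find_gaps "$SAMPLE_ALERTS" 10   # prints 4 and 7
```

In a live check, write the burst with emit_burst into the monitored log, wait past the logcollector's read interval, then run find_gaps on both the log and alerts.log and compare the two lists.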
