Aaaaaah, there we go! Thanks a million for quick replies Dan.
For whoever stumbles on my case facing the same problem, here is the
fixed configuration:
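<!-- Process check for arpwatch. With full_command the whole output of the pipeline is
     submitted as one event, prefixed with the alias ARPWATCH-check, so a rule can match
     on that alias and compare successive outputs. -->
<!-- The pattern is written "[a]rpwatch" so that neither grep nor the shell running this
     pipeline matches its own command line. A plain "grep arpwatch" can list itself on
     some runs and not on others, which changes the output even though arpwatch did not. -->
<!-- NOTE(review): grep matches the string anywhere in any command line, so an unrelated
     process that mentions arpwatch in its arguments also shows up in this output. -->
<localfile>
  <log_format>full_command</log_format>
  <command>ps -eo cmd |grep "[a]rpwatch"</command>
  <alias>ARPWATCH-check</alias>
</localfile>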
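<!-- Process check for dumpcap. With full_command the whole output of the pipeline is
     submitted as one event, prefixed with the alias DUMPCAP-check. -->
<!-- The sed expression deletes every path segment of the form /digits-digits-digits/
     from the listed command lines, presumably a dated capture directory (confirm against
     the dumpcap arguments in use), so that such a segment changing does not by itself
     alter the output. -->
<!-- The command is kept on a single line: a line break between "sed -e" and its script
     would leave sed without an expression. The grep pattern is written "[d]umpcap" so
     that neither grep nor the shell running this pipeline matches its own command line. -->
<localfile>
  <log_format>full_command</log_format>
  <command>ps -eo cmd |grep "[d]umpcap" |sed -e "s/\/[0-9]*-[0-9]*-[0-9]*\///g"</command>
  <alias>DUMPCAP-check</alias>
</localfile>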
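<!-- Process check for the network probe, identified by com.objectplanet.probe in its
     command line. With full_command the whole output of the pipeline is submitted as
     one event, prefixed with the alias NETWORKPROBE-check. -->
<!-- The pattern starts with "[c]om" so that neither grep nor the shell running this
     pipeline matches its own command line. The dots are still regular-expression
     wildcards, as in the plain pattern. -->
<localfile>
  <log_format>full_command</log_format>
  <command>ps -eo cmd |grep "[c]om.objectplanet.probe"</command>
  <alias>NETWORKPROBE-check</alias>
</localfile>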
----------------------------------
<!-- Rule 100080: level 7 alert on the ARPWATCH-check command output reported by host
     thePC. It is a child of rule 530 and matches the header that the aliased
     full_command prints in front of its output. -->
<!-- NOTE(review): check_diff fires whenever the output differs from the previous run,
     so the alert is also raised when arpwatch comes back or its command line changes,
     not only when it stops. The first run only records a baseline. Treat the
     description as the most likely cause and confirm on the host. -->
<rule id="100080" level="7">
  <if_sid>530</if_sid>
  <hostname>thePC</hostname>
  <match>ossec: output: 'ARPWATCH-check':</match>
  <check_diff />
  <description>ARPWATCH is not running</description>
</rule>
<!-- Rule 100081: level 7 alert on the DUMPCAP-check command output reported by host
     thePC. It is a child of rule 530 and matches the header that the aliased
     full_command prints in front of its output. -->
<!-- NOTE(review): check_diff fires whenever the output differs from the previous run,
     so the alert is also raised when dumpcap is restarted or runs with different
     arguments, not only when it stops. The first run only records a baseline. -->
<rule id="100081" level="7">
  <if_sid>530</if_sid>
  <hostname>thePC</hostname>
  <match>ossec: output: 'DUMPCAP-check':</match>
  <check_diff />
  <description>TrafficDump is not running</description>
</rule>
<!-- Rule 100082: level 7 alert on the NETWORKPROBE-check command output reported by
     host thePC. It is a child of rule 530 and matches the header that the aliased
     full_command prints in front of its output. -->
<!-- NOTE(review): check_diff fires whenever the output differs from the previous run,
     so the alert is also raised when the probe is restarted or runs with different
     arguments, not only when it stops. The first run only records a baseline. -->
<rule id="100082" level="7">
  <if_sid>530</if_sid>
  <hostname>thePC</hostname>
  <match>ossec: output: 'NETWORKPROBE-check':</match>
  <check_diff />
  <description>NETWORK PROBE is not running</description>
</rule>