Remember that in <match>, the pipe symbol | has special meaning: "or"
On Nov 23, 2012 1:51 PM, "JPZ" <[email protected]> wrote:
>
> Aaaaaah, there we go! Thanks a million for the quick replies, Dan.
>
> For whoever stumbles on my case facing the same problem, here is the fixed configuration:
>
> <localfile>
>   <log_format>full_command</log_format>
>   <command>ps -eo cmd |grep arpwatch</command>
>   <alias>ARPWATCH-check</alias>
> </localfile>
>
> <localfile>
>   <log_format>full_command</log_format>
>   <command>ps -eo cmd |grep dumpcap |sed -e "s/\/[0-9]*-[0-9]*-[0-9]*\///g"</command>
>   <alias>DUMPCAP-check</alias>
> </localfile>
>
> <localfile>
>   <log_format>full_command</log_format>
>   <command>ps -eo cmd |grep com.objectplanet.probe</command>
>   <alias>NETWORKPROBE-check</alias>
> </localfile>
>
> ----------------------------------
>
> <rule id="100080" level="7">
>   <if_sid>530</if_sid>
>   <hostname>thePC</hostname>
>   <match>ossec: output: 'ARPWATCH-check':</match>
>   <check_diff />
>   <description>ARPWATCH is not running</description>
> </rule>
>
> <rule id="100081" level="7">
>   <if_sid>530</if_sid>
>   <hostname>thePC</hostname>
>   <match>ossec: output: 'DUMPCAP-check':</match>
>   <check_diff />
>   <description>TrafficDump is not running</description>
> </rule>
>
> <rule id="100082" level="7">
>   <if_sid>530</if_sid>
>   <hostname>thePC</hostname>
>   <match>ossec: output: 'NETWORKPROBE-check':</match>
>   <check_diff />
>   <description>NETWORK PROBE is not running</description>
> </rule>
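To make the "| means or" point concrete, here is an added Python model of how a `<match>` pattern is evaluated; it is not OSSEC's own code (the real matcher is OS_Match2 in the C sources and supports more than this) and implements only `|` as OR, `^` as a start anchor and `$` as an end anchor, with everything else a substring test. The log lines are constructed in the shape the agent emits for `full_command` output (`ossec: output: '<alias>': <output>`), and it assumes, per the `<alias>` documentation, that without an alias the command string itself is used, which is exactly what would put a `|` into a `<match>` written against the raw command.

```python
"""Toy model of OSSEC <match> evaluation (added example, not OSSEC's code).

Implements only the operators relevant to this thread:
  '|'  separates alternatives, any one of which satisfies the match (OR)
  '^'  anchors an alternative to the start of the log line
  '$'  anchors an alternative to the end of the log line
Everything else is a plain substring test. OSSEC's real OS_Match2 does more.
"""

from typing import Dict, List


def split_alternatives(pattern: str) -> List[str]:
    """Split a <match> pattern on '|' the way OSSEC reads it: as alternatives."""
    return pattern.split("|")


def ossec_match(pattern: str, line: str) -> bool:
    """True if any '|'-separated alternative of `pattern` is found in `line`."""
    for alt in split_alternatives(pattern):
        at_start = alt.startswith("^")
        at_end = alt.endswith("$")
        needle = alt[1:] if at_start else alt
        needle = needle[:-1] if at_end else needle
        if at_start and at_end:
            hit = line == needle
        elif at_start:
            hit = line.startswith(needle)
        elif at_end:
            hit = line.endswith(needle)
        else:
            hit = needle in line
        if hit:
            return True
    return False


def matching_rules(rules: Dict[str, str], line: str) -> List[str]:
    """Ids of every rule (id -> <match> text) whose pattern fires on `line`."""
    return [rid for rid, pat in rules.items() if ossec_match(pat, line)]


# Constructed log lines (assumption: agent format "ossec: output: '<alias>': <output>",
# and without an <alias> the alias is the command string itself).
NOALIAS_ARPWATCH = "ossec: output: 'ps -eo cmd |grep arpwatch': /usr/sbin/arpwatch -i eth0"
NOALIAS_DUMPCAP = "ossec: output: 'ps -eo cmd |grep dumpcap': dumpcap -i eth0 -w /cap/dump"
ALIAS_ARPWATCH = "ossec: output: 'ARPWATCH-check': /usr/sbin/arpwatch -i eth0"
ALIAS_DUMPCAP = "ossec: output: 'DUMPCAP-check': dumpcap -i eth0 -w /cap/dump"

# A <match> written against the raw command text, vs. the alias-based rules from the fix.
BROKEN_PATTERN = "ossec: output: 'ps -eo cmd |grep arpwatch':"
FIXED_RULES = {
    "100080": "ossec: output: 'ARPWATCH-check':",
    "100081": "ossec: output: 'DUMPCAP-check':",
    "100082": "ossec: output: 'NETWORKPROBE-check':",
}


if __name__ == "__main__":
    # The '|' splits the pattern; the first alternative is a prefix shared by
    # every "ps -eo cmd |grep ..." check, so the arpwatch rule also fires on
    # the dumpcap check's output.
    print("broken pattern is read as:", split_alternatives(BROKEN_PATTERN))
    print("broken pattern vs dumpcap output:", ossec_match(BROKEN_PATTERN, NOALIAS_DUMPCAP))
    # With aliases each rule matches only its own check.
    print("fixed rules on dumpcap output:", matching_rules(FIXED_RULES, ALIAS_DUMPCAP))
    print("fixed rules on arpwatch output:", matching_rules(FIXED_RULES, ALIAS_ARPWATCH))
```

The takeaway for rule writing: anything containing `|` inside `<match>` is silently split into alternatives, and a short first alternative can make a rule fire on unrelated output, so giving each command a distinct `<alias>` and matching on that is the robust form.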
