On Fri, 7 Dec 2012 12:31:24 -0500 "dan (ddp)" <[email protected]> wrote:

> On Fri, Dec 7, 2012 at 12:22 PM, Brenden Walker
> <[email protected]> wrote:
> > I'm trying to monitor a few websites for changes, I followed some
> > examples online other than needing to change http:\\ to http/\\ in
> > the match (that's how it appears in archives.log):
> >
> >
> > Added to ossec.conf
> >
> > <localfile>
> > <log_format>full_command</log_format>
> > <command>wget -o /dev/null -O - http://www.poxodd.com |
> > sha1sum</command> <frequency>7200</frequency>
> > </localfile>
> > <localfile>
> > <log_format>full_command</log_format>
> > <command>wget -o /dev/null -O - http://www.unruleable.org/blog/
> > | sha1sum</command> <frequency>7200</frequency>
> > </localfile>
> >
>
> Use <alias>es to better differentiate between these commands.

Figures I was missing something simple. Any idea how ossec differentiates these? When I changed my config to a call to checksites.sh I got this:

Received From: goonsquad->/opt/ossec/checksites.sh
Rule: 150013 fired (level 10) -> "Website change detected"
Portion of the log(s):

ossec: output: '/opt/ossec/checksites.sh':
www.poxodd.com 9506ac8e36f9727c2567d7ee90d117cb557b24d9 -
www.unruleable.org/blog/ 81ddc99e3c2ee60518a3b219f561117185284bf0 -
www.diablops.com 83626f4b502af0e55329cc6634078b6bf7ca2443 -
gta.diablps.com 68e498cf5f10bef32d8fc0a0b4e9ffbc79832861 -
Previous output:
ossec: output: 'wget -o /dev/null -O - http\//gta.diablops.com | sha1sum':
58aaa26e0e263ced83260b07abba280b84d3df39 -

Which leads me to believe that an alias is required for command output entries, otherwise they'd all get muddled up??
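
The alias suggestion from the thread, written out as an added example (not configuration posted by either participant): each command gets its own `<alias>`, and each alias gets its own `check_diff` rule. The alias names and rule ids are constructed placeholders, and the one-rule-per-site layout assumes `check_diff` keeps its previous output per rule, which is consistent with the "Previous output" mix-up in the alert above.

```xml
<!-- ossec.conf on the agent: one <alias> per monitored site.
     Alias names are hypothetical; the commands are the ones from the thread. -->
<localfile>
  <log_format>full_command</log_format>
  <alias>webcheck-poxodd</alias>
  <command>wget -o /dev/null -O - http://www.poxodd.com | sha1sum</command>
  <frequency>7200</frequency>
</localfile>
<localfile>
  <log_format>full_command</log_format>
  <alias>webcheck-unruleable</alias>
  <command>wget -o /dev/null -O - http://www.unruleable.org/blog/ | sha1sum</command>
  <frequency>7200</frequency>
</localfile>

<!-- local_rules.xml on the manager: one check_diff rule per alias.
     With an alias set, the log line starts with
     "ossec: output: '<alias>':" instead of the full command string,
     so the rule matches on the alias and never on the URL.
     Rule ids 150021 and 150022 are constructed placeholders. -->
<group name="local,website_change,">
  <rule id="150021" level="10">
    <if_sid>530</if_sid> <!-- stock parent rule for "ossec: output: " lines -->
    <match>ossec: output: 'webcheck-poxodd'</match>
    <check_diff />
    <description>Website change detected: www.poxodd.com</description>
  </rule>
  <rule id="150022" level="10">
    <if_sid>530</if_sid>
    <match>ossec: output: 'webcheck-unruleable'</match>
    <check_diff />
    <description>Website change detected: www.unruleable.org/blog/</description>
  </rule>
</group>
```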
