On Fri, Dec 7, 2012 at 12:47 PM, Brenden Walker <[email protected]> wrote:
> On Fri, 7 Dec 2012 12:31:24 -0500 "dan (ddp)" <[email protected]> wrote:
>> On Fri, Dec 7, 2012 at 12:22 PM, Brenden Walker
>> <[email protected]> wrote:
>> > I'm trying to monitor a few websites for changes. I followed some
>> > examples online, other than needing to change http:\\ to http/\\ in
>> > the match (that's how it appears in archives.log):
>> >
>> >
>> > Added to ossec.conf
>> >
>> >   <localfile>
>> >     <log_format>full_command</log_format>
>> >     <command>wget -o /dev/null -O - http://www.poxodd.com | sha1sum</command>
>> >     <frequency>7200</frequency>
>> >   </localfile>
>> >   <localfile>
>> >     <log_format>full_command</log_format>
>> >     <command>wget -o /dev/null -O - http://www.unruleable.org/blog/ | sha1sum</command>
>> >     <frequency>7200</frequency>
>> >   </localfile>
>> >
>>
>> Use <alias>es to better differentiate between these commands.
>
> Figures I was missing something simple.  Any idea how ossec differentiates 
> these?  When I changed my config to a call to checksites.sh I got this:
>
> Received From: goonsquad->/opt/ossec/checksites.sh
> Rule: 150013 fired (level 10) -> "Website change detected"
> Portion of the log(s):
>
> ossec: output: '/opt/ossec/checksites.sh':
> www.poxodd.com
> 9506ac8e36f9727c2567d7ee90d117cb557b24d9  -
> www.unruleable.org/blog/
> 81ddc99e3c2ee60518a3b219f561117185284bf0  -
> www.diablops.com
> 83626f4b502af0e55329cc6634078b6bf7ca2443  -
> gta.diablps.com
> 68e498cf5f10bef32d8fc0a0b4e9ffbc79832861  -
> Previous output:
> ossec: output: 'wget -o /dev/null -O - http\//gta.diablops.com | sha1sum':
> 58aaa26e0e263ced83260b07abba280b84d3df39  -
>
>
> Which leads me to believe that an alias is required for command output 
> entries, otherwise they'd all get muddled up??

I'm fighting a horrible headache at the moment, so I'm probably
missing something simple here.

Originally you had 3 commands, all of them the same except for a small
bit. Since the differences were deep enough into the command the
output was getting mixed up. So did adding an alias to each of those
commands help?

When the commands aren't basically the same they don't get mixed up. I
personally think aliases make things easier, so I always use them.
