The OSSEC version is 2.7.1 beta1

*The scenario is like below:*
1. I wrote a customized decoder XML and rule for monitoring one App's log
file.
2. The decoder and rule work well. The alert is triggered and mail sent when
a new log entry matching the rule is added to the log file.
3. But the problem happens when another new log entry is appended to the log
file.

*Issue:*
[the first matched log entry and the newly appended matched log entry are
combined together for sending mail]

*Expected result:*
[Only the newly added log entry which matched the rule should be included in
the alert scope.]

*The log file is like below (ignore the list number):*

   1. 2013-08-01 14:32:10 [AppError]@IP:10.1.1.1
   2. 2013-08-01 14:38:40 [AppInfo]@IP:10.1.1.1
   3. 2013-08-01 14:42:05 [AppTest]@IP:10.1.1.1
   4. 2013-08-01 14:52:18 [AppError]@IP:10.1.1.1


*The decoder rule only reports [AppError] log entries.*
When the #1 log entry is added to the log file (matches the rule), the alert is
triggered and the email is sent. (Works well)
When the #2 log entry is added to the log file (doesn't match), the alert is
still triggered and the mail content is the #1 log entry. (the first old
matched log entry is still reported)
When the #3 log entry is added to the log file (doesn't match), the alert is
still triggered and the mail content is the #1 log entry. (the first old
matched log entry is still reported)
When the #4 log entry is added to the log file (matches the rule), the alert is
triggered and the mail content is the #1 + #2 log entries together. (the two
matched log entries combined)


*My concern is: why does the system always report all matched log entries
instead of just reporting the newly added one according to the time stamp?*
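The behaviour described under "Expected result", as an added Python example that is not part of the original post or of OSSEC itself: a decoder-style regex for the log format shown above, an [AppError]-only rule check, and an offset-tracking reader that hands only newly appended lines to the rule. Replaying the four entries from the post one at a time alerts on #1 alone, then on nothing, then on nothing, then on #4 alone. The regex, the class name LogTail and the temporary-file replay are my assumptions for illustration, not OSSEC's decoder or logcollector code.

```python
import os
import re
import tempfile

# Assumed decoder pattern for the log format in the post:
# "2013-08-01 14:32:10 [AppError]@IP:10.1.1.1"
LINE_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<level>[A-Za-z]+)\]@IP:(?P<srcip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def decode(line):
    """Decoder step: split one raw line into fields, or None if it does not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def matches_rule(fields):
    """Rule step: only [AppError] entries are allowed to alert."""
    return fields is not None and fields["level"] == "AppError"


class LogTail:
    """Reads only the bytes appended since the last poll (a minimal tail -f)."""

    def __init__(self, path):
        self.path = path
        self.offset = 0  # byte position already consumed

    def poll(self):
        size = os.path.getsize(self.path)
        if size < self.offset:
            # File shrank, i.e. it was truncated or rewritten rather than
            # appended: restart from the top, so earlier lines are re-read.
            self.offset = 0
        with open(self.path, "rb") as fh:
            fh.seek(self.offset)
            chunk = fh.read()
            self.offset = fh.tell()
        return [l for l in chunk.decode("utf-8", "replace").splitlines() if l.strip()]


def poll_alerts(tail):
    """One collection cycle: the new entries that belong in this cycle's alert."""
    return [line for line in tail.poll() if matches_rule(decode(line))]


# The four entries from the post, without the list numbers (constructed input).
SAMPLE_ENTRIES = [
    "2013-08-01 14:32:10 [AppError]@IP:10.1.1.1",
    "2013-08-01 14:38:40 [AppInfo]@IP:10.1.1.1",
    "2013-08-01 14:42:05 [AppTest]@IP:10.1.1.1",
    "2013-08-01 14:52:18 [AppError]@IP:10.1.1.1",
]


def simulate(entries):
    """Append each entry in turn to a temp file and record what each poll alerts on."""
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    tail = LogTail(path)
    results = []
    try:
        for entry in entries:
            with open(path, "a", encoding="utf-8") as fh:
                fh.write(entry + "\n")
            results.append(poll_alerts(tail))
    finally:
        os.remove(path)
    return results


if __name__ == "__main__":
    for n, alerted in enumerate(simulate(SAMPLE_ENTRIES), start=1):
        print(f"after entry #{n}: alert on {alerted or 'nothing'}")
```

Because the reader remembers its byte offset, a line is handed to the rule exactly once; the only way an old entry comes back is the truncation branch, where the file has become shorter than the offset and the whole file is read again. That is the case worth checking first when the same old entries keep reappearing in alerts.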



