On Wed, Aug 21, 2013 at 9:20 AM, Zhang Wei <[email protected]> wrote:
> The OSSEC version is 2.7.1 beta1.
>
> The scenario is as below:
> 1. I wrote a customized decoder XML and rule for monitoring one app's log
>    file.
> 2. The decoder and rule work well. The alert is triggered and mail is sent
>    when a new log entry matching the rule is added to the log file.
> 3. But the problem happens when another new log entry is appended to the
>    log file.
>
> Issue:
> [The first matched log entry and the newly appended matched log entry are
> combined together when sending mail.]
>
> Expected result:
> [Only the newly added log entry which matched the rule should be included
> in the alert scope.]
>
> The log file is like below (ignore the list number):
>
> 2013-08-01 14:32:10 [AppError]@IP:10.1.1.1
> 2013-08-01 14:38:40 [AppInfo]@IP:10.1.1.1
> 2013-08-01 14:42:05 [AppTest]@IP:10.1.1.1
> 2013-08-01 14:52:18 [AppError]@IP:10.1.1.1
>
> The decoder rule only reports [AppError] log entries.
> When the #1 log entry is added to the log file (matches the rule), the alert
> is triggered and the email is sent. (Works well.)
> When the #2 log entry is added to the log file (doesn't match), the alert is
> still triggered and the mail content is the #1 log entry. (The first, old
> matched log entry is still reported.)
> When the #3 log entry is added to the log file (doesn't match), the alert is
> still triggered and the mail content is the #1 log entry. (The first, old
> matched log entry is still reported.)
> When the #4 log entry is added to the log file (matches the rule), the alert
> is triggered and the mail content is the #1 + #2 log entries together. (Two
> matched log entries combined.)
>
> My concern is: why does the system always report all matched log entries
> instead of just reporting the newly added one according to the timestamp?
Does the inode update when new entries are added? (Perhaps OSSEC thinks this is a new file.)

Other than that, no ideas. There isn't enough data to go on.

> --
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
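To make the inode question concrete, here is an added example (not OSSEC's own code, and not from either poster) that models the decision a log collector has to make on every poll: same inode and a larger size means "append, read from the saved offset"; a different inode means "new file, start from offset 0". The log lines are the ones from the post, re-typed here as constructed sample input; the "alert" is simply every newly read line whose tag is AppError. The `demo()` function first appends the four lines one at a time, then rewrites the file under a new inode (write to a temp name and rename over the original), which is the situation the reply guesses at: the collector restarts from the beginning and every old AppError line is reported again.

```python
"""Added example: a minimal tail-by-inode-and-offset model.

Not OSSEC code.  Assumed log format (from the post):
    YYYY-MM-DD HH:MM:SS [Tag]@IP:a.b.c.d
"""
import os
import re
import tempfile

# Constructed sample input, copied from the post.
SAMPLE = [
    "2013-08-01 14:32:10 [AppError]@IP:10.1.1.1",
    "2013-08-01 14:38:40 [AppInfo]@IP:10.1.1.1",
    "2013-08-01 14:42:05 [AppTest]@IP:10.1.1.1",
    "2013-08-01 14:52:18 [AppError]@IP:10.1.1.1",
]

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \[(\w+)\]@IP:(\S+)$")


class LogTailer:
    """Reads only the bytes added since the previous poll, keyed on inode."""

    def __init__(self, path):
        self.path = path
        self.inode = None   # inode seen on the last poll
        self.offset = 0     # byte offset already consumed

    def poll(self):
        """Return the AppError lines that are new since the last poll."""
        st = os.stat(self.path)
        if st.st_ino != self.inode:
            # Different inode: the file was replaced (rotation, rewrite,
            # editor save-as-new-file).  Start over, which re-reads and
            # therefore re-reports every line already alerted on.
            self.inode = st.st_ino
            self.offset = 0
        elif st.st_size < self.offset:
            # Same inode but shorter than what we consumed: truncated in place.
            self.offset = 0
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            data = f.read()
            self.offset = f.tell()
        alerts = []
        for raw in data.decode("utf-8", "replace").splitlines():
            m = LINE_RE.match(raw)
            if m and m.group(2) == "AppError":
                alerts.append(raw)
        return alerts


def demo():
    """Append line by line, then rewrite the file under a new inode.

    Returns (per_append_alerts, alerts_after_rewrite).
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.log")
        open(path, "a").close()           # create the empty log
        tailer = LogTailer(path)

        per_append = []
        for line in SAMPLE:
            with open(path, "a") as f:    # append: inode is unchanged
                f.write(line + "\n")
            per_append.append(tailer.poll())

        # Rewrite with identical content via temp-file-and-rename: the
        # path is the same but the inode is new, so the tailer restarts.
        tmp = path + ".tmp"
        with open(tmp, "w") as f:
            f.write("\n".join(SAMPLE) + "\n")
        os.replace(tmp, path)
        after_rewrite = tailer.poll()

    return per_append, after_rewrite


if __name__ == "__main__":
    per_append, after_rewrite = demo()
    for n, alerts in enumerate(per_append, 1):
        print(f"after appending line #{n}: {alerts}")
    print(f"after rewrite under a new inode: {after_rewrite}")
```

With plain appends the tailer reports the first line once, nothing for lines 2 and 3, and only the fourth line when it arrives; after the rename-style rewrite it reports both AppError lines again. On the real host the same check is a before/after comparison of the inode while the application writes: `stat -c %i /path/to/app.log` on GNU/Linux (`stat -f %i` on BSD and macOS). If the number changes between two consecutive writes, the application is recreating the file rather than appending to it, and the collector's restart from offset 0 explains the duplicated old entries.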
