Thanks for the reply. Yes, the inode number is updated when a new entry is added. So do you have any idea how to just detect the latest log entry without including all the old entries?
On Wednesday, August 21, 2013 9:26:24 PM UTC+8, dan (ddpbsd) wrote:
> On Wed, Aug 21, 2013 at 9:20 AM, Zhang Wei <[email protected]> wrote:
> > The OSSEC version is 2.7.1 beta1
> >
> > The scenario is like below:
> > 1. I wrote a customized decoder XML and rule for monitoring one App's log file.
> > 2. The decoder and rule work well. The alert is triggered and mail is sent when a new log entry matching the rule is added to the log file.
> > 3. But the problem happens when another new log entry is appended to the log file.
> >
> > Issue:
> > [the first matched log entry and the newly appended matched log entry are combined together when sending the mail]
> >
> > Expected result:
> > [Only the newly added log entry which matched the rule should be included in the alert scope.]
> >
> > The log file is like below (ignore the list number):
> >
> > 2013-08-01 14:32:10 [AppError]@IP:10.1.1.1
> > 2013-08-01 14:38:40 [AppInfo]@IP:10.1.1.1
> > 2013-08-01 14:42:05 [AppTest]@IP:10.1.1.1
> > 2013-08-01 14:52:18 [AppError]@IP:10.1.1.1
> >
> > The decoder rule only reports [AppError] log entries.
> > When the #1 log entry is added to the log file (matches the rule), the alert is triggered and the email is sent. (Works well)
> > When the #2 log entry is added to the log file (doesn't match), the alert is still triggered and the mail content is the #1 log entry. (the first old matched log entry is still reported)
> > When the #3 log entry is added to the log file (doesn't match), the alert is still triggered and the mail content is the #1 log entry. (the first old matched log entry is still reported)
> > When the #4 log entry is added to the log file (matches the rule), the alert is triggered and the mail content is the #1 + #4 log entries together. (the two matched log entries are combined)
> >
> > My concern is why the system always reports all matched log entries instead of just reporting the newly added one according to the time stamp?
> >
> Does the inode update when new entries are added? (Perhaps OSSEC thinks this is a new file)
> Other than that, no ideas. There isn't enough data to go on.
> >
> > --
> > ---
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.
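The following is an added example, not code from the thread or from OSSEC itself. It models the mechanism Dan is asking about: a tail-style log collector that remembers the (inode, offset) of the file it is watching and, when the inode changes, treats the path as a brand-new file and reads it again from byte 0. With the four log lines quoted above (reconstructed here as constructed sample data) it reproduces the reported symptom when the application rewrites its log file on every write (a new inode each time) and shows that plain appends do not trigger it. The `resync` option is one hypothetical way to answer the follow-up question, by skipping a prefix of lines the collector has already delivered; the class and function names (`InodeFollower`, `simulate`, `write_rewrite`) are this example's own and are not OSSEC's API.

```python
import os
import re
import tempfile

# Constructed sample lines, modelled on the four quoted in the thread.
SAMPLE_LINES = [
    "2013-08-01 14:32:10 [AppError]@IP:10.1.1.1",
    "2013-08-01 14:38:40 [AppInfo]@IP:10.1.1.1",
    "2013-08-01 14:42:05 [AppTest]@IP:10.1.1.1",
    "2013-08-01 14:52:18 [AppError]@IP:10.1.1.1",
]

# Stand-in for the poster's decoder/rule: only [AppError] lines alert.
ERROR_RE = re.compile(r"\[AppError\]")


class InodeFollower:
    """Minimal tail -f style reader (hypothetical, not OSSEC's logcollector).

    Remembers (inode, offset). A changed inode is treated as a new file, so
    reading restarts at offset 0 and every old line is delivered again.
    """

    def __init__(self, path, resync=False):
        self.path = path
        self.inode = None
        self.offset = 0
        self.seen = []          # lines already delivered, used by resync
        self.resync = resync

    def poll(self):
        """Return the lines that are new since the previous poll."""
        st = os.stat(self.path)
        if st.st_ino != self.inode:
            # Rotation, or an app that rewrites instead of appending.
            self.inode = st.st_ino
            self.offset = 0
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            data = f.read()
            self.offset = f.tell()
        lines = data.decode().splitlines()
        if self.resync and lines and self.seen:
            # If the "new" file begins with everything already delivered,
            # it is the same log rewritten: drop the known prefix.
            n = len(self.seen)
            if lines[:n] == self.seen:
                lines = lines[n:]
        self.seen.extend(lines)
        return lines


def matched(lines):
    """Apply the stand-in rule to a batch of lines."""
    return [l for l in lines if ERROR_RE.search(l)]


def write_append(path, line):
    """Normal logger behaviour: append in place, inode unchanged."""
    with open(path, "a") as f:
        f.write(line + "\n")


def write_rewrite(path, lines):
    """Write a fresh file and rename it over the old one: new inode each time."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write("\n".join(lines) + "\n")
    os.replace(tmp, path)


def simulate(writer, resync=False):
    """Feed the sample lines one at a time; return the alerts raised per poll."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.log")
        follower = InodeFollower(path, resync=resync)
        alerts = []
        for i, line in enumerate(SAMPLE_LINES):
            if writer == "append":
                write_append(path, line)
            else:
                write_rewrite(path, SAMPLE_LINES[: i + 1])
            alerts.append(matched(follower.poll()))
        return alerts


if __name__ == "__main__":
    for writer, resync in (("append", False), ("rewrite", False), ("rewrite", True)):
        print(writer, "resync=%s" % resync)
        for n, batch in enumerate(simulate(writer, resync), 1):
            print("  after entry #%d alerted on: %s" % (n, batch))
```

Run as-is: the "rewrite" case alerts on entry #1 after every write and on #1 plus #4 after the last one, which is exactly the mail content described in the thread, while "append" (and "rewrite" with resync) alert only on the entry that actually arrived. The practical check is therefore `ls -i` (or `stat`) on the application's log file between two writes: if the number changes, the application is replacing the file rather than appending to it, and any inode-keyed collector will re-read it from the start.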
