On Wed, Aug 21, 2013 at 9:36 PM, Zhang Wei <[email protected]> wrote:
> Thanks for the reply. Yes, the inode number is updated when a new entry
> is added. So do you have any idea how to just detect the latest log entry
> without including all old entries?

Not really. I'd have to check the code, but I imagine a new inode signals a
new log file, and all entries in new log files should be assessed.

> On Wednesday, August 21, 2013 9:26:24 PM UTC+8, dan (ddpbsd) wrote:
>>
>> On Wed, Aug 21, 2013 at 9:20 AM, Zhang Wei <[email protected]> wrote:
>> > The OSSEC version is 2.7.1 beta1
>> >
>> > The scenario is like below:
>> > 1. I wrote the customized decoder XML and rule for monitoring one App's
>> >    log file.
>> > 2. The decoder and rule work well. The alert has been triggered and mail
>> >    sent when the new matched rule log entry was added into the log file.
>> > 3. But the case happens when another new log entry is appended to the
>> >    log file.
>> >
>> > Issue:
>> > [the first matched log entry and the newly appended matched log entry
>> > combined together for sending mail]
>> >
>> > Expected result:
>> > [Only the newly added log entry which matched the rule should be included
>> > in the alert scope.]
>> >
>> > The log file is like below (ignore the list number):
>> >
>> > 2013-08-01 14:32:10 [AppError]@IP:10.1.1.1
>> > 2013-08-01 14:38:40 [AppInfo]@IP:10.1.1.1
>> > 2013-08-01 14:42:05 [AppTest]@IP:10.1.1.1
>> > 2013-08-01 14:52:18 [AppError]@IP:10.1.1.1
>> >
>> > The decoder rule only reports the [AppError] log entry.
>> > When the #1 log entry is added into the log file (matches rule), the alert
>> > is triggered and email sent. (Works good)
>> > When the #2 log entry is added into the log file (doesn't match), the alert
>> > is still triggered and the mail content is the #1 log entry. (the first old
>> > matched log entry is still reported)
>> > When the #3 log entry is added into the log file (doesn't match), the alert
>> > is still triggered and the mail content is the #1 log entry. (the first old
>> > matched log entry is still reported)
>> > When the #4 log entry is added into the log file (matches rule), the alert
>> > is triggered and the mail content is #1 + #2 log entry together. (combined
>> > two matched log entries)
>> >
>> > My concern is why the system always reports all matched log entries
>> > instead of just reporting the newly added one according to the time stamp?
>> >
>>
>> Does the inode update when new entries are added? (Perhaps OSSEC
>> thinks this is a new file)
>>
>> Other than that, no ideas. There isn't enough data to go on.
>>
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
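As an added illustration of the behaviour dan describes (this is not OSSEC's code and is not from the thread), the toy collector below remembers an (inode, offset) pair for one file and restarts from offset 0 whenever the inode changes; the four entries, the `[AppError]` rule and the `Tailer`, `write_log` and `demo` names are all constructed here. With the file appended in place only new matches alert; with the file recreated on every write (new inode each time) the poster's symptom appears and #1 is reported again on every later poll.

```python
import os
import re
import tempfile

# Constructed sample entries in the format the thread shows.
ENTRIES = [
    "2013-08-01 14:32:10 [AppError]@IP:10.1.1.1",
    "2013-08-01 14:38:40 [AppInfo]@IP:10.1.1.1",
    "2013-08-01 14:42:05 [AppTest]@IP:10.1.1.1",
    "2013-08-01 14:52:18 [AppError]@IP:10.1.1.1",
]
# Stand-in for the poster's custom decoder/rule: only [AppError] entries alert.
RULE = re.compile(r"\[AppError\]")

class Tailer:
    """Toy collector that remembers (inode, offset) for one file; not OSSEC's code.
    A changed inode is taken to mean a new file, so reading restarts at offset 0."""
    def __init__(self, path):
        self.path, self.inode, self.offset = path, None, 0

    def poll(self):
        """Return the matching entries read since the previous poll."""
        st = os.stat(self.path)
        if st.st_ino != self.inode:        # new inode: treat as a brand-new log file
            self.inode, self.offset = st.st_ino, 0
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            lines = f.read().decode().splitlines()
            self.offset = f.tell()
        return [line for line in lines if RULE.search(line)]

def write_log(path, lines, recreate):
    """Append in place, or recreate the file. The old copy is kept under another
    name so its inode stays allocated and the new file is guaranteed a new one."""
    if recreate and os.path.exists(path):
        os.rename(path, "%s.%d" % (path, os.stat(path).st_ino))
    with open(path, "w" if recreate else "a") as f:
        f.write("".join(line + "\n" for line in lines))

def demo(recreate):
    """Deliver the four entries one by one; collect what alerts after each."""
    path = os.path.join(tempfile.mkdtemp(), "app.log")
    tailer, alerts = Tailer(path), []
    for i, entry in enumerate(ENTRIES):
        write_log(path, ENTRIES[:i + 1] if recreate else [entry], recreate)
        alerts.append(tailer.poll())
    return alerts
# demo(False) -> [[#1], [], [], [#4]]          stable inode: only new matches alert
# demo(True)  -> [[#1], [#1], [#1], [#1, #4]]  new inode each time: #1 is re-alerted
```

Whether a real collector re-reads from the start or keeps its offset depends on its own rotation logic; the point here is only that an inode change is indistinguishable from a fresh file at the stat level.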
