Got it. Finally it turns out that appending to the log file won't change the inode, but adding a new log entry by opening the log file with Vim will.
On Thursday, August 22, 2013 9:10:17 PM UTC+8, dan (ddpbsd) wrote:
>
> On Wed, Aug 21, 2013 at 9:36 PM, Zhang Wei <[email protected]> wrote:
> > Thanks for the reply. Yes, the inode number is updated when a new entry
> > is added. So do you have any idea how to detect just the latest log entry
> > without including all the old entries?
> >
>
> Not really. I'd have to check the code, but I imagine a new inode
> signals a new log file, and all entries in new log files should be
> assessed.
>
> > On Wednesday, August 21, 2013 9:26:24 PM UTC+8, dan (ddpbsd) wrote:
> >>
> >> On Wed, Aug 21, 2013 at 9:20 AM, Zhang Wei <[email protected]> wrote:
> >> > The OSSEC version is 2.7.1 beta1
> >> >
> >> > The scenario is like below:
> >> > 1. I wrote the customized decoder XML and rule for monitoring one
> >> >    App's log file.
> >> > 2. The decoder and rule work well. The alert has been triggered and
> >> >    mail sent when the new matched rule log entry was added into the
> >> >    log file.
> >> > 3. But the case happens when another new log entry is appended to
> >> >    the log file.
> >> >
> >> > Issue:
> >> > [the first matched log entry and the new appended matched log entry
> >> > combined together for sending mail]
> >> >
> >> > Expected result:
> >> > [Only the newly added log entry which matched the rule should be
> >> > included in the alert scope.]
> >> >
> >> > The log file is like below (ignore the list number):
> >> >
> >> > 2013-08-01 14:32:10 [AppError]@IP:10.1.1.1
> >> > 2013-08-01 14:38:40 [AppInfo]@IP:10.1.1.1
> >> > 2013-08-01 14:42:05 [AppTest]@IP:10.1.1.1
> >> > 2013-08-01 14:52:18 [AppError]@IP:10.1.1.1
> >> >
> >> > The decoder rule only reports [AppError] log entries.
> >> > When the #1 log entry is added into the log file (matches rule), the
> >> > alert is triggered and email sent. (Works good)
> >> > When the #2 log entry is added into the log file (doesn't match), the
> >> > alert is still triggered and the mail content is the #1 log entry.
> >> > (the first old matched log entry is still reported)
> >> > When the #3 log entry is added into the log file (doesn't match), the
> >> > alert is still triggered and the mail content is the #1 log entry.
> >> > (the first old matched log entry is still reported)
> >> > When the #4 log entry is added into the log file (matches rule), the
> >> > alert is triggered and the mail content is #1 + #2 log entries
> >> > together. (combined two matched log entries)
> >> >
> >> > My concern is why the system always reports all matched log entries
> >> > instead of just reporting the newly added one according to the
> >> > time stamp?
> >> >
> >>
> >> Does the inode update when new entries are added? (Perhaps OSSEC
> >> thinks this is a new file)
> >>
> >> Other than that, no ideas. There isn't enough data to go on.
> >>
> >> >
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google
> >> > Groups "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send
> >> > an email to [email protected].
> >> > For more options, visit https://groups.google.com/groups/opt_out.
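The finding in the reply above (an in-place append keeps the inode, while an editor that saves by writing a new file and renaming it over the old path produces a new inode, which OSSEC's logcollector then treats as a new file and reads from the start) can be checked directly. The following is an added shell example, not part of the ossec-list thread or of OSSEC itself; the log lines are constructed and the rename step is a simulation of an editor's write-and-rename save, not a call to Vim:

```sh
#!/bin/sh
# Added example: compare the inode of a log file after an in-place append
# and after a write-temp-then-rename save (the pattern Vim uses when it
# makes its backup by renaming the original). Log lines are constructed.

# Portable inode lookup: GNU and BSD stat take different flags, so use
# the POSIX "ls -i" form and take the first field.
inode_of() {
    ls -i "$1" | awk '{print $1}'
}

# Append one entry with >> : the same inode is written to.
# Prints "same" when the inode is unchanged, "changed" otherwise.
append_in_place() {
    f=$1
    before=$(inode_of "$f")
    printf '%s\n' "2013-08-01 14:52:18 [AppError]@IP:10.1.1.1" >> "$f"
    after=$(inode_of "$f")
    [ "$before" = "$after" ] && echo same || echo changed
}

# Simulate an editor save: write the full new content to a temp file and
# rename it over the original. The path now resolves to a fresh inode,
# so a monitor keyed on inode sees a brand-new file.
rewrite_via_rename() {
    f=$1
    before=$(inode_of "$f")
    { cat "$f"; printf '%s\n' "2013-08-01 14:55:00 [AppError]@IP:10.1.1.1"; } > "$f.tmp"
    mv "$f.tmp" "$f"
    after=$(inode_of "$f")
    [ "$before" = "$after" ] && echo same || echo changed
}

# Run both operations on a scratch log and report the outcome as one line.
demo() {
    dir=$(mktemp -d)
    log="$dir/app.log"
    printf '%s\n' "2013-08-01 14:32:10 [AppError]@IP:10.1.1.1" > "$log"
    r1=$(append_in_place "$log")
    r2=$(rewrite_via_rename "$log")
    rm -rf "$dir"
    echo "append:$r1 rename:$r2"
}

demo
```

The script prints `append:same rename:changed`, which is the behaviour reported in the thread: the application appending to its own log leaves the inode alone, so only new entries are assessed, whereas a hand edit that replaces the file makes the collector re-read every entry, including the old matched ones. If entries must be added by hand in Vim, `:set backupcopy=yes` makes Vim copy the file for its backup and write into the original, preserving the inode.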
