If you provide some sample logs and your custom decoders/rules, someone might be able to reproduce the problem and help.
On Wednesday, August 21, 2013 6:20:10 AM UTC-7, Zhang Wei wrote:
>
> The OSSEC version is 2.7.1 beta1
>
> *The scenario is like below:*
> 1. I wrote a customized decoder XML and rule for monitoring one app's log file.
> 2. The decoder and rule work well. The alert is triggered and mail is sent when a new log entry matching the rule is added to the log file.
> 3. But the issue happens when another new log entry is appended to the log file.
>
> *Issue:*
> [The first matched log entry and the newly appended matched log entry are combined together when sending mail.]
>
> *Expected result:*
> [Only the newly added log entry which matched the rule should be included in the alert scope.]
>
> *The log file is like below (ignore the list number):*
>
> 1. 2013-08-01 14:32:10 [AppError]@IP:10.1.1.1
> 2. 2013-08-01 14:38:40 [AppInfo]@IP:10.1.1.1
> 3. 2013-08-01 14:42:05 [AppTest]@IP:10.1.1.1
> 4. 2013-08-01 14:52:18 [AppError]@IP:10.1.1.1
>
> *The decoder rule only reports the [AppError] log entry.*
> When the #1 log entry is added to the log file (matches the rule), the alert is triggered and the email is sent. (Works well.)
> When the #2 log entry is added to the log file (doesn't match), the alert is still triggered and the mail content is the #1 log entry. (The first, old matched log entry is still reported.)
> When the #3 log entry is added to the log file (doesn't match), the alert is still triggered and the mail content is the #1 log entry. (The first, old matched log entry is still reported.)
> When the #4 log entry is added to the log file (matches the rule), the alert is triggered and the mail content is the #1 + #2 log entries together. (Two matched log entries combined.)
>
> *My concern is why the system always reports all matched log entries instead of just reporting the newly added one according to the time stamp?*
>
-- 
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
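The thread quotes four sample entries and describes the result the poster expected: an alert that contains only the entry appended since the last read, never earlier matches. The script below is an added reference harness, not code from the thread and not OSSEC's own logcollector or decoder engine. It assumes the log format shown in the quote (timestamp, bracketed tag, `@IP:` address), implements the decoder and rule logic as a Python regex and a tag comparison, and reads the file by stored byte offset so that only newly appended, complete lines are considered. Running it against the same appends shows what a correctly behaving collector should report, which is useful for comparing against what OSSEC actually mails; the sample entries are constructed from the quote, not a real capture.

```python
import os
import re
import tempfile

# Constructed sample entries in the format quoted in the thread (not a real capture).
SAMPLE_LINES = [
    "2013-08-01 14:32:10 [AppError]@IP:10.1.1.1",
    "2013-08-01 14:38:40 [AppInfo]@IP:10.1.1.1",
    "2013-08-01 14:42:05 [AppTest]@IP:10.1.1.1",
    "2013-08-01 14:52:18 [AppError]@IP:10.1.1.1",
]

# Decoder equivalent (assumed format): timestamp, bracketed tag, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<tag>\w+)\]@IP:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def decode(line):
    """Split one entry into its fields, or return None when the line does not fit the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def rule_matches(event, tag="AppError"):
    """Rule equivalent: alert only when the decoded tag is AppError."""
    return event is not None and event["tag"] == tag


class IncrementalTail:
    """Hands back only complete lines appended since the previous call, tracking a byte offset."""

    def __init__(self, path):
        self.path = path
        self.offset = 0
        self.pending = b""  # bytes of a trailing line not yet terminated by a newline

    def new_lines(self):
        if os.path.getsize(self.path) < self.offset:
            # Truncation or in-place rotation: re-read from the start instead of skipping data.
            self.offset, self.pending = 0, b""
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            self.pending += f.read()
            self.offset = f.tell()
        # Everything before the last newline is complete; the remainder waits for the next read.
        *complete, self.pending = self.pending.split(b"\n")
        return [raw.decode("utf-8", "replace") for raw in complete if raw]


def simulate(chunks):
    """Append each chunk to a fresh temp file and return, per chunk, the entries that should alert.

    A chunk may be a partial line; it is only reported once its newline arrives.
    """
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    try:
        tail = IncrementalTail(path)
        results = []
        for chunk in chunks:
            with open(path, "ab") as f:
                f.write(chunk.encode("utf-8"))
            results.append([ln for ln in tail.new_lines() if rule_matches(decode(ln))])
        return results
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for i, alerts in enumerate(simulate([ln + "\n" for ln in SAMPLE_LINES]), 1):
        print(f"after entry #{i}: {alerts if alerts else 'no alert'}")
```

With the four entries appended one at a time, only the first and fourth append produce an alert, and each alert carries exactly the entry that triggered it. The second scenario in the test splits entry #4 across two writes to show why a collector must wait for the newline before decoding: a half-written line would otherwise fail the decoder or, worse, be matched twice.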
