I recently set up OSSEC to monitor a specific logfile for an agent.
It seems to be sending emails/alerts from previous entries. How can I make
sure OSSEC only cares about new entries?
Second, but not as important, when I run syscheck-control -i ID, that log
file does not show up on the list, yet I still receive emails when it is
modified. How can I change that?
Here are my decoder and rules files:
<decoder name="php-log">
  <!-- Parent decoder. The prematch below was wrapped over two lines in the
       mail; it is a single pattern ending in "PHP Fatal error:" -->
  <prematch>^\p\d\d-\w\w\w-\d\d\d\d \d\d:\d\d:\d\d\p PHP Fatal error:</prematch>
</decoder>
<decoder name="php-log-alert">
  <parent>php-log</parent>
  <!-- offset="after_parent" starts matching right after the text the parent
       prematch consumed (i.e. already past "PHP Fatal error:"), so this regex
       only matches if the message text itself begins with " PHP Fatal Error".
       <order> is filled from capture groups in <regex>; there is none here,
       so srcip is never populated. -->
  <regex offset="after_parent">^ PHP Fatal Error</regex>
  <order>srcip</order>
</decoder>
Rules:
<group name="syslog,log,">
  <!-- Base rule, level 0: never alerts on its own, it only groups every event
       decoded by php-log so child rules can build on it -->
  <rule id="110000" level="0">
    <decoded_as>php-log</decoded_as>
    <description>PHP custom log group.</description>
  </rule>
  <!-- Child rule: fires on any php-log event containing "PHP Fatal Error"
       and is flagged for email alerting -->
  <rule id="110001" level="11">
    <if_sid>110000</if_sid>
    <options>alert_by_email</options>
    <match>PHP Fatal Error</match>
    <description>PHP Error???</description>
  </rule>
</group>
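To see what the posted decoder and rule actually do before changing the agent config, here is an added example (not from the original post or the OSSEC project) that replays the parent prematch, the after_parent child regex and rule 110001's <match> against constructed PHP log lines. It approximates OSSEC's regex dialect with Python's re (the \d, \w and \p class definitions and case-insensitive matching are assumptions), so confirm the results with ossec-logtest on the real agent.

```python
import re

# Approximation of the OSSEC regex classes used in the posted decoder.
# Assumption: a simplified model of OSSEC's OS_Regex dialect (case-insensitive;
# \d digit, \w word character, \p punctuation), not the OSSEC engine itself.
OSSEC_CLASSES = {
    r"\d": r"[0-9]",
    r"\w": r"[A-Za-z0-9@_-]",
    r"\p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",
}

def ossec_to_python(pattern: str) -> str:
    """Translate the OSSEC classes above into an equivalent Python regex."""
    for ossec_cls, py_cls in OSSEC_CLASSES.items():
        pattern = pattern.replace(ossec_cls, py_cls)
    return pattern

# The decoder and rule patterns exactly as posted.
PREMATCH = r"^\p\d\d-\w\w\w-\d\d\d\d \d\d:\d\d:\d\d\p PHP Fatal error:"
CHILD_REGEX = r"^ PHP Fatal Error"      # <regex offset="after_parent">
RULE_MATCH = "PHP Fatal Error"          # <match> of rule 110001

def decode(line: str) -> dict:
    """Run the parent prematch, then the child regex on the remainder the
    after_parent offset sees, then rule 110001's <match>; report what fired."""
    parent = re.search(ossec_to_python(PREMATCH), line, re.IGNORECASE)
    if not parent:
        return {"parent": False, "child": False, "rule_110001": False, "fields": []}
    rest = line[parent.end():]                       # what after_parent sees
    child = re.search(ossec_to_python(CHILD_REGEX), rest, re.IGNORECASE)
    # <order>srcip</order> is only filled from capture groups; the posted
    # child regex has none, so nothing is ever extracted.
    fields = list(child.groups()) if child else []
    return {
        "parent": True,
        "child": child is not None,
        "rule_110001": RULE_MATCH.lower() in line.lower(),  # rule needs if_sid 110000
        "fields": fields,
    }

# Constructed sample lines in the timestamp format the prematch expects.
LOG_LINES = [
    "[13-Jan-2014 10:15:32] PHP Fatal error:  Uncaught exception 'Exception' in /var/www/index.php:12",
    "[13-Jan-2014 10:15:33] PHP Warning:  Division by zero in /var/www/calc.php on line 8",
]

if __name__ == "__main__":
    for line in LOG_LINES:
        print(decode(line))
```

The first line is decoded by php-log and trips rule 110001 while the php-log-alert child never matches; the warning line is not decoded at all.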
You received this message because you are subscribed to the Google Groups
"ossec-list" group.