I created a new decoder/rule to monitor an agent's logfile.
It's sending me alerts, which is great, but it seems to be sending alerts
from OLD entries.
How can I adjust this so that ossec will only send new entries but ignore
the old ones?
Here is my decoders.xml and rules file:
<decoder name="php-log">
  <!-- Matches the PHP error_log prefix, e.g. "[05-Jan-2014 12:34:56] PHP Fatal error:";
       the prematch must be a single line, the original was wrapped by the mail client -->
  <prematch>^\p\d\d-\w\w\w-\d\d\d\d \d\d:\d\d:\d\d\p PHP Fatal error:</prematch>
</decoder>
<decoder name="php-log-alert">
  <parent>php-log</parent>
  <!-- offset="after_parent" starts where the parent's prematch stopped, so "PHP Fatal error:"
       is already consumed and a regex for that text would never match. A PHP fatal error
       line carries no source IP, so the rest of the line is captured into extra_data
       instead of srcip; without a (...) capture the order field is never filled -->
  <regex offset="after_parent">^ (\.+)$</regex>
  <order>extra_data</order>
</decoder>
Rules:
<group name="syslog,log,">
  <rule id="110000" level="0">
    <decoded_as>php-log</decoded_as>
    <description>PHP custom log group.</description>
  </rule>
  <rule id="110001" level="11">
    <if_sid>110000</if_sid>
    <options>alert_by_email</options>
    <match>PHP Fatal Error</match>
    <description>PHP Error???</description>
  </rule>
</group>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
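An added example, not part of the message above and not OSSEC's own code: a small Python harness that emulates the php-log decoder chain and the two rules against constructed PHP error_log lines, so you can see which lines the prematch accepts and which rule fires before loading the files into the agent. The character-class table is my translation of the OSSEC regex syntax documentation; case-insensitive matching (os_regex compiled without its case-sensitive flag) and a child decoder satisfying `decoded_as` by its parent's name are assumptions. The authoritative check is `/var/ossec/bin/ossec-logtest`, which reads log lines from stdin and prints the decoder and rule that matched.

```python
import re

# OSSEC regex character classes translated to Python re (assumption taken
# from the OSSEC regex syntax docs; this is not OSSEC's os_regex engine).
OSSEC_CLASSES = {
    r"\d": "[0-9]",
    r"\w": "[A-Za-z0-9@_-]",
    r"\s": " ",
    r"\t": "\t",
    r"\p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",
    r"\D": "[^0-9]",
    r"\W": "[^A-Za-z0-9@_-]",
    r"\S": "[^ ]",
    r"\.": ".",
}
META = set("^$()*+|")  # metacharacters OSSEC and Python re have in common


def ossec_to_python(pattern):
    """Translate an OSSEC <prematch>/<regex> pattern into a compiled Python regex."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i:i + 2] in OSSEC_CLASSES:
            out.append(OSSEC_CLASSES[pattern[i:i + 2]])
            i += 2
        elif pattern[i] in META:
            out.append(pattern[i])
            i += 1
        else:
            out.append(re.escape(pattern[i]))  # anything else is literal in OSSEC
            i += 1
    # assumption: os_regex is case-insensitive unless compiled case-sensitive
    return re.compile("".join(out), re.IGNORECASE)


# Decoders from the post (child captures the message into extra_data)
PREMATCH = ossec_to_python(r"^\p\d\d-\w\w\w-\d\d\d\d \d\d:\d\d:\d\d\p PHP Fatal error:")
CHILD_REGEX = ossec_to_python(r"^ (\.+)$")  # offset="after_parent"

# Rules from the post
RULES = [
    {"id": 110000, "level": 0, "decoded_as": "php-log"},
    {"id": 110001, "level": 11, "if_sid": 110000, "match": "PHP Fatal Error"},
]
LEVELS = {r["id"]: r["level"] for r in RULES}


def decode(line):
    """Emulate the parent/child decoder chain; None when the prematch fails."""
    m = PREMATCH.match(line)
    if not m:
        return None
    result = {"decoder": "php-log", "parent": "php-log", "extra_data": None}
    # after_parent: the child regex only sees the text after the parent's prematch
    c = CHILD_REGEX.match(line[m.end():])
    if c:
        result["decoder"] = "php-log-alert"
        result["extra_data"] = c.group(1)
    return result


def ossec_match(pattern, text):
    """Emulate <match>: case-insensitive substring with ^, $ and | alternatives."""
    text = text.lower()
    for alt in pattern.lower().split("|"):
        head, tail = alt.startswith("^"), alt.endswith("$")
        alt = alt.strip("^$")
        if head and tail:
            ok = text == alt
        elif head:
            ok = text.startswith(alt)
        elif tail:
            ok = text.endswith(alt)
        else:
            ok = alt in text
        if ok:
            return True
    return False


def evaluate(line):
    """Return the id of the highest-level rule that fires for a line, or None."""
    decoded = decode(line)
    if decoded is None:
        return None  # undecoded lines never reach the decoded_as rule
    fired = []
    for rule in RULES:
        # assumption: a child decoder also satisfies decoded_as on its parent's name
        if "decoded_as" in rule and rule["decoded_as"] not in (decoded["decoder"], decoded["parent"]):
            continue
        if "if_sid" in rule and rule["if_sid"] not in fired:
            continue
        if "match" in rule and not ossec_match(rule["match"], line):
            continue
        fired.append(rule["id"])
    return max(fired, key=LEVELS.get) if fired else None


# Constructed sample lines (not taken from the original post)
SAMPLE_LINES = [
    "[05-Jan-2014 12:34:56] PHP Fatal error: Uncaught Error: Call to undefined function foo() in /var/www/index.php:12",
    "[05-Jan-2014 12:34:57] PHP Warning: Undefined variable $x in /var/www/index.php on line 3",
    "PHP Fatal error: Allowed memory size exhausted",  # no timestamp prefix: prematch fails
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(evaluate(line), decode(line), "<-", line[:45])
```

Only the first sample line fires rule 110001; the warning is rejected by the prematch, and so is a fatal error without the timestamp prefix, which is why the prematch anchor matters when the same message arrives through another channel such as syslog.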