On Oct 28, 2013 3:47 PM, "Gabriel Holder" <[email protected]> wrote:
>
> I created a new decoder/rule to monitor an agent's logfile.
> It's sending me alerts which is great but it seems to be sending alerts from OLD entries.
> How can I adjust this so that ossec will only send new entries but ignore the old ones?
>

Does the inode of the log file change every time this happens?

> Here is my decoders.xml and rules file:
> <decoder name="php-log">
>    <prematch>^\p\d\d-\w\w\w-\d\d\d\d \d\d:\d\d:\d\d\p PHP Fatal error:</prematch>
> </decoder>
>
> <decoder name="php-log-alert">
>    <parent>php-log</parent>
>    <regex offset="after_parent">^ PHP Fatal Error</regex>
>    <order>srcip</order>
> </decoder>
>
> Rules:
> <group name="syslog,log,">
>   <rule id="110000" level="0">
>    <decoded_as>php-log</decoded_as>
>    <description>PHP custom log group.</description>
>   </rule>
>
>  <rule id="110001" level="11">
>     <if_sid>110000</if_sid>
>     <options>alert_by_email</options>
>     <match>PHP Fatal Error</match>
>     <description>PHP Error???</description>
>    </rule>
> </group>
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.

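To see why an inode change brings old entries back, here is an added example (not code from the thread or from OSSEC itself): a minimal collector that keeps (inode, offset) per file and restarts from offset 0 when the inode changes, run against a constructed scenario where the application either appends to its PHP log in place or rewrites it through a temp file and rename. The file name, timestamps and log lines are all made up for the demonstration.

```python
import os
import tempfile

def snapshot(path):
    """The two facts a log collector keeps per file: inode and current size."""
    st = os.stat(path)
    return st.st_ino, st.st_size

def classify_change(prev, cur):
    """Classify what happened to a file between two (inode, size) snapshots."""
    if prev[0] != cur[0]:
        return "replaced"    # new inode: rotated or rewritten; reader restarts at 0
    if cur[1] < prev[1]:
        return "truncated"   # same inode, smaller: copytruncate-style rotation
    if cur[1] > prev[1]:
        return "appended"
    return "unchanged"

def read_new_lines(path, offset):
    """Return (lines, new_offset) for the bytes written after `offset`."""
    with open(path, "rb") as f:
        f.seek(offset)
        data = f.read()
    return data.decode("utf-8", "replace").splitlines(), offset + len(data)

def demo(rewrite_file):
    """Constructed scenario. The collector consumes one old entry, then the app
    adds a new one by appending in place (rewrite_file=False) or by writing a
    temp file and renaming it over the log (rewrite_file=True)."""
    path = os.path.join(tempfile.mkdtemp(), "php_errors.log")
    old = "[28-Oct-2013 10:00:01] PHP Fatal error: old entry\n"
    new = "[28-Oct-2013 15:47:00] PHP Fatal error: new entry\n"
    with open(path, "w") as f:
        f.write(old)
    _, offset = read_new_lines(path, 0)      # old entry already alerted on
    prev = snapshot(path)
    if rewrite_file:
        with open(path + ".tmp", "w") as f:
            f.write(old + new)
        os.replace(path + ".tmp", path)      # same content plus one line, new inode
    else:
        with open(path, "a") as f:
            f.write(new)
    kind = classify_change(prev, snapshot(path))
    if kind in ("replaced", "truncated"):
        offset = 0   # start over; a replaced file that still holds old lines re-emits them
    lines, _ = read_new_lines(path, offset)
    return kind, lines
```

Running `demo(False)` yields only the new entry, while `demo(True)` yields both lines, which is exactly the duplicate alerting described in the question.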
