Hi Dan,

Thank you so much for your help. It was that. I changed the config on the agent to <command> from <full_command> and the output was sent in one line instead of two.

Thanks again for your help. Much appreciated.

On 30 December 2013 21:33, dan (ddp) <[email protected]> wrote:

> On Mon, Dec 30, 2013 at 3:29 PM, Robert Micallef <[email protected]> wrote:
> > Yes but all from log monitoring. But I checked just now, and it has been
> > running for some time now and I still can't see an alert. One thing I
> > noticed is that without the custom decoder and having the rule set to match
> > the output and alert when it sees any number by using the regex "/d" alerts
> > are generated (although not for over 80% as I need it) which could mean that
> > the regex is not matching the actual log. As I posted earlier, in
> > archives.log I find the following log:
> >
> > 2013 Dec 30 15:26:28 (m-s-comm1) 10.152.1.227->mem-usage ossec: output: 'mem-usage':
> > 71%
> >
> > The percentage is always in a line beneath the log. I don't know if that
> > makes a difference.
> >
> > In ossec-logtest I input the following as a single line to test:
> > ossec: output: 'mem-usage': 71%
> >
>
> Yeah, that might make a difference. ossec-logtest doesn't really work
> with multi-line logs, so it probably isn't matching.
> I'm not entirely sure how to account for that log silliness off hand,
> I'd have to play around with it.
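The change described in the reply above, written out as an added example (not the poster's actual configuration, which the thread does not show), together with a rule for the 80% threshold mentioned in the quoted message. The script path, frequency, rule id and level are placeholders, and the rule assumes the stock ruleset, where rule 530 matches "ossec: output: " events.

```xml
<!-- Agent ossec.conf (added illustration; path and frequency are placeholders).
     The alias 'mem-usage' is taken from the log line quoted in the thread. -->
<localfile>
  <!-- With full_command here, the whole command output is sent as ONE event,
       so the header and the value arrive as a two-line log:
         ossec: output: 'mem-usage':
         71%
       With command, each output line becomes its own single-line event:
         ossec: output: 'mem-usage': 71%                                  -->
  <log_format>command</log_format>
  <command>/path/to/mem-usage-script</command>
  <alias>mem-usage</alias>
  <frequency>60</frequency>
</localfile>

<!-- Manager local_rules.xml (rule id and level are placeholders). -->
<group name="local,mem_usage,">
  <rule id="100100" level="7">
    <!-- 530 is the stock parent rule for "ossec: output: " events -->
    <if_sid>530</if_sid>
    <match>ossec: output: 'mem-usage': </match>
    <!-- OSSEC regex has no {n,m} quantifier, so the range 80 to 100 is
         spelled out as alternatives: 8x%, 9x% or 100% -->
    <regex>: 8\d%|: 9\d%|: 100%</regex>
    <description>Memory usage at or above 80%.</description>
  </rule>
</group>
```

With one event per output line, the single-line string fed to ossec-logtest in the quoted message has the same shape as what the manager actually receives.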
