Hi Jesus Linares,

Thank you for responding to my post :). I've checked /var/ossec/logs/archives/archives.log and there is nothing in there, I mean there are no characters in the log. I've also reviewed my rules, and there aren't any errors :(.
I've read the documentation about Localfile using full_command and found this:

> full_command
>
> This format will be the output from the command (as run by root) defined by command <http://ossec-docs.readthedocs.io/en/latest/manual/monitoring/index.html#command>.
>
> The entire output will be treated as a single log.

So, do the results of the second full_command overwrite the results of the first command? Or is the logic of my rules wrong? Here are the logs generated in alerts.json:

{"rule":{"level":3,"comment":"Change detected on http://siteA.com/.","sidid":100001,"firedtimes":7,"groups":["local","syslog"]},"full_log":"ossec: output: 'curl http://siteA.com/ | grep title | sha1sum':\nda39a3ee5e6b4b0d3255bfef95601890afd80709 -","decoder":{"name":"ossec"},"hostname":"mx","timestamp":"2016 Aug 12 16:26:34","location":"curl http://siteA.com/ | grep title | sha1sum"}

{"rule":{"level":3,"comment":"Change detected on http://siteA.com/.","sidid":100001,"firedtimes":8,"groups":["local","syslog"]},"full_log":"ossec: output: 'curl http://siteB.com | grep title | sha1sum':\n4eb7d4cc1b4bf5a7aff57b0502e091944d3e4252 -","decoder":{"name":"ossec"},"hostname":"mx","timestamp":"2016 Aug 12 16:26:34","location":"curl http://siteB.com | grep title | sha1sum"}

{"rule":{"level":3,"comment":"Change detected on http://siteA.com/.","sidid":100001,"firedtimes":9,"groups":["local","syslog"]},"full_log":"ossec: output: 'curl http://siteA.com/ | grep title | sha1sum':\nda39a3ee5e6b4b0d3255bfef95601890afd80709 -","decoder":{"name":"ossec"},"hostname":"mx","timestamp":"2016 Aug 12 16:26:38","location":"curl http://siteA.com/ | grep title | sha1sum"}

{"rule":{"level":3,"comment":"Change detected on http://siteA.com/.","sidid":100001,"firedtimes":10,"groups":["local","syslog"]},"full_log":"ossec: output: 'curl http://siteB.com | grep title | sha1sum':\n4eb7d4cc1b4bf5a7aff57b0502e091944d3e4252 -","decoder":{"name":"ossec"},"hostname":"mx","timestamp":"2016 Aug 12 16:26:38","location":"curl http://siteB.com | grep title | sha1sum"}

Thank you - Have a good day -

On Wednesday, August 10, 2016 at 15:51:49 UTC+7, Jesus Linares wrote:
>
> Hi,
>
> review the event generated with the command in /var/ossec/logs/archives/archives.log. Then, use the binary /var/ossec/bin/ossec-logtest to review your rules.
>
> Regards.
>
> On Tuesday, August 9, 2016 at 11:18:10 AM UTC+2, Trần Khoa wrote:
>>
>> Hi everyone,
>> I have followed the technique for detecting defaced websites from blog.rootshell.be <https://blog.rootshell.be/2011/10/25/detecting-defaced-websites-with-ossec/>.
>> I have used this technique for 2 different domains, but the first rule is always triggered.
>> I don't know if my rule configuration is wrong, or whether there is no way to check 2 sites at the same time?
>>
>> Here is my OSSEC configuration:
>>
>> In my ossec.conf, I've added 2 <localfile> entries with 2 different domains:
>>
>>> <localfile>
>>>   <log_format>full_command</log_format>
>>>   <command>curl http://siteA.com/ | grep title | sha1sum</command>
>>>   <frequency>5</frequency>
>>> </localfile>
>>
>>> <localfile>
>>>   <log_format>full_command</log_format>
>>>   <command>curl http://siteB.com/ | grep title | sha1sum</command>
>>>   <frequency>5</frequency>
>>> </localfile>
>>
>> And in local_rules, I've defined 2 rules in one group:
>>
>>> <rule id="100001" level="10">
>>>   <if_sid>530</if_sid>
>>>   <match>ossec: output: 'curl http://siteA.com/ | grep title | sha1sum</match>
>>>   <check_diff />
>>>   <description>Change detected on http://siteA.com/.</description>
>>> </rule>
>>> <rule id="100002" level="10">
>>>   <if_sid>530</if_sid>
>>>   <match>ossec: output: 'curl http://siteB.com/ | grep title | sha1sum</match>
>>>   <check_diff />
>>>   <description>Change detected on http://siteB.com/.</description>
>>> </rule>
>>
>> Thank you
>>
>

--
---
You received this message
because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
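The behaviour reported in this thread (rule 100001 firing for both commands), modelled as an added example that is not part of the thread and not OSSEC's own code. OSSEC's `<match>` pattern type (sregex) treats `|` as an OR between alternatives, so the posted pattern `ossec: output: 'curl http://siteA.com/ | grep title | sha1sum` is really three alternatives, `ossec: output: 'curl http://siteA.com/ `, ` grep title ` and ` sha1sum`, and the second one is present in the siteB output too; OSSEC then stops at the first child rule of 530 that matches. The `os_match` function below is a simplified model of that syntax (case-insensitive substring, `|`, `^` and `$` only; that the real engine needs nothing more for this case is an assumption). `FIXED_RULES` are shortened patterns that contain no `|`; they assume the match string is a verbatim prefix of the command as it appears in the alert, which is why the siteB pattern has no trailing slash (the alerts above show that command without one). The alert lines are constructed from the two shown above. The code also flags the siteA digest, which is the SHA-1 of empty input, meaning `curl ... | grep title` produced no output at all for that site.

```python
"""Added example (not OSSEC code, not from the thread): why rule 100001 fires
for both full_command outputs, and what the alerts' digests say.

Assumption: OSSEC's <match> (sregex) is modelled as a case-insensitive
substring match where '|' separates alternatives and '^' / '$' anchor the
start / end of the log. The real engine has more syntax than this.
"""
import hashlib
import json

# sha1sum of empty input. Seeing it in an alert means 'curl ... | grep title'
# produced no output, so nothing about the page was actually hashed.
EMPTY_SHA1 = hashlib.sha1(b"").hexdigest()


def os_match(pattern, text):
    """Simplified OSSEC sregex: true if any '|'-separated alternative matches."""
    text = text.lower()
    for alt in pattern.lower().split("|"):
        head, tail = alt.startswith("^"), alt.endswith("$")
        body = alt[1 if head else 0:len(alt) - 1 if tail else len(alt)]
        if head and tail:
            hit = text == body
        elif head:
            hit = text.startswith(body)
        elif tail:
            hit = text.endswith(body)
        else:
            hit = body in text
        if hit:
            return True
    return False


def first_matching_rule(rules, full_log):
    """OSSEC stops at the first child rule of 530 that matches; with both
    rules at the same level, that is the order they appear in the file."""
    for rule_id, pattern in rules.items():
        if os_match(pattern, full_log):
            return rule_id
    return None


# The <match> strings exactly as posted. Each '|' becomes an OR, so the
# alternative ' grep title ' is present in both rules and matches every
# full_command log, whichever site produced it.
POSTED_RULES = {
    100001: "ossec: output: 'curl http://siteA.com/ | grep title | sha1sum",
    100002: "ossec: output: 'curl http://siteB.com/ | grep title | sha1sum",
}

# Shortened patterns with no '|'. They must be a verbatim prefix of the
# command as it appears in the alert; the siteB alerts show the command
# without a trailing slash, so that pattern omits it (assumption).
FIXED_RULES = {
    100001: "ossec: output: 'curl http://siteA.com/",
    100002: "ossec: output: 'curl http://siteB.com",
}

# Constructed alerts.json lines, modelled on the two shown in the thread.
ALERTS = [
    r'''{"rule":{"level":3,"comment":"Change detected on http://siteA.com/.","sidid":100001,"firedtimes":7,"groups":["local","syslog"]},"full_log":"ossec: output: 'curl http://siteA.com/ | grep title | sha1sum':\nda39a3ee5e6b4b0d3255bfef95601890afd80709  -","decoder":{"name":"ossec"},"hostname":"mx","timestamp":"2016 Aug 12 16:26:34","location":"curl http://siteA.com/ | grep title | sha1sum"}''',
    r'''{"rule":{"level":3,"comment":"Change detected on http://siteA.com/.","sidid":100001,"firedtimes":8,"groups":["local","syslog"]},"full_log":"ossec: output: 'curl http://siteB.com | grep title | sha1sum':\n4eb7d4cc1b4bf5a7aff57b0502e091944d3e4252  -","decoder":{"name":"ossec"},"hostname":"mx","timestamp":"2016 Aug 12 16:26:34","location":"curl http://siteB.com | grep title | sha1sum"}''',
]


def diagnose(alert_lines=ALERTS):
    """For each alert: which rule fired, which rule each pattern set would
    select for that log, and whether the digest is the empty-input hash."""
    report = []
    for line in alert_lines:
        alert = json.loads(line)
        full_log = alert["full_log"]
        # full_command output sits after the newline: "<sha1>  -"
        digest = full_log.split("\n", 1)[1].split()[0]
        report.append({
            "location": alert["location"],
            "fired": alert["rule"]["sidid"],
            "posted_rules_select": first_matching_rule(POSTED_RULES, full_log),
            "fixed_rules_select": first_matching_rule(FIXED_RULES, full_log),
            "empty_output": digest == EMPTY_SHA1,
        })
    return report


if __name__ == "__main__":
    for row in diagnose():
        print(row)
```

Running it shows the posted patterns selecting 100001 for both alerts while the shortened patterns select 100001 for siteA and 100002 for siteB; it also reports `empty_output: True` for siteA, so that check should be verified with `curl -L` or a different `grep` target before the hash is trusted as a baseline. The same point can be confirmed against the real engine by feeding one of the `full_log` lines to /var/ossec/bin/ossec-logtest.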
