On Tue, 11 Dec 2012 10:39:19 -0400 Daniel Cid <daniel....@gmail.com> wrote:
> Hi Brenden,
>
> In your initial rule, the match syntax was wrong:
>
> <match>ossec: output: 'wget -o /dev/null -O -
> http\//www.unruleable.org/blog/ | sha1sum'</match>
>
> OSSEC was actually looking for the string sha1sum OR the command
> output name ( | sha1sum we treat as a
> separator).

Ah, I see...

> As for the key, we use the rule id as the storage key, so you would
> need a different rule for each
> one of those sites.

Thanks, I believe I based my work off an article you wrote. One thing for sure, http:// is not right as it ends up logging as http\//

Thanks for the details, I think I'm in business now. Aliases really help with this as it makes the match simpler, I think.
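
The setup this exchange converges on, sketched as an added example that is not part of either poster's message: each monitored site gets its own aliased command and its own rule. The URLs, alias names, rule ids, level and frequency are constructed placeholders.

```xml
<!-- ossec.conf (agent): one command per site, each with its own alias.
     URLs and alias names are constructed placeholders. -->
<localfile>
  <log_format>full_command</log_format>
  <command>wget -o /dev/null -O - https://site-a.example/ | sha1sum</command>
  <alias>site-a-sha1</alias>
  <frequency>3600</frequency>
</localfile>

<localfile>
  <log_format>full_command</log_format>
  <command>wget -o /dev/null -O - https://site-b.example/ | sha1sum</command>
  <alias>site-b-sha1</alias>
  <frequency>3600</frequency>
</localfile>

<!-- local_rules.xml (manager): rule ids are constructed; 530 is the stock
     parent rule for "ossec: output:" events. -->
<group name="local,web_change,">
  <!-- Matching the alias keeps "|" out of <match>, where it would be
       read as OR rather than as a literal pipe. -->
  <rule id="100100" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'site-a-sha1'</match>
    <check_diff />
    <description>Content hash of site-a changed.</description>
  </rule>

  <!-- Separate rule id, so this site's previous output is stored
       under its own key and is not compared against site-a's. -->
  <rule id="100101" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'site-b-sha1'</match>
    <check_diff />
    <description>Content hash of site-b changed.</description>
  </rule>
</group>
```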