For those that might come across the same issue - I was actually able to resolve this.

I noticed that the STORE now was being sent before the ssh banner was displayed and this was capturing the last login timestamp. So on my first attempt I changed my spawn to

    spawn ssh -q $hostname

This was OK for most of the servers, however some were still showing mixed outputs. The STORE now was still being shown at different output stages when a banner and motd are used. This seemed random - so I guessed that the terminal was responding at different speeds to the spawn session. Adding a sleep immediately after the spawn resolved this.

    spawn ssh -q $hostname
    sleep 2

Here is the full ssh_generic_diff script with the simple changes:

    # Main script
    source "agentless/main.exp"

    # SSH to the box and pass the directories to check
    if [catch {
        # -q keeps ssh quiet; the sleep lets any banner/motd arrive first
        spawn ssh -q $hostname
        sleep 2
    } loc_error] {
        send_user "ERROR: Opening connection: $loc_error.\n"
        exit 1;
    }

    source $sshsrc
    source $susrc

    set timeout 300
    send_user "INFO: Starting.\n"
    # Everything printed after this marker is stored and diffed
    send_user "\nSTORE: now\n"
    send "$args\r"
    send "exit\r"

    expect {
        timeout {
            send_user "ERROR: Timeout while running commands on host: $hostname .\n"
            exit 1;
        }
        eof {
            send_user "\nINFO: Finished.\n"
            exit 0;
        }
    }

    exit 0;

On Monday, 4 June 2018 20:12:31 UTC+1, Mike wrote:
> Can anyone advise me on how to stop ssh_generic_diff from processing the
> lastlogin banner?
>
> ossec: agentless: Change detected:
> 3c3
> < Last login: Mon Jun 4 17:40:43 2018 from 192.168.10.2
> ---
> > Last login: Mon Jun 4 19:02:20 2018 from 192.168.10.2
>
> Why does ssh_generic_diff process the login banner instead of only the
> command I pass as an argument?
>
> Thanks.
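An alternative to the fixed sleep, as an added example that is not part of the original post or of OSSEC's own scripts: wait for a sentinel echoed by the remote shell, so that banner and motd output is consumed before "STORE: now" is printed, however slow the host is. The marker name, the local sh stand-in for "ssh -q $hostname" (with a constructed delayed banner) and the uname command standing in for $args are assumptions made so the script runs offline.

```tcl
#!/usr/bin/env expect
# Added example: synchronise on a sentinel instead of sleeping a fixed time.
set timeout 30

# Stand-in for "spawn ssh -q $hostname": a local shell that prints a
# constructed "Last login" banner after a delay, like a slow server would.
if [catch {
    spawn sh -c {sleep 1; echo "Last login: Mon Jun 4 19:02:20 2018 from 192.168.10.2"; exec sh}
} loc_error] {
    send_user "ERROR: Opening connection: $loc_error.\n"
    exit 1
}

# Hypothetical marker; it only has to be unlikely to appear in a banner.
set marker "OSSEC_SYNC_[pid]"
send "echo $marker\r"

# The terminal echo of the typed command reads "echo <marker>", so requiring
# the marker at the start of a line matches only the command's real output.
# All output read while waiting (banner, motd, prompt) is copied to stdout
# here, which is before the STORE marker is printed below.
expect {
    -re "\[\r\n\]$marker\r?\n" { }
    timeout {
        send_user "ERROR: Timeout waiting for the remote shell.\n"
        exit 1
    }
    eof {
        send_user "ERROR: Connection closed before the shell was ready.\n"
        exit 1
    }
}

send_user "\nSTORE: now\n"
send "uname -s\r"    ;# stand-in for "$args\r"
send "exit\r"

expect {
    timeout {
        send_user "ERROR: Timeout while running commands.\n"
        exit 1
    }
    eof {
        send_user "\nINFO: Finished.\n"
        exit 0
    }
}
```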