OSSEC can monitor more than just logfiles; it can also monitor the output of commands. OSSEC can leverage its log analysis engine using rules and decoders to alert when a command outputs a certain string. OSSEC can also leverage its file integrity monitoring facilities to alert when the output of a command changes from the previous run. We'll look at a few examples where this might be useful.
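An added example, not from this page or the OSSEC project's own files, showing both capabilities: a string match on per-line command output and a change alert on whole-output monitoring, configured in ossec.conf with matching custom rules in local_rules.xml. The rule ids, the 360-second frequency and the listening-ports alias are chosen values; rule 530 is the stock OSSEC parent rule for "ossec: output:" entries.

```xml
<!-- ossec.conf (agent or local install): collect command output as log entries -->
<ossec_config>
  <localfile>
    <!-- "command": every line of output is analyzed as its own log entry -->
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>   <!-- seconds between runs (chosen value) -->
  </localfile>

  <localfile>
    <!-- "full_command": the whole output is one log entry, so a rule can
         diff it against the previous run with check_diff -->
    <log_format>full_command</log_format>
    <command>netstat -tln | sort</command>
    <alias>listening-ports</alias>   <!-- replaces the command text in the log prefix -->
    <frequency>360</frequency>
  </localfile>
</ossec_config>

<!-- local_rules.xml: custom rules chained under stock rule 530 -->
<group name="local,command_monitoring,">
  <!-- alert when a df line reports a full filesystem -->
  <rule id="100100" level="7" ignore="7200">
    <if_sid>530</if_sid>
    <match>ossec: output: 'df -P'</match>
    <regex>100%</regex>
    <description>A filesystem is full (df output matched 100%).</description>
  </rule>

  <!-- alert only when the listening-port set differs from the last run -->
  <rule id="100101" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'listening-ports'</match>
    <check_diff />
    <description>Set of listening TCP ports changed since the previous run.</description>
  </rule>
</group>
```

With the command variant OSSEC prefixes each output line with `ossec: output: 'command': `, so rules match on that prefix plus the line; with full_command, check_diff compares the entire captured output to the stored copy from the previous run and fires only when it changes.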
OSSEC treats command output as log entries. OSSEC has two options for command monitoring: command and full_command. The difference is how OSSEC handles the output. When using the command variation, every line of output is treated as an individual log entry and analyzed independently. When using the