I want to collect only the latest logs for "bash_history"

[blueack]

I will import the bash_history of the server with wazuh 'localfile'

I need to do is create an alert for every new line in the bash_history file

Decoder, rule, agent.conf and localfile settings are complete
But you don't just get the last log, you receive the entire log
I want is there a way to get only the latest logs

■ ■ agent.conf
<localfile>
<location>/root/.bash_history</location>
<log_format>syslog</log_format>
<out_format>$(timestamp) $(hostname) history: $(log)</out_format>
</localfile>

■ ■ local_rules.xml
<group name="history,">
<rule id="100010" level="3">
<decoded_as>history</decoded_as>
<description>history command</description>
</rule>
</group>

■ ■ local_decoder.xml
<decoder name="history">
<program_name>history</program_name>
</decoder>

[Juan Nicolás Asselle (Nico Asselle)]

Hi blueack,

By default, `localfiles` blocks start by going to the end of the file, reading and sending incoming new lines in real-time. In case you want to keep track of the last read line in case the wazuh agent stops, `only-future-events` feature https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#only-future-events.

But you mention that this is not happening. This is so? Could you give us an example of use?

Regards,

Nico