On Fri, Aug 13, 2010 at 6:17 AM, [email protected]
<[email protected]> wrote:
> Hi OSSEC Lovers,
>
> Is there any way to monitor and get all service alerts of the Linux box
> as mail?
>
> For example:
>
> service httpd start/stop/restart
> or /etc/init.d/httpd start/stop/restart
>
> Thank you in advance
>
> Regards,
> Anoop Mohan
I don't think 'service' logs its usage. You could add a line to output
a log to the logger application in the init scripts, or you could
figure out the logs from the service and make sure there are rules for
those.
For example, the following lines from my apache error_log file are a
startup and a shutdown.
[Tue Oct 13 12:47:19 2009] [notice] Apache configured -- resuming normal operations
[Tue Oct 13 12:47:27 2009] [notice] caught SIGTERM, shutting down
Feeding the first one through ossec-logtest gives me the following:
# /var/ossec/bin/ossec-logtest
ossec-testrule: Type one log per line.
[Tue Oct 13 12:47:19 2009] [notice] Apache configured -- resuming normal operations

**Phase 1: Completed pre-decoding.
       full event: '[Tue Oct 13 12:47:19 2009] [notice] Apache configured -- resuming normal operations'
       hostname: 'ix'
       program_name: '(null)'
       log: '[notice] Apache configured -- resuming normal operations'

**Phase 2: Completed decoding.
       decoder: 'apache-errorlog'

**Phase 3: Completed filtering (rules).
       Rule id: '30103'
       Level: '0'
       Description: 'Apache notice messages grouped.'
So there is NO rule for an apache startup (or at least this startup
message). And the shutdown message gives me roughly the same output.
The following rule would give you an alert (after replacing the stuff
in CAPS with appropriate values) when apache starts up:
<!-- Local (custom) rule ids must fall in the 100000-119999 range OSSEC reserves for them -->
<rule id="SOME_NUMBER_HERE" level="WHATEVER_LEVEL_YOU_WANT">
  <!-- Chain from the stock rule that grouped the [notice] line above -->
  <if_sid>30103</if_sid>
  <match>Apache configured -- resuming normal operations</match>
  <description>Apache started.</description>
</rule>
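As an added example that is not part of the original thread, the script below renders a ready-to-paste `local_rules.xml` group containing both the startup rule shown above and a matching shutdown rule for the `caught SIGTERM` line, then emulates (in a deliberately simplified way) the three ossec-logtest phases so you can see which rule would fire for each sample line. The rule ids 100001 and 100002, the level 5, the group name and the four sample log lines are all assumptions made for this example; the parent rule 30103 and the two Apache messages come from the thread.

```python
"""Added example (not from the original thread or the OSSEC project): render
OSSEC local rules for Apache start/stop and emulate how ossec-logtest chains
them under the stock rule 30103. Rule ids 100001/100002 are assumptions chosen
from the 100000-119999 range OSSEC reserves for local rules."""
import re
from xml.sax.saxutils import escape

# Stock OSSEC rule the thread shows firing (level 0) for Apache [notice] lines.
PARENT_SID = 30103

# Child rules to add to /var/ossec/rules/local_rules.xml (ids/levels assumed).
LOCAL_RULES = [
    {"id": 100001, "level": 5,
     "match": "Apache configured -- resuming normal operations",
     "description": "Apache started."},
    {"id": 100002, "level": 5,
     "match": "caught SIGTERM, shutting down",
     "description": "Apache stopped."},
]


def render_local_rules(rules, parent_sid=PARENT_SID):
    """Emit the <group> block OSSEC expects in local_rules.xml."""
    lines = ['<group name="local,apache,">']
    for r in rules:
        lines += [
            '  <rule id="%d" level="%d">' % (r["id"], r["level"]),
            '    <if_sid>%d</if_sid>' % parent_sid,
            '    <match>%s</match>' % escape(r["match"]),
            '    <description>%s</description>' % escape(r["description"]),
            '  </rule>',
        ]
    lines.append('</group>')
    return "\n".join(lines) + "\n"


# Phase 1/2 emulation: strip the leading "[date]" and split "[level] message",
# which is what the apache-errorlog decoder sees in the thread's output.
APACHE_ERRORLOG = re.compile(r"^\[[^\]]+\] \[(?P<level>\w+)\] (?P<msg>.*)$")


def evaluate(line, rules=LOCAL_RULES):
    """Return (rule_id, level, description) for one error_log line, or None
    when the line is not an Apache [notice] grouped by 30103 (simplified:
    real OSSEC has other rules for [error] lines, which are ignored here)."""
    m = APACHE_ERRORLOG.match(line)
    if not m or m.group("level") != "notice":
        return None
    # Parent rule 30103 matched: level 0, so no alert on its own.
    result = (PARENT_SID, 0, "Apache notice messages grouped.")
    # Children with <if_sid>30103</if_sid>: <match> here is a plain substring
    # test (the OSSEC pattern syntax has no special characters in these strings).
    for r in rules:
        if r["match"] in m.group("msg"):
            return (r["id"], r["level"], r["description"])
    return result


if __name__ == "__main__":
    # Constructed sample lines, modelled on the two quoted in the thread.
    samples = [
        "[Tue Oct 13 12:47:19 2009] [notice] Apache configured -- resuming normal operations",
        "[Tue Oct 13 12:47:27 2009] [notice] caught SIGTERM, shutting down",
        "[Tue Oct 13 12:50:00 2009] [notice] Graceful restart requested, doing restart",
        "[Tue Oct 13 12:51:00 2009] [error] [client 10.0.0.5] File does not exist: /var/www/html/favicon.ico",
    ]
    print(render_local_rules(LOCAL_RULES))
    for s in samples:
        print(s, "->", evaluate(s))
```

Two checks worth doing on a real box before trusting the alert: confirm the error_log is actually being read (an `<localfile>` entry in ossec.conf with `<log_format>apache</log_format>` and the path to error_log), and feed each sample line to `/var/ossec/bin/ossec-logtest` after restarting OSSEC to see the new rule id appear in Phase 3 instead of 30103. The emulation above only covers `[notice]` lines chained under 30103; it says nothing about how OSSEC handles other Apache log levels.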