Yes, it is even included in the default rules already:

<rule id="531" level="7" ignore="7200">
  <if_sid>530</if_sid>
  <match>ossec: output: 'df -h': /dev/</match>
  <regex>100%</regex>
  <description>Partition usage reached 100% (disk space monitor).</description>
  <group>low_diskspace,</group>
</rule>
You just have to override it and change from 100% to 80%.

Thanks,

On Tue, Sep 28, 2010 at 11:01 AM, dan (ddp) <ddp...@gmail.com> wrote:
> On Tue, Sep 28, 2010 at 9:37 AM, William Maddler <n...@maddler.net> wrote:
>> On 28/09/2010 15:16, George Ochola wrote:
>>> Hi all
>>>
>>> How do I configure OSSEC to send an alert when a Unix file system is maybe
>>> 80% full, as opposed to the alert sent when the file system is full?
>>>
>>> I need to clear the file system before it reaches the 100% mark.
>>>
>>> Kind Regards
>>>
>>> George O.
>>
>> Hello, not sure this can be achieved using Ossec. You could use a
>> cronjob with a script like:
>>
>> #!/bin/sh
>> PART="sda2"
>> MAX=80
>> # Use% column of df for the partition, without the trailing percent sign
>> USED=`df -h | grep $PART | gawk '{print $5}' | sed "s/%//"`
>>
>> if [ "$USED" -gt "$MAX" ]; then
>>     echo "Filesystem occupation on $PART > than $MAX" >> /var/log/diskcheck
>> fi
>>
>> And create a rule to handle such an alert.
>>
>> Hope it helps.
>>
>> William
>
> The full_command option should be able to help with this:
> http://www.ossec.net/dcid/?p=198
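As an added example (not code from the thread or from OSSEC), here is a cron-style variant of William's script that generalises it: it checks every mounted filesystem against a threshold instead of grepping one partition by name, and it parses `df -P` (POSIX single-line output) so wrapped device names cannot shift the Use% column. The log path, the THRESHOLD variable and the sample df output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: flag every filesystem at or above a usage threshold.
# Uses `df -P` rather than `df -h` so each filesystem stays on one line.

THRESHOLD="${THRESHOLD:-80}"          # percent used that triggers a log line
LOGFILE="${LOGFILE:-/var/log/diskcheck}"   # assumed path, as in the thread

# Reads df -P output on stdin and prints "<mountpoint> <use%>" for every
# filesystem whose Use% (column 5) is >= $1. The header line is skipped and
# non-numeric Use% fields (e.g. "-" on some pseudo filesystems) are ignored.
filesystems_over() {
    awk -v max="$1" 'NR > 1 && $5 ~ /^[0-9]+%$/ {
        pct = $5
        sub(/%/, "", pct)
        if (pct + 0 >= max + 0) print $6, $5
    }'
}

# Constructed sample of `df -P` output so the check can be exercised offline.
SAMPLE_DF='Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/sda1         20511356 17434652   2011356      90% /
/dev/sda2        102685624 51342812  46104812      53% /home
tmpfs              4096000     1024   4094976       1% /run
/dev/sdb1        512000000 512000000        0     100% /var/log'

# Runs the check against the live system and appends one timestamped line
# per offending filesystem; an OSSEC rule can then watch $LOGFILE.
check_live() {
    df -P | filesystems_over "$THRESHOLD" | while read -r mnt pct; do
        echo "$(date '+%Y-%m-%d %H:%M:%S') filesystem $mnt at $pct (threshold ${THRESHOLD}%)"
    done >> "$LOGFILE"
}

# Default run shows the result on the constructed sample; pass --live to
# check the real system (writes to $LOGFILE, so run it from cron as root).
case "${1:-}" in
    --live) check_live ;;
    *) printf '%s\n' "$SAMPLE_DF" | filesystems_over "$THRESHOLD" ;;
esac
```

With the sample data and the default 80% threshold it reports `/ 90%` and `/var/log 100%`; lowering THRESHOLD or raising it to 100 changes which lines appear.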