Perhaps a script in PowerShell or something would be appropriate for
this? I don't have the skills to do it, but I'd definitely promote any
attempts to get this working.

A script combined with the full_command option in OSSEC could probably
make this work, I just don't know how easy something like this would
be to script on Windows.

On Wed, Sep 29, 2010 at 11:49 AM, Jefferson, Shawn
<shawn.jeffer...@bcferries.com> wrote:
> Or
>
> fsutil volume diskfree C:
>
> Total # of free bytes        : 18446315520
> Total # of bytes             : 80023715840
> Total # of avail free bytes  : 18446315520
>
> Still you would need to parse the results and perform some calculations.
>
> -----Original Message-----
> From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On 
> Behalf Of Rich Rumble
> Sent: Wednesday, September 29, 2010 6:20 AM
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] How to Configure ossec to alert when the file 
> system is 80% full
>
> wmic logicaldisk where name="c:" get freespace, size
> Then you'd have to compare the results...
>
> The output looks like this:
> C:\>wmic logicaldisk where name="c:" get freespace, size
> FreeSpace    Size
> 16238436352  80024170496
>
> If C: isn't the proper system root, then try
>
> wmic logicaldisk where name="%systemdrive%" get freespace, size
>
> From that point I don't know how to get OSSEC to parse the data
> but it's the easiest method I can think of to grab the data.
> -rich
>
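
One way to do the parse-and-calculate step the thread leaves open, as an added example that is not code from any of the posters: a PowerShell script that reads the same Win32_LogicalDisk values that `wmic logicaldisk` prints and emits one line per fixed disk for a log rule to match. The function names, the `-SelfTest` switch and the `DISK_USAGE_*` markers are assumptions made for illustration.

```powershell
# Added example, not from the thread. The DISK_USAGE_* markers are hypothetical
# strings chosen so that a log-analysis rule has something fixed to match on.
param(
    [int]$ThresholdPercent = 80,   # the 80% figure from the thread subject
    [switch]$SelfTest              # run on the figures quoted in the thread
)

function Get-PercentUsed {
    param([uint64]$FreeSpace, [uint64]$Size)
    # Drives without media report no size ($null binds as 0): nothing to compute.
    if ($Size -eq 0 -or $FreeSpace -gt $Size) { return $null }
    return [math]::Round(([double]($Size - $FreeSpace) / [double]$Size) * 100, 1)
}

function Format-DiskLine {
    param([string]$Name, [uint64]$FreeSpace, [uint64]$Size, [int]$Threshold)
    $pct = Get-PercentUsed -FreeSpace $FreeSpace -Size $Size
    if ($null -eq $pct) { return "DISK_USAGE_SKIP drive=$Name reason=no_size" }
    $tag = if ($pct -ge $Threshold) { 'DISK_USAGE_ALERT' } else { 'DISK_USAGE_OK' }
    return "$tag drive=$Name used_pct=$pct threshold=$Threshold free_bytes=$FreeSpace"
}

if ($SelfTest) {
    # Constructed input: the FreeSpace/Size pairs shown in the wmic and fsutil output above.
    Format-DiskLine -Name 'sample-wmic'   -FreeSpace 16238436352 -Size 80024170496 -Threshold $ThresholdPercent
    Format-DiskLine -Name 'sample-fsutil' -FreeSpace 18446315520 -Size 80023715840 -Threshold $ThresholdPercent
    return
}

# Live data. DriveType 3 is a local fixed disk, which leaves out network shares
# and removable media. Get-CimInstance needs PowerShell 3.0 or later; on older
# hosts Get-WmiObject takes the same -Filter against the same class.
Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object {
    Format-DiskLine -Name $_.DeviceID -FreeSpace $_.FreeSpace -Size $_.Size -Threshold $ThresholdPercent
}
```

The script only produces the output lines; running it from a `full_command` entry and writing the rule that matches `DISK_USAGE_ALERT` is left to the local OSSEC configuration.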
