Only exact values, unfortunately. That type of logic will need to be in the script, rather than the alert. Maybe set it up to output error message 1 if space used is below a safe threshold, and a second error message if the value >= that threshold.
Frankly, OSSEC probably isn't the best place to be doing this checking. Something like Nagios is much better suited for the task.

On Thu, Sep 30, 2010 at 8:14 AM, smokey <dean.borst...@gmail.com> wrote:
> Here is one simple script which does almost the same as wmic.
>
> cscript checkfreespace.vbs and you can even send the output to a log
> file for Ossec.
> You can manipulate with values to get "%" of used space.
>
> But will ossec trigger alarm if the used space jumps from, let say,
> 66% to 79% and when next time scripts executes it jumps to 81%
> In Ossec rule you have specified to 80% of used space, does regex
> recognize only exact values or can be used with " > < =" operators?
>
>
> script:
> ---
>
> Sub GetFreeSpace(Drive)
>     strComputer = "."
>     Set objWMIService = GetObject( _
>         "winmgmts:\\" & strComputer & "\root\cimv2")
>     Set colItems = objWMIService.ExecQuery _
>         ("Select * From Win32_LogicalDisk Where DeviceID = '" & Drive & "'")
>
>     For Each objItem in colItems
>         intFreeSpace = objItem.FreeSpace
>         intSize = objItem.Size
>
>     Next
>
>     If Drive="C:" Then
>         PartCFree = intFreeSpace
>         PartCSize = intSize
>     End If
>
>     If Drive="E:" Then
>         PartEFree = intFreeSpace
>         PartESize = intSize
>     End If
>
>     If Drive="F:" Then
>         PartFFree = intFreeSpace
>         PartFSize = intSize
>     End If
>
> End Sub
> -
> d
>
> On Sep 29, 6:36 pm, Rich Rumble <richrum...@gmail.com> wrote:
>> powershell isn't as universal as wmi, so I chose wmic (the cli
>> installed on xp on up)
>> ps isn't part of XP by default.
>> fsutil is native I believe from xp on up.
>>
>> -rich
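
The approach suggested in the reply at the top of this thread (do the comparison in the script and emit one of two fixed messages), sketched as an added example that is not code from any of the posters. The 80% threshold comes from the question; the log path and the `DISKCHECK` message strings are assumptions.

```vbscript
' Added example: the threshold comparison happens here, so the OSSEC rule
' only has to match a fixed string rather than compare numbers.
Option Explicit

Const THRESHOLD_PCT = 80                    ' limit taken from the 80% example in the thread
Const LOG_PATH = "C:\ossec-diskcheck.log"   ' hypothetical file that OSSEC is set to monitor
Const FOR_APPENDING = 8

Dim objWMIService, colItems, objItem, objFSO, objLog
Dim dblSize, dblFree, intUsedPct, strState

Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
' DriveType = 3 restricts the query to local fixed disks
Set colItems = objWMIService.ExecQuery( _
    "Select DeviceID, FreeSpace, Size From Win32_LogicalDisk Where DriveType = 3")

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objLog = objFSO.OpenTextFile(LOG_PATH, FOR_APPENDING, True)

For Each objItem In colItems
    ' Size/FreeSpace are Null for volumes WMI cannot read; skip those
    If Not IsNull(objItem.Size) And Not IsNull(objItem.FreeSpace) Then
        dblSize = CDbl(objItem.Size)        ' uint64 properties arrive as strings
        dblFree = CDbl(objItem.FreeSpace)
        If dblSize > 0 Then
            intUsedPct = Int(((dblSize - dblFree) / dblSize) * 100)
            ' Exactly two possible messages: one below the limit, one at or above it
            If intUsedPct >= THRESHOLD_PCT Then
                strState = "DISKCHECK CRITICAL"
            Else
                strState = "DISKCHECK OK"
            End If
            objLog.WriteLine Now & " " & strState & " drive=" & objItem.DeviceID & _
                " used=" & intUsedPct & "%"
        End If
    End If
Next

objLog.Close
```

An OSSEC rule then only needs to match the literal string `DISKCHECK CRITICAL`, so a jump from 79% to 81% alerts without any numeric comparison in the rule.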