To take it a step further, set up the alert (this may or may not work -
haven't tested it... you may have to tweak some things):

  <rule id="300000" level="15">
    <if_sid>530</if_sid>
    <!-- the quoted command must be exactly the <command> string from the localfile entry -->
    <match>ossec: output: '/sbin/ethtool eth0 | grep Link':</match>
    <regex>Link detected: no</regex>
    <description>Eth link down</description>
  </rule>


On Wed, Sep 7, 2011 at 11:42 AM, Jeremy Lee <[email protected]> wrote:

> And just make sure you use the full path of the command, to be safe. So if
> it's ethtool - /sbin/ethtool or /usr/sbin/ethtool or whatever
>
> It should look something like this:
>
>   <localfile>
>     <log_format>full_command</log_format>
>     <command>/sbin/ethtool eth0 | grep Link</command>
>   </localfile>
>
> On Wed, Sep 7, 2011 at 11:40 AM, Jeremy Lee <[email protected]> wrote:
>
>> You wouldn't actually use "sudo" when specifying in the full_command
>> directive. OSSEC will run as root, so all you have to do is put the command
>> itself in and it will work.
>>
>>
>> On Wed, Sep 7, 2011 at 11:34 AM, Eero Volotinen <[email protected]> wrote:
>>
>>> 2011/9/7 Jeremy Lee <[email protected]>:
>>> > Your intention, though, is to essentially alert you when the link
>>> > status changes, no? full_command works very well for this purpose. Otherwise,
>>> > if you can figure out how to do it with the log file, by all means...
>>>
>>> Yes, it's important to detect when links go down, up or flap up and
>>> down. Anyway, using sudo to run a command without a password looks like a
>>> bit of an insecure solution.
>>>
>>> --
>>> Eero
>>>
>>
>>
>

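As an added illustration (not part of this thread and not OSSEC's own code), the script below emulates what the thread describes: the line an agent forwards for a full_command entry, the rule's <match> substring test followed by its <regex>, and why the command string in the rule has to agree exactly with the <command> in the localfile entry. The log lines are constructed samples, and Python's re stands in for OSSEC's own regex engine, which behaves the same for these literal patterns.

```python
import re

# Constructed example (not OSSEC code): emulate how OSSEC turns a
# full_command localfile entry into a log line and how a rule built from
# <match> and <regex> evaluates that line.

RULE = {
    "id": 300000,
    "level": 15,
    "match": "ossec: output: '/sbin/ethtool eth0 | grep Link':",
    "regex": "Link detected: no",
    "description": "Eth link down",
}


def full_command_log_line(command, output):
    """Shape of the line the agent sends for <log_format>full_command</log_format>."""
    return f"ossec: output: '{command}': {output}"


def rule_matches(rule, line):
    """<match> is a plain substring test; <regex> is applied only if it passes."""
    if rule["match"] not in line:
        return False
    return re.search(rule["regex"], line) is not None


def evaluate(lines):
    """Return (rule id, description) for every line the rule fires on."""
    return [(RULE["id"], RULE["description"])
            for line in lines if rule_matches(RULE, line)]


def link_transitions(lines):
    """Report only changes of link state (up->down, down->up): with a
    flapping or long-dead link the plain rule fires on every run, whereas
    a transition list gives one event per change."""
    state = None
    events = []
    for line in lines:
        if RULE["match"] not in line:
            continue
        now = "down" if re.search(r"Link detected: no", line) else "up"
        if state is not None and now != state:
            events.append((state, now))
        state = now
    return events


# Constructed samples of what the agent would forward on successive runs.
SAMPLE_LINES = [
    full_command_log_line("/sbin/ethtool eth0 | grep Link", "\tLink detected: yes"),
    full_command_log_line("/sbin/ethtool eth0 | grep Link", "\tLink detected: no"),
    full_command_log_line("/sbin/ethtool eth0 | grep Link", "\tLink detected: no"),
    # Same output, but the command was configured without the full path:
    # the <match> string no longer agrees with <command>, so the rule is silent.
    full_command_log_line("ethtool eth0 | grep Link", "\tLink detected: no"),
    full_command_log_line("/sbin/ethtool eth0 | grep Link", "\tLink detected: yes"),
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("ALERT" if rule_matches(RULE, line) else "     ", line)
    print("transitions:", link_transitions(SAMPLE_LINES))
```

Run as-is it flags the two "Link detected: no" lines that carry the full-path command and stays quiet on the fourth line, which is the mismatch Jeremy warns about. The transition list is the behaviour to aim for if every scheduled run of a down link should not raise a fresh level-15 alert; in OSSEC rule terms that is what the `<check_diff />` option on a command-output rule is for.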