Hello,
As a test to replace our application and server monitoring software, I am
checking out OSSEC. At the moment I run a server/agent installation on 2 VMs
with CentOS 5.6 and this works rather well. I do run into some issues, though,
that I can't seem to resolve by trying mindlessly, reading the documentation and
searching the mailing list.
1. I created an "uptime" command on the agent and the server, and I see in the
log that it runs:
ossec-logcollector: INFO: Monitoring output of command(360): uptime
ossec-logcollector: DEBUG: Running command 'uptime'
ossec-logcollector: DEBUG: Reading command message: 'ossec: output: 'uptime': 10:30:30 up 7 min, 2 users, load average: 0.37, 0.65, 0.41'
My issue, though, is that I don't seem to be able to generate an alert from
this. I added the rule:
<rule id="100101" level="7" ignore="7200">
  <if_sid>530</if_sid>
  <match>ossec: output: "uptime": </match>
  <regex>load averages:</regex>
  <description>Load average reached 0..</description>
</rule>
I tried to add it to both local_rules.xml and ossec_rules.xml (under the df -h
rule), but in both cases it did not generate an alert, neither for the agent nor
for the server.
Can anyone tell me what I'm doing wrong?
My other question is: can OSSEC do rate detection on its own, or will I need
something like syslog for that? I want to be able to alert only when event x is
triggered more than y times in z interval.
Regards,
Artien
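An added example, not part of Artien's mail and not OSSEC's shipped rule set, illustrating both points of the question: a command-output rule whose `<match>` string is copied from the text ossec-logcollector actually logs (single quotes around the command name, "load average:" singular), and a second rule that uses OSSEC's own `frequency`/`timeframe` attributes with `<if_matched_sid>` to alert only after the first rule has matched several times in a window. Rule id 530 is OSSEC's stock "ossec: output:" parent rule; the ids 100101/100102, the threshold of two leading digits (a 1-minute load of 10 or more) and the 5-in-600-seconds window are assumptions chosen for the example.

```xml
<!-- Added example for local_rules.xml (hypothetical ids 100101 and 100102). -->
<group name="local,syslog,">

  <!-- Base rule: match the literal prefix exactly as ossec-logcollector writes it
       ('uptime' in single quotes), then require two digits right after
       "load average: " in OSSEC's regex syntax (\d = digit), i.e. a 1-minute
       load of 10.00 or higher. A value such as 0.37 has only one digit before
       the dot and does not match. -->
  <rule id="100101" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'uptime': </match>
    <regex>load average: \d\d</regex>
    <description>Load average of 10 or higher reported by uptime.</description>
  </rule>

  <!-- Rate rule: fire only when rule 100101 has matched 5 times within
       600 seconds (both numbers are assumptions for the example). -->
  <rule id="100102" level="10" frequency="5" timeframe="600">
    <if_matched_sid>100101</if_matched_sid>
    <description>Load average stayed at 10 or higher (5 hits within 10 minutes).</description>
  </rule>

</group>
```

The `<match>` element is a plain substring test, so it has to be byte-for-byte identical to the logged prefix; a double quote where the log has a single quote, or "averages" where the log says "average", silently prevents the rule from firing. The base rule deliberately carries no `ignore` attribute: `ignore` suppresses repeat matches of that rule for the given number of seconds, which would also starve a `frequency` rule built on top of it. Test a rule against a sample line with ossec-logtest before relying on it.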