Hi Artien,

The rule should be in local_rules.xml (and don't forget to restart
OSSEC after placing it there).

Looks like the output of the command says "load average" (no 's'), but
the rule is trying to match "load averages" (with an 's').

Please try changing the rule to match the command output (and don't
forget to restart OSSEC).

I've got some other examples here which you may be interested in:
http://securityonion.blogspot.com/2011/11/how-do-i-receive-email-when-my-sensor.html
http://securityonion.blogspot.com/2011/11/follow-up-on-ossec-alerts-for-packet.html

Hope that helps!

Thanks,
-- 
Doug Burks, GSE, CISSP | http://securityonion.blogspot.com
President, Greater Augusta ISSA | http://augusta.issa.org

On Mon, Nov 21, 2011 at 5:17 AM, Artien Bel <[email protected]> wrote:
> Hello,
>
> As a test to replace our application and server monitoring software, I am 
> checking out OSSEC. I run at the moment a server/agent installation on 2 VMs 
> with CentOS 5.6 and this works rather well. I do run into some issues, though, 
> which I can't seem to resolve by trying mindlessly, reading the documentation and 
> searching the mailing list.
>
> 1. I created an "uptime" command on the agent and the server, and I see in the 
> log that it runs:
>
> ossec-logcollector: INFO: Monitoring output of command(360):
>  uptime
>
> ossec-logcollector: DEBUG: Running command 'uptime'
> ossec-logcollector: DEBUG: Reading command message: 'ossec: output: 'uptime': 
>  10:30:30 up 7 min,  2 users,  load average: 0.37, 0.65, 0.41'
>
> My issue, though, is that I don't seem to be able to generate an alert from 
> this. I added the rule:
>
> <rule id="100101" level="7" ignore="7200">
>    <if_sid>530</if_sid>
>    <match>ossec: output: "uptime": </match>
>    <regex>load averages:</regex>
>    <description>Load average reached 0..</description>
> </rule>
>
> I tried to add it to both local_rules.xml and ossec_rules.xml (under the df 
> -h rule) but in both cases it did not generate an alert, neither for the agent 
> nor for the server.
>
> Can anyone tell me what I'm doing wrong?
>
> My other question is: can OSSEC do rate detection on its own or will I need 
> something like syslog for that? I want to be able to alert only when event x is 
> triggered more than y times in z interval.
>
> Regards,
>
> Artien
>
>
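Added example, not from either poster: the rule from the quoted message rewritten so that it matches the log line that was actually quoted, plus a second rule that answers the rate-detection question with OSSEC's own frequency/timeframe attributes. Two details differ from the posted rule: the log shows `ossec: output: 'uptime':` in single quotes while the rule used double quotes, and the output says "load average:" without the 's'. The rule ids, the level values, the load threshold of 10 and the frequency/timeframe numbers are my assumptions; rule 530 is OSSEC's stock base rule for `ossec: output:` messages.

```xml
<!-- Goes in /var/ossec/rules/local_rules.xml; restart OSSEC afterwards. -->
<group name="local,">

  <!-- Base rule. The match string reproduces the quoted log line: single quotes
       around the command name and "load average" without an 's'. There is no
       ignore="" attribute, so every matching run of the command is counted by
       rule 100102 below instead of being suppressed for two hours. -->
  <rule id="100101" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'uptime':</match>
    <!-- OSSEC's regex dialect is not PCRE: \d is a digit and \. means ANY
         character, not a literal period. Requiring two digits directly after
         "load average: " only succeeds once the 1-minute load is 10.00 or more
         ("0.37" fails because the second character is the period). -->
    <regex>load average: \d\d</regex>
    <description>1-minute load average is 10 or higher (assumed threshold).</description>
  </rule>

  <!-- Rate rule: fires only when rule 100101 has matched "frequency" times
       within "timeframe" seconds. Assumed values; tune them to the command
       interval, which the quoted log shows as 360 seconds. -->
  <rule id="100102" level="10" frequency="3" timeframe="1800">
    <if_matched_sid>100101</if_matched_sid>
    <description>Load average has stayed at 10 or higher repeatedly within 30 minutes.</description>
  </rule>

</group>
```

Before restarting, a rule can be checked offline with `/var/ossec/bin/ossec-logtest`: paste the quoted line `ossec: output: 'uptime':  10:30:30 up 7 min,  2 users,  load average: 0.37, 0.65, 0.41` and it prints which rule id matched, which shows the quote and "averages" mismatches without waiting for the next command run. If the base rule is meant to alert on its own every time, keep it at a level that is not ignored but drop the ignore attribute, since an ignored match is not available for the frequency count.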
