On Tue, Nov 22, 2011 at 2:03 PM, Artien Bel <[email protected]> wrote:
> Hello Doug,
>
> Thank you, sometimes something as obvious as a typo is all that's needed to make
> it frustrating :) On the server it worked by adding:
>
> <group name="ossec,local,">
>   <rule id="100101" level="7" ignore="7200">
>     <if_sid>530</if_sid>
>     <match>ossec: output: 'uptime': </match>
>     <regex>load average:</regex>
>     <description>Load average reached 0..</description>
>   </rule>
> </group>
>
> to local_rules.xml.
>
> Is there a way, however, to get this information from the agent(s) too, or is
> this something that only works on the server/local install/by reading remote
> syslog with a cronjob?
>
> Regards,
>
> Artien
You can add commands to agents by editing their ossec.confs. There is also a way to add them to the agent.conf, but you have to modify internal_options.conf as well (for post-2.6; it'll work out of the box with pre-2.6, and won't work at all with 2.6).

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Doug Burks
> Sent: Tuesday, 22 November 2011 14:53
> To: [email protected]
> Subject: Re: [ossec-list] server-agent response on <command> and another question
>
> Hi Artien,
>
> The rule should be in local_rules.xml (and don't forget to restart OSSEC
> after placing it there).
>
> Looks like the output of the command says "load average" (no 's'), but the
> rule is trying to match "load averages" (with an 's').
>
> Please try changing the rule to match the command output (and don't forget to
> restart OSSEC).
>
> I've got some other examples here which you may be interested in:
> http://securityonion.blogspot.com/2011/11/how-do-i-receive-email-when-my-sensor.html
> http://securityonion.blogspot.com/2011/11/follow-up-on-ossec-alerts-for-packet.html
>
> Hope that helps!
>
> Thanks,
> --
> Doug Burks, GSE, CISSP | http://securityonion.blogspot.com
> President, Greater Augusta ISSA | http://augusta.issa.org
>
> On Mon, Nov 21, 2011 at 5:17 AM, Artien Bel <[email protected]> wrote:
>> Hello,
>>
>> As a test to replace our application and server monitoring software, I am
>> checking out OSSEC. I run at the moment a server/agent installation on 2
>> VMs with CentOS 5.6 and this works rather well. I do run into some issues
>> though that I can't seem to resolve by trying mindlessly, reading the
>> documentation and searching the mailing list.
>>
>> 1. I created an "uptime" command on the agent and the server, and I see in
>> the log that it runs:
>>
>> ossec-logcollector: INFO: Monitoring output of command(360): uptime
>>
>> ossec-logcollector: DEBUG: Running command 'uptime'
>> ossec-logcollector: DEBUG: Reading command message: 'ossec: output:
>> 'uptime': 10:30:30 up 7 min, 2 users, load average: 0.37, 0.65, 0.41'
>>
>> My issue is, though, that I don't seem to be able to generate an alert from
>> this. I added the rule:
>>
>> <rule id="100101" level="7" ignore="7200">
>>   <if_sid>530</if_sid>
>>   <match>ossec: output: "uptime": </match>
>>   <regex>load averages:</regex>
>>   <description>Load average reached 0..</description>
>> </rule>
>>
>> I tried to add it to both local_rules.xml and ossec_rules.xml (under the df
>> -h rule) but in both cases it did not generate an alert, neither for the agent
>> nor for the server.
>>
>> Can anyone tell me what I'm doing wrong?
>>
>> My other question is: can OSSEC do rate detection on its own or will I need
>> something like syslog for that? I want to be able to alert only when event x is
>> triggered more than y times in z interval.
>>
>> Regards,
>>
>> Artien
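As an added example (not posted by anyone in this thread), here is what the reply above amounts to in configuration: a command `<localfile>` in each agent's ossec.conf so the agent runs `uptime` itself and forwards the output to the server, together with the server-side local_rules.xml the thread arrived at. The 360-second interval and rule id 100101 come from the thread; the `<ossec_config>` wrapper and the file paths are the standard OSSEC layout. Rule 100102 goes beyond the thread: it uses OSSEC's own rule-level `frequency`/`timeframe` attributes with `<if_matched_sid>`, which is how OSSEC does "more than y times in z interval" without an external syslog tool, answering the second question that nobody in the thread addressed. The 5-in-1800-seconds threshold is a placeholder of my choosing.

```xml
<!-- Agent side: /var/ossec/etc/ossec.conf on each agent (added example).
     A command-type localfile makes ossec-logcollector run the command every
     <frequency> seconds and forward its output to the server as
     "ossec: output: 'uptime': ...", where the server decodes it under rule 530.
     The same block in the server's own ossec.conf covers the server itself. -->
<ossec_config>
  <localfile>
    <log_format>command</log_format>
    <command>uptime</command>
    <frequency>360</frequency>
  </localfile>
</ossec_config>

<!-- Server side: /var/ossec/rules/local_rules.xml (added example).
     Rule 100101 is the thread's corrected rule: <match> is a literal substring
     test and must reproduce the command output exactly, i.e. single quotes
     around uptime and "load average:" with no 's'. The thread's ignore="7200"
     is dropped here on purpose: it would silence repeats of 100101 for two
     hours and so prevent the rate rule below from ever reaching its count.
     For a real threshold, tighten <regex> against the numeric fields rather
     than matching every uptime line. -->
<group name="ossec,local,">
  <rule id="100101" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'uptime': </match>
    <regex>load average:</regex>
    <description>Load average reported by uptime.</description>
  </rule>

  <!-- Rate rule (added): fires only when 100101 has matched 5 or more times
       within 1800 seconds. Threshold values are placeholders. -->
  <rule id="100102" level="10" frequency="5" timeframe="1800">
    <if_matched_sid>100101</if_matched_sid>
    <description>Load average reported 5 or more times in 30 minutes.</description>
  </rule>
</group>
```

Restart the agent after editing its ossec.conf and the server after editing local_rules.xml, as Doug notes. Before restarting the server, the quickest check is to paste the exact line from the agent log (`ossec: output: 'uptime': 10:30:30 up 7 min, 2 users, load average: 0.37, 0.65, 0.41`) into `/var/ossec/bin/ossec-logtest` and confirm it reports rule 100101; a mismatch in the `<match>` string, such as the double quotes in the first version of the rule, shows up there immediately. The same `<localfile>` block can instead be placed in the shared agent.conf, but, as the reply says, the agent's internal_options.conf must then permit it; the setting for that is `logcollector.remote_commands=1` (the option name is my addition, the thread only says the file must be modified).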
