On Nov 29, 2011 4:11 AM, "Artien Bel" <[email protected]> wrote:
>
> Hello Dan/Doug,
>
> I added the rule to the ossec.conf of the agent and I see that the agent
executes the command itself. However it doesn't generate an alert on the
server. Is there something I need to do to tell the agent to transmit the
results of the command to the server?
>

You'll have to show us what you did exactly. You don't put rules on agents
or in the ossec.conf.

If you added the localfile uptime command, you could turn on logall on the
manager to see the log message being generated by the agent.

> Thank you for your help,
>
> Artien
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On behalf of dan (ddp)
> Sent: Monday, 28 November 2011 21:24
> To: [email protected]
> Subject: Re: [ossec-list] server-agent response on <command> and
another question
>
> On Tue, Nov 22, 2011 at 2:03 PM, Artien Bel <[email protected]>
wrote:
> > Hello Doug,
> >
> > Thank you, sometimes something obvious as a typo is all that's needed
to make it frustrating :) On the server it worked by adding:
> >
> > <group name="ossec,local,">
> >   <rule id="100101" level="7" ignore="7200">
> >     <if_sid>530</if_sid>
> >     <match>ossec: output: 'uptime': </match>
> >     <regex>load average:</regex>
> >     <description>Load average reached 0..</description>
> >   </rule>
> > </group>
> >
> > To the local_rules.xml
> >
> > Is there a way however to get this information from the agent(s) too,
or is this something that only works on the server/local install/by reading
remote syslog with a cronjob?
> >
> > Regards,
> >
> > Artien
>
> You can add commands to agents by editing their ossec.confs.
>
>
> There is also a way to add them to the agent.conf, but you have to modify
internal_options.conf as well (for post 2.6, it'll work out of the box with
pre-2.6, and won't work at all with 2.6).
>
> >
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]]
> > On behalf of Doug Burks
> > Sent: Tuesday, 22 November 2011 14:53
> > To: [email protected]
> > Subject: Re: [ossec-list] server-agent response on <command> and
> > another question
> >
> > Hi Artien,
> >
> > The rule should be in local_rules.xml (and don't forget to restart
OSSEC after placing it there).
> >
> > Looks like the output of the command says "load average" (no 's'), but
the rule is trying to match "load averages" (with an 's').
> >
> > Please try changing the rule to match the command output (and don't
forget to restart OSSEC).
> >
> > I've got some other examples here which you may be interested in:
> > http://securityonion.blogspot.com/2011/11/how-do-i-receive-email-when-my-sensor.html
> > http://securityonion.blogspot.com/2011/11/follow-up-on-ossec-alerts-for-packet.html
> >
> > Hope that helps!
> >
> > Thanks,
> > --
> > Doug Burks, GSE, CISSP | http://securityonion.blogspot.com
> > President, Greater Augusta ISSA | http://augusta.issa.org
> >
> > On Mon, Nov 21, 2011 at 5:17 AM, Artien Bel <[email protected]>
wrote:
> >> Hello,
> >>
> >> As a test to replace our application and server monitoring software, I
am checking out OSSEC. I run at the moment a server/agent installation on 2
VMs with CentOS 5.6 and this works rather well. I do run into some issues
though that I can't seem to resolve by trying mindlessly, reading the
documentation and searching the mailing list.
> >>
> >> 1. I created an "uptime" command on the agent and the server, and I see
in the log that it runs:
> >>
> >> ossec-logcollector: INFO: Monitoring output of command(360):
> >>  uptime
> >>
> >> ossec-logcollector: DEBUG: Running command 'uptime'
> >> ossec-logcollector: DEBUG: Reading command message: 'ossec: output:
'uptime':  10:30:30 up 7 min,  2 users,  load average: 0.37, 0.65, 0.41'
> >>
> >> My issue is though, that I don't seem to be able to generate an alert
from this. I added the rule:
> >>
> >> <rule id="100101" level="7" ignore="7200">
> >>   <if_sid>530</if_sid>
> >>   <match>ossec: output: "uptime": </match>
> >>   <regex>load averages:</regex>
> >>   <description>Load average reached 0..</description>
> >> </rule>
> >>
> >> I tried to add it to both local_rules.xml and ossec_rules.xml (under
the df -h rule) but in both cases it did not generate an alert, neither for
the agent nor for the server.
> >>
> >> Can anyone tell me what I'm doing wrong?
> >>
> >> My other question is: can OSSEC do rate detection on its own or will I
need something like syslog for that? I want to be able to alert only when
event x is triggered more than y times in z interval.
> >>
> >> Regards,
> >>
> >> Artien
> >>
> >>
> >
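As an added example (not code from the thread's participants or from the OSSEC project), here is the configuration the thread converges on in one place: the agent-side `<localfile>` command block, the manager-side rule with Doug's fix applied (single quotes around uptime, "load average:" without the s), and a frequency/timeframe rule that answers the rate-detection question. File paths assume a default `/var/ossec` install; the rule ids, the 5-events-in-300-seconds threshold and the 360-second command interval are assumptions chosen for illustration.

```xml
<!-- Agent: /var/ossec/etc/ossec.conf (assumed default install path).
     Runs uptime every 360 seconds and forwards each output line to the
     manager as "ossec: output: 'uptime': ...", which rule 530 classifies. -->
<ossec_config>
  <localfile>
    <log_format>command</log_format>
    <command>uptime</command>
    <frequency>360</frequency>
  </localfile>
</ossec_config>

<!-- Manager: /var/ossec/etc/ossec.conf, optional while debugging.
     logall archives every event the manager receives, so you can confirm
     that the agent's command output actually arrives before tuning rules. -->
<ossec_config>
  <global>
    <logall>yes</logall>
  </global>
</ossec_config>

<!-- Manager: /var/ossec/rules/local_rules.xml -->
<group name="ossec,local,">

  <!-- The rule as first posted, kept here commented out: it never fires,
       because the real output uses single quotes around uptime and reads
       "load average:" (no trailing s). -->
  <!--
  <rule id="100101" level="7" ignore="7200">
    <if_sid>530</if_sid>
    <match>ossec: output: "uptime": </match>
    <regex>load averages:</regex>
    <description>Load average reached 0..</description>
  </rule>
  -->

  <!-- Corrected rule. <match> is a literal prefix check on the line rule 530
       already classified; <regex> narrows it to the load-average output.
       ignore="7200" suppresses repeat alerts from this rule for two hours. -->
  <rule id="100101" level="7" ignore="7200">
    <if_sid>530</if_sid>
    <match>ossec: output: 'uptime': </match>
    <regex>load average:</regex>
    <description>uptime output received from agent.</description>
  </rule>

  <!-- Rate detection done by OSSEC itself, no external syslog correlation:
       fire only after rule 100101 has matched repeatedly (frequency) within
       timeframe seconds. The values 5 and 300 are assumed for illustration. -->
  <rule id="100102" level="10" frequency="5" timeframe="300">
    <if_matched_sid>100101</if_matched_sid>
    <description>Repeated uptime alerts within five minutes.</description>
  </rule>
</group>
```

A few practical notes. Restart OSSEC on both agent and manager after changing either file, as Doug says. If you want to push the `<localfile>` block to agents through the shared agent.conf instead of editing each agent's ossec.conf, dan's caveat applies: on releases after 2.6 the agent must also have `logcollector.remote_commands=1` set in its internal_options.conf. For a real threshold rather than "any uptime line", remember that OSSEC's regex flavour uses `\d` for a digit, so a pattern such as `load average: \d\d.` in `<regex>` only matches when the one-minute load has two integer digits (10.00 or higher). Finally, verify the effective trigger count of `frequency` on your version: OSSEC's documentation has noted that the number of matches actually required can be higher than the attribute value.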
