Hello Dan,
My configuration is as follows:
Server:
local_rules.xml
===============
<group name="ossec,local,">
  <rule id="100101" level="7" ignore="7200">
    <if_sid>530</if_sid>
    <match>ossec: output: 'uptime': </match>
    <regex>load average:</regex>
    <description>Load average reached 0..</description>
  </rule>
</group>
ossec.conf
==========
<global>
  <email_notification>no</email_notification>
  <logall>yes</logall>
</global>
(at the bottom)
<localfile>
  <log_format>command</log_format>
  <command>uptime</command>
</localfile>
Agent:
ossec-agent.conf:
=================
<localfile>
  <log_format>command</log_format>
  <command>uptime</command>
</localfile>
I have turned on logall but still see no alert generated by the uptime command
on the agent (while I see the command being executed in the agent log). Other
alerts (like checksum changes) do get sent from the agent to the server.
Regards,
Artien
From: [email protected] [mailto:[email protected]] On behalf of
dan (ddp)
Sent: Tuesday 29 November 2011 10:19
To: [email protected]
Subject: RE: [ossec-list] server-agent response on <command> and another
question
On Nov 29, 2011 4:11 AM, "Artien Bel" <[email protected]> wrote:
>
> Hello Dan/Doug,
>
> I added the rule to the ossec.conf of the agent and I see that the agent
> executes the command itself. However it doesn't generate an alert on the
> server. Is there something I need to do to tell the agent to transmit the
> results of the command to the server?
>
You'll have to show us what you did exactly. You don't put rules on agents or
in the ossec.conf.
If you added the localfile uptime command, you could turn on logall on the
manager to see the log message being generated by the agent.
> Thank you for your help,
>
> Artien
>
> -----Original message-----
> From: [email protected] [mailto:[email protected]] On behalf of
> dan (ddp)
> Sent: Monday 28 November 2011 21:24
> To: [email protected]
> Subject: Re: [ossec-list] server-agent response on <command> and another
> question
>
> On Tue, Nov 22, 2011 at 2:03 PM, Artien Bel <[email protected]> wrote:
> > Hello Doug,
> >
> > Thank you, sometimes something as obvious as a typo is all that's needed to
> > make it frustrating :) On the server it worked by adding:
> >
> > <group name="ossec,local,">
> > <rule id="100101" level="7" ignore="7200">
> > <if_sid>530</if_sid>
> > <match>ossec: output: 'uptime': </match>
> > <regex>load average:</regex>
> > <description>Load average reached 0..</description>
> > </rule>
> > </group>
> >
> > To the local_rules.xml
> >
> > Is there a way however to get this information from the agent(s) too, or is
> > this something that only works on the server/local install/by reading
> > remote syslog with a cronjob?
> >
> > Regards,
> >
> > Artien
>
> You can add commands to agents by editing their ossec.confs.
>
>
> There is also a way to add them to the agent.conf, but you have to modify
> internal_options.conf as well (for post 2.6, it'll work out of the box with
> pre-2.6, and won't work at all with 2.6).
>
> >
> > -----Original message-----
> > From: [email protected] [mailto:[email protected]]
> > On behalf of Doug Burks
> > Sent: Tuesday 22 November 2011 14:53
> > To: [email protected]
> > Subject: Re: [ossec-list] server-agent response on <command> and
> > another question
> >
> > Hi Artien,
> >
> > The rule should be in local_rules.xml (and don't forget to restart OSSEC
> > after placing it there).
> >
> > Looks like the output of the command says "load average" (no 's'), but the
> > rule is trying to match "load averages" (with an 's').
> >
> > Please try changing the rule to match the command output (and don't forget
> > to restart OSSEC).
> >
> > I've got some other examples here which you may be interested in:
> > http://securityonion.blogspot.com/2011/11/how-do-i-receive-email-when-my-sensor.html
> > http://securityonion.blogspot.com/2011/11/follow-up-on-ossec-alerts-for-packet.html
> >
> > Hope that helps!
> >
> > Thanks,
> > --
> > Doug Burks, GSE, CISSP | http://securityonion.blogspot.com
> > President, Greater Augusta ISSA | http://augusta.issa.org
> >
> > On Mon, Nov 21, 2011 at 5:17 AM, Artien Bel <[email protected]> wrote:
> >> Hello,
> >>
> >> As a test to replace our application and server monitoring software, I am
> >> checking out OSSEC. At the moment I run a server/agent installation on 2
> >> VMs with CentOS 5.6 and this works rather well. I do run into some issues
> >> though that I can't seem to resolve by trying mindlessly, reading the
> >> documentation and searching the mailing list.
> >>
> >> 1. I created an "uptime" command on the agent and the server, and I see in
> >> the log that it runs:
> >>
> >> ossec-logcollector: INFO: Monitoring output of command(360):
> >> uptime
> >>
> >> ossec-logcollector: DEBUG: Running command 'uptime'
> >> ossec-logcollector: DEBUG: Reading command message: 'ossec: output:
> >> 'uptime': 10:30:30 up 7 min, 2 users, load average: 0.37, 0.65, 0.41'
> >>
> >> My issue is though, that I don't seem to be able to generate an alert from
> >> this. I added the rule:
> >>
> >> <rule id="100101" level="7" ignore="7200">
> >> <if_sid>530</if_sid>
> >> <match>ossec: output: "uptime": </match>
> >> <regex>load averages:</regex>
> >> <description>Load average reached 0..</description>
> >> </rule>
> >>
> >> I tried to add it to both local_rules.xml and ossec_rules.xml (under the
> >> df -h rule) but in both cases it did not generate an alert, nor for the
> >> agent, nor for the server.
> >>
> >> Can anyone tell me what I'm doing wrong?
> >>
> >> My other question is: can OSSEC do rate detection on its own or will I
> >> need something like syslog for that? I want to be able to alert only when
> >> event x is triggered more than y times in z interval.
> >>
> >> Regards,
> >>
> >> Artien
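As an added example (my own code, not from the thread and not OSSEC's implementation): a small Python model of how the thread's rule is evaluated against the command output line the agent logged. It shows that the first rule variant never fires against that line (its `<regex>` says `load averages:` while the output says `load average:`, and its `<match>` uses `"uptime"` in double quotes while the output uses single quotes), that the corrected variant does, and how the parsed load average could be compared to a threshold. The `RateDetector` class is a hypothetical sliding-window counter illustrating the "event x more than y times in z interval" logic asked about in the thread; it is not OSSEC's correlation code. Python's `re` stands in for OSSEC's own regex engine, and `<match>` is simplified to a plain substring test.

```python
import re
from collections import deque

# Constructed test input: the command output line quoted in the thread from the
# agent log ("Reading command message: ..."), copied here verbatim.
UPTIME_EVENT = (
    "ossec: output: 'uptime': 10:30:30 up 7 min, 2 users, "
    "load average: 0.37, 0.65, 0.41"
)

# The two rule variants that appear in the thread, reduced to their
# <match> (substring) and <regex> (pattern) conditions.
ORIGINAL_RULE = {"match": 'ossec: output: "uptime": ', "regex": r"load averages:"}
CORRECTED_RULE = {"match": "ossec: output: 'uptime': ", "regex": r"load average:"}


def rule_matches(line, rule):
    """Simplified rule evaluation: <match> must be a substring of the line
    and <regex> must find a hit; both conditions are required."""
    if rule["match"] not in line:
        return False
    return re.search(rule["regex"], line) is not None


def parse_load_average(line):
    """Extract the 1/5/15-minute load averages from an uptime output line.
    Accepts both 'load average:' (Linux) and 'load averages:' (BSD) spellings."""
    m = re.search(r"load averages?: ([\d.]+), ([\d.]+), ([\d.]+)", line)
    if not m:
        return None
    return tuple(float(x) for x in m.groups())


def load_alert(line, threshold):
    """True when the 1-minute load average reaches the threshold,
    None when the line carries no load average at all."""
    loads = parse_load_average(line)
    if loads is None:
        return None
    return loads[0] >= threshold


class RateDetector:
    """Hypothetical sliding-window counter: fires when more than `max_hits`
    events arrive within `window` seconds (the thread's x/y/z question)."""

    def __init__(self, max_hits, window):
        self.max_hits = max_hits
        self.window = window
        self.hits = deque()  # event timestamps still inside the window

    def observe(self, ts):
        """Record one event at time `ts` (seconds) and report whether the
        rate threshold has been exceeded."""
        self.hits.append(ts)
        # Drop events that have fallen out of the window.
        while self.hits and ts - self.hits[0] > self.window:
            self.hits.popleft()
        return len(self.hits) > self.max_hits


if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL_RULE), ("corrected", CORRECTED_RULE)):
        print(f"{name} rule fires: {rule_matches(UPTIME_EVENT, rule)}")
    print("load averages:", parse_load_average(UPTIME_EVENT))
    print("1-min load >= 0.30:", load_alert(UPTIME_EVENT, 0.30))
    detector = RateDetector(max_hits=3, window=60)
    print("rate exceeded per event:", [detector.observe(t) for t in (0, 10, 20, 30, 100)])
```

Running the block prints that only the corrected rule fires, and that four events in 30 seconds trip a 3-per-60-seconds detector while a fifth event 70 seconds later, with the window emptied, does not.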