On Thu, Dec 20, 2012 at 9:29 AM, Sergey Fursov <[email protected]> wrote:
> Here it is. Tags <options>alert_by_email</options> are inserted by me
> because we need all database activity events.
>

Unless you made significant changes to the postgresql_rules.xml file, I
don't need your copy. What I do need, and what I asked for, is log samples.
With those log samples I can find out why you aren't getting alerts. Without
those log samples I will not be able to track this down for you.

> <!-- PostgreSQL Log messages -->
> <group name="postgresql_log,">
>   <rule id="50500" level="0">
>     <options>alert_by_email</options>
>     <decoded_as>postgresql_log</decoded_as>
>     <description>PostgreSQL messages grouped.</description>
>   </rule>
>
>   <rule id="50501" level="0">
>     <if_sid>50500</if_sid>
>     <status>^LOG</status>
>     <options>alert_by_email</options>
>     <description>PostgreSQL log message.</description>
>   </rule>
>
>   <rule id="50502" level="0">
>     <if_sid>50500</if_sid>
>     <options>alert_by_email</options>
>     <status>^NOTICE|INFO</status>
>     <description>PostgreSQL informational message.</description>
>   </rule>
>
>   <rule id="50503" level="4">
>     <if_sid>50500</if_sid>
>     <options>alert_by_email</options>
>     <status>^ERROR</status>
>     <description>PostgreSQL error message.</description>
>   </rule>
>
>   <rule id="50504" level="5">
>     <if_sid>50500</if_sid>
>     <options>alert_by_email</options>
>     <status>^FATAL</status>
>     <description>PostgreSQL error message.</description>
>   </rule>
>
>   <rule id="50505" level="0">
>     <if_sid>50500</if_sid>
>     <options>alert_by_email</options>
>     <status>^DEBUG</status>
>     <description>PostgreSQL debug message.</description>
>   </rule>
>
>   <rule id="50510" level="0">
>     <if_sid>50501</if_sid>
>     <options>alert_by_email</options>
>     <match> duration: | statement: </match>
>     <description>Database query.</description>
>   </rule>
>
>   <rule id="50511" level="3">
>     <if_sid>50501</if_sid>
>     <options>alert_by_email</options>
>     <match>connection authorized</match>
>     <description>Database authentication success.</description>
>     <group>authentication_success,</group>
>   </rule>
>
>   <rule id="50512" level="9">
>     <if_sid>50504</if_sid>
>     <options>alert_by_email</options>
>     <match>authentication failed</match>
>     <description>Database authentication failure.</description>
>     <group>authentication_failed,</group>
>   </rule>
>
>   <rule id="50520" level="12">
>     <if_sid>50504</if_sid>
>     <options>alert_by_email</options>
>     <match>terminating connection due</match>
>     <description>Database shutdown messge.</description>
>     <group>service_availability,</group>
>   </rule>
>
>   <rule id="50521" level="12">
>     <if_sid>50501</if_sid>
>     <options>alert_by_email</options>
>     <match>aborting any active transactions|shutting down</match>
>     <description>Database shutdown messge.</description>
>     <group>service_availability,</group>
>   </rule>
>
>   <rule id="50580" level="10" frequency="6" timeframe="120" ignore="60">
>     <if_matched_sid>50504</if_matched_sid>
>     <description>Multiple database errors.</description>
>     <group>service_availability,</group>
>   </rule>
>
>   <rule id="50581" level="10" frequency="6" timeframe="120" ignore="60">
>     <if_matched_sid>50503</if_matched_sid>
>     <description>Multiple database errors.</description>
>     <group>service_availability,</group>
>   </rule>
>
> </group> <!-- POSTGRESQL -->
>
> <!-- EOF -->
>
> On Thursday, December 20, 2012, 16:41:47 UTC+4, Sergey Fursov wrote:
>>
>> Hello. I performed an installation of the OSSEC server (1) and OSSEC
>> agent (2) with the default configuration, and checked that the OSSEC
>> agent is working fine (for example, I get an email alert when OSSEC
>> restarts or somebody logs on to (2)).
>> After this I installed PostgreSQL on (2) and added its log to
>> /var/ossec/etc/ossec.conf on (2):
>>
>> <localfile>
>>   <log_format>postgresql_log</log_format>
>>   <location>/var/log/postgresql/postgresql-9.2-main.log</location>
>> </localfile>
>>
>> But I didn't see any errors from the OSSEC server (1) while I ran some
>> error tests, like:
>> MSK ERROR: column orders.is_canceled does not exist at character 164
>> or
>> MSK FATAL: the database system is starting up
>> or
>> MSK FATAL: password authentication failed for user "redmine"
>>
>>
>> Could you help with the correct installation of this monitoring? Thanks a lot!
>>
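
An added example, not part of the original thread and not OSSEC's own code: a simplified Python model of the rule tree quoted above, run on the three log fragments from the original question to show which rule id and level each would reach. It assumes the postgresql_log decoder (not shown in the thread) has already extracted the status keyword, which the hypothetical `STATUS_RE` stands in for, and it approximates OSSEC's pattern matching with Python regexes, taking the first matching child in file order.

```python
import re

# Rule chain transcribed from the quoted postgresql_rules.xml:
# id -> (parent id, level, field tested, pattern).
# The composite rules 50580/50581 (frequency based) are left out.
RULES = {
    50500: (None, 0, None, None),
    50501: (50500, 0, "status", r"^LOG"),
    50502: (50500, 0, "status", r"^NOTICE|INFO"),
    50503: (50500, 4, "status", r"^ERROR"),
    50504: (50500, 5, "status", r"^FATAL"),
    50505: (50500, 0, "status", r"^DEBUG"),
    50510: (50501, 0, "match", r" duration: | statement: "),
    50511: (50501, 3, "match", r"connection authorized"),
    50512: (50504, 9, "match", r"authentication failed"),
    50520: (50504, 12, "match", r"terminating connection due"),
    50521: (50501, 12, "match", r"aborting any active transactions|shutting down"),
}

# Assumption: stand-in for the decoder, which is not shown in the thread.
STATUS_RE = re.compile(r"\b([A-Z]+\d?):\s+")


def classify(line):
    """Return (rule id, level) of the deepest matching rule, or None."""
    m = STATUS_RE.search(line)
    if not m:
        return None  # nothing decoded, so no rule in this group applies
    fields = {"status": m.group(1), "match": line}
    current = 50500
    while True:
        child = next(
            (rid for rid, (parent, _, field, pat) in RULES.items()
             if parent == current and re.search(pat, fields[field])),
            None,
        )
        if child is None:
            return current, RULES[current][1]
        current = child


# Log fragments exactly as quoted in the original question.
SAMPLES = [
    "MSK ERROR: column orders.is_canceled does not exist at character 164",
    "MSK FATAL: the database system is starting up",
    'MSK FATAL: password authentication failed for user "redmine"',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample), sample)
```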
