Since I have nothing to contribute as of yet on the OSSEC front, here is a
snippet that will log "OSSEC service not running" to the Windows Application
event log, where other processes can alert you that OSSEC is not running on
a host, as you will not receive alerts while the agent is down. I would run
this as a scheduled task and have it send an email that looks like the
other OSSEC emails so that all other filtering is maintained.
# Register OssecSvc as an event source that PowerShell can write to for alerts.
# Note: these only need to be run one time per server:
# (Information)
#eventcreate /ID 411 /L APPLICATION /T INFORMATION /SO OssecSvc /D "OSSEC Information"
# (Warning)
#eventcreate /ID 911 /L APPLICATION /T WARNING /SO OssecSvc /D "OSSEC Warning"
# (Error)
#eventcreate /ID 666 /L APPLICATION /T ERROR /SO OssecSvc /D "OSSEC Error"

# If you already have Windows event logs configured for email alert
# notification, this is all you need to add to that process.
# Loop forever. (The original "while ($X=1)" is an assignment, not a
# comparison; use $true or -eq.)
while ($true)
{
    # -ErrorAction SilentlyContinue: a missing service returns $null instead
    # of throwing, and $null is treated below as "not running".
    $SvcStat = Get-Service -Name OssecSvc -ErrorAction SilentlyContinue
    If ($SvcStat -and $SvcStat.Status -eq "Running")
    {
        # Un-comment the next line for testing; comment it out when running in
        # production as a scheduled task.
        #Write-Host "Not doing anything"
    }
    Else
    {
        # Event 911 was registered above as a Warning, so log it as one.
        Write-EventLog -LogName Application -Source OssecSvc -EntryType Warning `
            -EventId 911 -Message "OSSEC service (OssecSvc) is not running"
        # Un-comment the next line for testing; comment it out in production.
        #Write-Host "Logged event 911; sleeping for 10 min"
    }
    # Check again in 10 minutes (600 seconds).
    Start-Sleep -Seconds 600
}
On Monday, July 8, 2013 12:34:29 PM UTC-4, Jared wrote:
> I receive the following alerts as expected as a result of the inline
> command:
>
> [root@ip-1-1-1-1 ~]# /var/ossec/bin/ossec-control stop
> Killing ossec-monitord ..
> Killing ossec-logcollector ..
> Killing ossec-remoted ..
> Killing ossec-syscheckd ..
> Killing ossec-analysisd ..
> Killing ossec-maild ..
> ossec-execd not running ..
> OSSEC HIDS v2.7 Stopped
>
> [root@ip-1-1-1-1 ~]# /var/ossec/bin/ossec-control start
> Starting OSSEC HIDS v2.7 (by Trend Micro Inc.)...
> Started ossec-maild...
> Started ossec-execd...
> Started ossec-analysisd...
> Started ossec-logcollector...
> Started ossec-remoted...
> Started ossec-syscheckd...
> Started ossec-monitord...
> Completed.
>
> [root@ip-1-1-1-1 ~]# /var/ossec/bin/agent_control -l
>
> Resulting Email:
>
> OSSEC HIDS Notification.
> 2013 Jul 08 16:16:11
> Received From: ip-1-1-1-1->ossec-monitord
> Rule: 502 fired (level 3) -> "Ossec server started."
> Portion of the log(s):
> ossec: Ossec started.
>
> Aside from having Windows generate an alert from a looping test of "is
> OSSEC-SVC running? yes = sleep, else send email", is it possible to get an
> email alert from OSSEC as it is shut down via the command line?
>
You received this message because you are subscribed to the Google Groups "ossec-list" group.
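An added example (not code from the original post or from the OSSEC project) that ties together the two halves of the reply above: the scheduled-task service check and the "email that looks like the other OSSEC emails". It is meant to run every few minutes as a one-shot scheduled task rather than as an infinite loop, and it handles two cases the posted loop does not: the service being absent rather than merely stopped, and sending mail only on the state change so a host that stays down does not flood the inbox. The notification body follows the layout of the sample email quoted above; the subject line, the SMTP relay smtp.example.internal, the mail addresses, the state-file path and the rule/level numbers are assumptions and not OSSEC's own.

```powershell
# Added example, not from the original post: one-shot OSSEC agent health check
# for a Windows host, run from a scheduled task. Writes to the Application log
# under the OssecSvc source registered in the post above and emails an
# OSSEC-shaped notification when the agent goes down.
$ServiceName = 'OssecSvc'
$Source      = 'OssecSvc'
$SmtpServer  = 'smtp.example.internal'                 # assumed relay
$MailFrom    = 'ossecm@example.internal'               # assumed sender
$MailTo      = 'soc@example.internal'                  # assumed recipient
$StateFile   = Join-Path $env:ProgramData 'ossec-agent-check.state'  # assumed path

# Register the source once if the eventcreate step from the post was skipped.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

function Get-OssecState {
    # Returns 'Running', 'Missing', or the service's reported status.
    # A missing service must not throw, hence SilentlyContinue.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'Missing' }
    return [string]$svc.Status
}

function New-OssecStyleBody {
    param([string]$Message, [int]$Rule, [int]$Level, [string]$LogLine)
    # Mirrors the layout of the ossec-maild notification quoted in the thread
    # (header, timestamp, Received From, Rule line, log excerpt). The
    # "windows-agent-check" source name is a local convention.
    $stamp = Get-Date -Format 'yyyy MMM dd HH:mm:ss'
    return @"
OSSEC HIDS Notification.
$stamp
Received From: $($env:COMPUTERNAME)->windows-agent-check
Rule: $Rule fired (level $Level) -> "$Message"
Portion of the log(s):
$LogLine

--END OF NOTIFICATION
"@
}

$state = Get-OssecState
# Previous state from the last run; assume Running on first run so that a
# healthy host does not generate a spurious "recovered" event.
$prev = 'Running'
if (Test-Path $StateFile) { $prev = (Get-Content $StateFile -ErrorAction SilentlyContinue) }
Set-Content -Path $StateFile -Value $state

if ($state -eq 'Running') {
    # Log recovery once (event 411 was registered as Information in the post).
    if ($prev -ne 'Running') {
        Write-EventLog -LogName Application -Source $Source -EntryType Information `
            -EventId 411 -Message "OSSEC service ($ServiceName) is running again"
    }
    return
}

# Agent stopped or missing: record it in the Application log on every run
# so other event-log consumers keep seeing it...
Write-EventLog -LogName Application -Source $Source -EntryType Warning `
    -EventId 911 -Message "OSSEC service ($ServiceName) is not running (state: $state)"

# ...but only email on the Running -> not-running transition.
if ($prev -eq 'Running') {
    # Rule 911 / level 7 are local conventions chosen to match the event ID,
    # not real OSSEC rule numbers.
    $body = New-OssecStyleBody -Message 'OSSEC agent service stopped.' -Rule 911 -Level 7 `
        -LogLine "ossec: $ServiceName state is $state on $($env:COMPUTERNAME)"
    # Subject format is an approximation of OSSEC's; adjust to match your filters.
    Send-MailMessage -SmtpServer $SmtpServer -From $MailFrom -To $MailTo `
        -Subject "OSSEC Notification - $($env:COMPUTERNAME) - Alert level 7" -Body $body
}
```

Schedule it with Task Scheduler as SYSTEM (or a least-privilege account that can read services and write the Application log) on a five- or ten-minute trigger; because state is kept in the file rather than in a running process, a missed run or a reboot does not lose the "already alerted" marker, and the first run after an outage that has cleared logs the recovery event instead of silently resetting.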