Thanks a lot Dan. That worked like a charm. It didn't cross my mind to grep
only the PID.
I used the <check_diff /> option and:
ps -ef | grep process-name | awk '{ print $2 }'
It is working well now. Can you also please tell me what I did wrong with
this rule?
I created a script to output the Memory Usage. The output will be the
percentage used. Ex: 67.5%. I want an alert when it is over 80%.
I have OSSEC running the script with the following:
<localfile>
  <log_format>full_command</log_format>
  <command>sh /var/ossec/scripts/memusage.sh</command>
  <alias>mem-usage</alias>
</localfile>
On the server I created the following rule:
<rule id="100074" level="7" ignore="7200">
  <if_sid>530</if_sid>
  <match>ossec: output: 'mem-usage':</match>
  <regex>^8|^9|^10</regex>
  <description>High Memory Usage</description>
</rule>
To test that this is working I then created this rule:
<rule id="100075" level="7" ignore="7200">
  <if_sid>530</if_sid>
  <match>ossec: output: 'mem-usage':</match>
  <regex>^1|^2|^3|^4|^5|^6|^7</regex>
  <description>Test Memory Usage</description>
</rule>
I left it running for a few days and I see no alerts. Any idea how to fix
this please?
Thanks.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
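Added example (not part of the original post, and not OSSEC's own code): the rules above anchor their <regex> with `^`, but in an OSSEC rule `^` anchors to the start of the whole log line, and a full_command line starts with `ossec: output: 'mem-usage':`, so `^8` never has a chance to match the number. A more robust design is to have the monitored script itself decide whether the threshold is crossed and emit a literal state token, so the rule can use a plain <match> on that token (for example `<match>mem-usage: HIGH</match>` under `<if_sid>530</if_sid>`) instead of regexing digits. The script below is an assumed replacement for memusage.sh: it reads /proc/meminfo-format text on stdin, computes used memory as MemTotal minus MemAvailable, and prefixes the percentage with HIGH or OK. The threshold, the output wording and the sample meminfo text are all constructed for this example.

```shell
#!/bin/sh
# Added example, not the original poster's memusage.sh.
# Emits one line such as "mem-usage: HIGH 85.0%" so an OSSEC rule can
# <match> on the literal state token instead of anchoring a regex on digits.

# Alert threshold in percent (assumed default of 80, matching the post's goal).
THRESHOLD="${THRESHOLD:-80}"

# mem_percent: read /proc/meminfo-style text on stdin and print the
# percentage of memory in use with one decimal (used = MemTotal - MemAvailable).
mem_percent() {
  awk '
    /^MemTotal:/     { total = $2 }
    /^MemAvailable:/ { avail = $2 }
    END {
      if (total == 0) { print "error: no MemTotal in input" > "/dev/stderr"; exit 1 }
      printf "%.1f\n", (total - avail) * 100 / total
    }'
}

# classify: compare a percentage string with THRESHOLD numerically via awk
# (POSIX sh has no floating-point arithmetic) and print HIGH or OK.
classify() {
  awk -v p="$1" -v t="$THRESHOLD" 'BEGIN {
    state = (p + 0 > t + 0) ? "HIGH" : "OK"
    print state
  }'
}

# report: produce the single line OSSEC will see after its own
# "ossec: output: 'mem-usage': " prefix, e.g. "mem-usage: HIGH 85.0%".
report() {
  pct=$(mem_percent) || return 1
  echo "mem-usage: $(classify "$pct") ${pct}%"
}

# Constructed sample inputs (not a real host's /proc/meminfo).
SAMPLE_HIGH='MemTotal:       8000000 kB
MemFree:         500000 kB
MemAvailable:   1200000 kB'

SAMPLE_OK='MemTotal:       8000000 kB
MemFree:        4000000 kB
MemAvailable:   5000000 kB'

# Real use on a host:   report < /proc/meminfo
# Demo with the constructed samples:   sh memusage.sh --demo
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_HIGH" | report
  printf '%s\n' "$SAMPLE_OK" | report
fi
```

With this output format the server-side rule only needs `<match>mem-usage: HIGH</match>`, and the threshold lives in one place (the script) rather than being encoded as a list of leading digits in a regex.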