Hi Dan, >From archives.log:
2013 Dec 27 11:31:01 (m-s-comm1) 10.152.1.227->mem-usage ossec: output: 'mem-usage': 70.85% >From alerts.log I see nothing at those timestamps. Am I looking at the correct logs? Thanks. On 27 December 2013 11:13, dan (ddp) <[email protected]> wrote: > > On Dec 27, 2013 5:11 AM, "Robert Micallef" <[email protected]> wrote: > > > > Thanks a lot Dan. That worked like a charm. It didn't cross my mind to > grep only the PID. > > > > I used the <check_diff /> option and: > > ps -ef | grep process-name | awk '{ print $2 }' > > > > It is working well now. Can you also please tell me what I did wrong > with this rule? > > > > I created a script to output the Memory Usage. The output will be the > percentage used. Ex: 67.5%. I want an alert when it is over 80%. > > > > I have OSSEC running the script with the following: > > > > <localfile> > > <log_format>full_command</log_format> > > <command>sh /var/ossec/scripts/memusage.sh</command> > > <alias>mem-usage</alias> > > </localfile> > > > > On the server I created the following rule: > > > > <rule id="100074" level="7" ignore="7200"> > > <if_sid>530</if_sid> > > <match>ossec: output: 'mem-usage':</match> > > <regex>^8|^9|^10</regex> > > <description>High Memory Usage</description> > > </rule> > > > > To test that this is working I then created this rule: > > > > <rule id="100075" level="7" ignore="7200"> > > <if_sid>530</if_sid> > > <match>ossec: output: 'mem-usage':</match> > > <regex>^1|^2|^3|^4|^5|^6|^7</regex> > > <description>Test Memory Usage</description> > > </rule> > > > > I left it running for a few days and I see no alerts. Any idea how to > fix this please? > > > > Turn on the log all option on the server and provide us with a sample log > message. > > > Thanks. > > > > -- > > > > --- > > You received this message because you are subscribed to the Google > Groups "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send > an email to [email protected]. > > > For more options, visit https://groups.google.com/groups/opt_out. > > -- > > --- > You received this message because you are subscribed to a topic in the > Google Groups "ossec-list" group. > To unsubscribe from this topic, visit > https://groups.google.com/d/topic/ossec-list/QeNptAfzGQQ/unsubscribe. > To unsubscribe from this group and all its topics, send an email to > [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
