Hi Dan, Thanks for the feedback. I cannot figure out how to get the decoder to work.
However are you sure that the actual log is being decoded as: 'ossec: output: 'mem-usage': 79,whatever%' I tried modifying the rule as follows: <rule id="100074" level="7" ignore="7200"> <if_sid>530</if_sid> <match>ossec: output: 'mem-usage':7</match> <description>High Memory Usage</description> </rule> According to ossec-logtest the rule should be triggered, and yet it isn't. On 27 December 2013 14:57, dan (ddp) <[email protected]> wrote: > On Fri, Dec 27, 2013 at 8:41 AM, Robert Micallef <[email protected]> > wrote: > > Hi Dan, > > > > From archives.log: > > > > 2013 Dec 27 11:31:01 (m-s-comm1) 10.152.1.227->mem-usage ossec: output: > > 'mem-usage': > > 70.85% > > > > From alerts.log I see nothing at those timestamps. > > > > Am I looking at the correct logs? > > > > Yes, archives.log gives you a sample of the log message you are trying > to match against. > From reading the documentation or looking at the mailing list > archives, you can see that there is a header on this log message. So > the log we want to test against is: > ossec: output: 'mem-usage':70.85% > > I don't have ossec available at the moment to copy/paste the whole > ossec-logtest output for you, but it's easy enough for you to recreate > on your own. The important part I want to look at first is what is > predecoded as the "log" field. This is what <match> and <regex> > entries will be looking at: > > log: 'ossec: output: 'mem-usage': 79,whatever%' > > From that one line we can tell that your regex is not correct, the > first character is not a number. > > You can either adjust your rule to account for this, or create a > decoder to put the % in a field and check against it in your rule. I > personally think the decoder option would be easier, but I've written > a few in the past. > > > Thanks. > > > > > > > > On 27 December 2013 11:13, dan (ddp) <[email protected]> wrote: > >> > >> > >> On Dec 27, 2013 5:11 AM, "Robert Micallef" <[email protected]> > wrote: > >> > > >> > Thanks a lot Dan. That worked like a charm. It didn't cross my mind to > >> > grep only the PID. > >> > > >> > I used the <check_diff /> option and: > >> > ps -ef | grep process-name | awk '{ print $2 }' > >> > > >> > It is working well now. Can you also please tell me what I did wrong > >> > with this rule? > >> > > >> > I created a script to output the Memory Usage. The output will be the > >> > percentage used. Ex: 67.5%. I want an alert when it is over 80%. > >> > > >> > I have OSSEC running the script with the following: > >> > > >> > <localfile> > >> > <log_format>full_command</log_format> > >> > <command>sh /var/ossec/scripts/memusage.sh</command> > >> > <alias>mem-usage</alias> > >> > </localfile> > >> > > >> > On the server I created the following rule: > >> > > >> > <rule id="100074" level="7" ignore="7200"> > >> > <if_sid>530</if_sid> > >> > <match>ossec: output: 'mem-usage':</match> > >> > <regex>^8|^9|^10</regex> > >> > <description>High Memory Usage</description> > >> > </rule> > >> > > >> > To test that this is working I then created this rule: > >> > > >> > <rule id="100075" level="7" ignore="7200"> > >> > <if_sid>530</if_sid> > >> > <match>ossec: output: 'mem-usage':</match> > >> > <regex>^1|^2|^3|^4|^5|^6|^7</regex> > >> > <description>Test Memory Usage</description> > >> > </rule> > >> > > >> > I left it running for a few days and I see no alerts. Any idea how to > >> > fix this please? > >> > > >> > >> Turn on the log all option on the server and provide us with a sample > log > >> message. > >> > >> > Thanks. > >> > > >> > -- > >> > > >> > --- > >> > You received this message because you are subscribed to the Google > >> > Groups "ossec-list" group. > >> > To unsubscribe from this group and stop receiving emails from it, send > >> > an email to [email protected]. > >> > >> > >> > For more options, visit https://groups.google.com/groups/opt_out. > >> > >> -- > >> > >> --- > >> You received this message because you are subscribed to a topic in the > >> Google Groups "ossec-list" group. > >> To unsubscribe from this topic, visit > >> https://groups.google.com/d/topic/ossec-list/QeNptAfzGQQ/unsubscribe. > >> To unsubscribe from this group and all its topics, send an email to > >> [email protected]. > >> > >> For more options, visit https://groups.google.com/groups/opt_out. > > > > > > -- > > > > --- > > You received this message because you are subscribed to the Google Groups > > "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send an > > email to [email protected]. > > For more options, visit https://groups.google.com/groups/opt_out. > > -- > > --- > You received this message because you are subscribed to a topic in the > Google Groups "ossec-list" group. > To unsubscribe from this topic, visit > https://groups.google.com/d/topic/ossec-list/QeNptAfzGQQ/unsubscribe. > To unsubscribe from this group and all its topics, send an email to > [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
