On Fri, Dec 27, 2013 at 10:00 AM, Robert Micallef <[email protected]> wrote: > Hi Dan, > > Thanks for the feedback. I cannot figure out how to get the decoder to work. >
<decoder name="ossec-mem"> <parent>ossec</parent> <prematch offset="after_parent">'mem-usage': </prematch> <regex offset="after_prematch>^(\d+.\d+)%</regex> <order>extra_data</order> </decoder> With that you should be able to include somethinglike: <extra_data>^7</extra_data> in your rule (untested though, so test first). > However are you sure that the actual log is being decoded as: 'ossec: > output: 'mem-usage': 79,whatever%' > Yes, I'm sure. You can verify for yourself. > I tried modifying the rule as follows: > > > <rule id="100074" level="7" ignore="7200"> > <if_sid>530</if_sid> > <match>ossec: output: 'mem-usage':7</match> > Double check your spacing. > <description>High Memory Usage</description> > </rule> > > According to ossec-logtest the rule should be triggered, and yet it isn't. > Did you restart the ossec processes on the server after changing your rule? > > On 27 December 2013 14:57, dan (ddp) <[email protected]> wrote: >> >> On Fri, Dec 27, 2013 at 8:41 AM, Robert Micallef <[email protected]> >> wrote: >> > Hi Dan, >> > >> > From archives.log: >> > >> > 2013 Dec 27 11:31:01 (m-s-comm1) 10.152.1.227->mem-usage ossec: output: >> > 'mem-usage': >> > 70.85% >> > >> > From alerts.log I see nothing at those timestamps. >> > >> > Am I looking at the correct logs? >> > >> >> Yes, archives.log gives you a sample of the log message you are trying >> to match against. >> From reading the documentation or looking at the mailing list >> archives, you can see that there is a header on this log message. So >> the log we want to test against is: >> ossec: output: 'mem-usage':70.85% >> >> I don't have ossec available at the moment to copy/paste the whole >> ossec-logtest output for you, but it's easy enough for you to recreate >> on your own. The important part I want to look at first is what is >> predecoded as the "log" field. This is what <match> and <regex> >> entries will be looking at: >> >> log: 'ossec: output: 'mem-usage': 79,whatever%' >> >> From that one line we can tell that your regex is not correct, the >> first character is not a number. >> >> You can either adjust your rule to account for this, or create a >> decoder to put the % in a field and check against it in your rule. I >> personally think the decoder option would be easier, but I've written >> a few in the past. >> >> > Thanks. >> > >> > >> > >> > On 27 December 2013 11:13, dan (ddp) <[email protected]> wrote: >> >> >> >> >> >> On Dec 27, 2013 5:11 AM, "Robert Micallef" <[email protected]> >> >> wrote: >> >> > >> >> > Thanks a lot Dan. That worked like a charm. It didn't cross my mind >> >> > to >> >> > grep only the PID. >> >> > >> >> > I used the <check_diff /> option and: >> >> > ps -ef | grep process-name | awk '{ print $2 }' >> >> > >> >> > It is working well now. Can you also please tell me what I did wrong >> >> > with this rule? >> >> > >> >> > I created a script to output the Memory Usage. The output will be the >> >> > percentage used. Ex: 67.5%. I want an alert when it is over 80%. >> >> > >> >> > I have OSSEC running the script with the following: >> >> > >> >> > <localfile> >> >> > <log_format>full_command</log_format> >> >> > <command>sh /var/ossec/scripts/memusage.sh</command> >> >> > <alias>mem-usage</alias> >> >> > </localfile> >> >> > >> >> > On the server I created the following rule: >> >> > >> >> > <rule id="100074" level="7" ignore="7200"> >> >> > <if_sid>530</if_sid> >> >> > <match>ossec: output: 'mem-usage':</match> >> >> > <regex>^8|^9|^10</regex> >> >> > <description>High Memory Usage</description> >> >> > </rule> >> >> > >> >> > To test that this is working I then created this rule: >> >> > >> >> > <rule id="100075" level="7" ignore="7200"> >> >> > <if_sid>530</if_sid> >> >> > <match>ossec: output: 'mem-usage':</match> >> >> > <regex>^1|^2|^3|^4|^5|^6|^7</regex> >> >> > <description>Test Memory Usage</description> >> >> > </rule> >> >> > >> >> > I left it running for a few days and I see no alerts. Any idea how to >> >> > fix this please? >> >> > >> >> >> >> Turn on the log all option on the server and provide us with a sample >> >> log >> >> message. >> >> >> >> > Thanks. >> >> > >> >> > -- >> >> > >> >> > --- >> >> > You received this message because you are subscribed to the Google >> >> > Groups "ossec-list" group. >> >> > To unsubscribe from this group and stop receiving emails from it, >> >> > send >> >> > an email to [email protected]. >> >> >> >> >> >> > For more options, visit https://groups.google.com/groups/opt_out. >> >> >> >> -- >> >> >> >> --- >> >> You received this message because you are subscribed to a topic in the >> >> Google Groups "ossec-list" group. >> >> To unsubscribe from this topic, visit >> >> https://groups.google.com/d/topic/ossec-list/QeNptAfzGQQ/unsubscribe. >> >> To unsubscribe from this group and all its topics, send an email to >> >> [email protected]. >> >> >> >> For more options, visit https://groups.google.com/groups/opt_out. >> > >> > >> > -- >> > >> > --- >> > You received this message because you are subscribed to the Google >> > Groups >> > "ossec-list" group. >> > To unsubscribe from this group and stop receiving emails from it, send >> > an >> > email to [email protected]. >> > For more options, visit https://groups.google.com/groups/opt_out. >> >> -- >> >> --- >> You received this message because you are subscribed to a topic in the >> Google Groups "ossec-list" group. >> To unsubscribe from this topic, visit >> https://groups.google.com/d/topic/ossec-list/QeNptAfzGQQ/unsubscribe. >> To unsubscribe from this group and all its topics, send an email to >> [email protected]. >> For more options, visit https://groups.google.com/groups/opt_out. > > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
