Hi Dan, Ok fixed finally.
I modified the rule to have ossec as decoder not ossec-mem. <group name="memory-usage"> <rule id="100080" level="0"> <decoded_as>ossec</decoded_as> <description>Custom Mem Usage Alerts</description> </rule> <rule id="100081" level="7"> <if_group>memory-usage</if_group> <extra_data>^7|^8|^9|^100</extra_data> <description>Test_Mem_Usage</description> </rule> This way the alerts are triggered if over 80%. They are being triggered in ossec-logtest but I can't see them in alerts.log or the WebUI. I modified the scripts on the agents to return only a single number and then modified the local_decoder which now looks like this: <decoder name="ossec-mem"> <parent>ossec</parent> <prematch offset="after_parent">'mem-usage': </prematch> <regex offset="after_prematch>^(\d+)%</regex> <order>extra_data</order> </decoder> In the archives.log I see the following output: 2013 Dec 30 15:26:28 (m-s-comm1) 10.152.1.227->mem-usage ossec: output: 'mem-usage': 71% In ossec-logtest I see the following output: **Phase 1: Completed pre-decoding. full event: 'ossec: output: 'mem-usage': 71%' hostname: 'm-p-log1' program_name: '(null)' log: 'ossec: output: 'mem-usage': 71%' **Phase 2: Completed decoding. decoder: 'ossec' extra_data: '71' **Phase 3: Completed filtering (rules). Rule id: '100081' Level: '7' Description: 'Test_Mem_Usage' **Alert to be generated. I don't get it. The alert should be triggered. Any ideas? Thanks. On 30 December 2013 14:50, dan (ddp) <[email protected]> wrote: > On Mon, Dec 30, 2013 at 8:13 AM, Robert Micallef <[email protected]> > wrote: > > Hi Dan, > > > > Thanks for your help so far. I have tried searching before asking again > and > > as far as I can see this should work. > > > > The decoder works. I used ossec-logtest and up to phase 2, the > percentage is > > taken in extra_data > > > > <decoder name="ossec-mem"> > > <parent>ossec</parent> > > <prematch offset="after_parent">'mem-usage': </prematch> > > <regex offset="after_prematch>^(\d+.\d+)%</regex> > > <order>extra_data</order> > > </decoder> > > > > However I cannot get the rule to trigger. Below is the rule I defined. I > > used /d to test. > > > > <group name="memory-usage"> > > <rule id="100080" level="0"> > > <decoded_as>ossec-mem</decoded_as> > > <description>Custom Mem Usage Alerts</description> > > </rule> > > > > <rule id="100081" level="7"> > > <if_group>memory-usage</if_group> > > <extra_data>\d</extra_data> > > I believe extra_data should be a number (and I don't think the field > is regex capable). > > > <description>Test_Mem_Usage</description> > > </rule> > > > > I also tried this instead of the one above: > > > > <rule id="100081" level="7"> > > <if_sid>100080</if_sid> > > <extra_data>\d</extra_data> > > <description>Test_Mem_Usage</description> > > </rule> > > > > I can't figure out why it's not working. > > > > Thanks again. > > > > > > On 27 December 2013 16:13, dan (ddp) <[email protected]> wrote: > >> > >> On Fri, Dec 27, 2013 at 10:00 AM, Robert Micallef <[email protected] > > > >> wrote: > >> > Hi Dan, > >> > > >> > Thanks for the feedback. I cannot figure out how to get the decoder to > >> > work. > >> > > >> > >> <decoder name="ossec-mem"> > >> <parent>ossec</parent> > >> <prematch offset="after_parent">'mem-usage': </prematch> > >> <regex offset="after_prematch>^(\d+.\d+)%</regex> > >> <order>extra_data</order> > >> </decoder> > >> > >> With that you should be able to include somethinglike: > >> <extra_data>^7</extra_data> > >> in your rule (untested though, so test first). > >> > >> > However are you sure that the actual log is being decoded as: 'ossec: > >> > output: 'mem-usage': 79,whatever%' > >> > > >> > >> Yes, I'm sure. You can verify for yourself. > >> > >> > I tried modifying the rule as follows: > >> > > >> > > >> > <rule id="100074" level="7" ignore="7200"> > >> > <if_sid>530</if_sid> > >> > <match>ossec: output: 'mem-usage':7</match> > >> > > >> > >> Double check your spacing. > >> > >> > <description>High Memory Usage</description> > >> > </rule> > >> > > >> > According to ossec-logtest the rule should be triggered, and yet it > >> > isn't. > >> > > >> > >> Did you restart the ossec processes on the server after changing your > >> rule? > >> > >> > > >> > On 27 December 2013 14:57, dan (ddp) <[email protected]> wrote: > >> >> > >> >> On Fri, Dec 27, 2013 at 8:41 AM, Robert Micallef < > [email protected]> > >> >> wrote: > >> >> > Hi Dan, > >> >> > > >> >> > From archives.log: > >> >> > > >> >> > 2013 Dec 27 11:31:01 (m-s-comm1) 10.152.1.227->mem-usage ossec: > >> >> > output: > >> >> > 'mem-usage': > >> >> > 70.85% > >> >> > > >> >> > From alerts.log I see nothing at those timestamps. > >> >> > > >> >> > Am I looking at the correct logs? > >> >> > > >> >> > >> >> Yes, archives.log gives you a sample of the log message you are > trying > >> >> to match against. > >> >> From reading the documentation or looking at the mailing list > >> >> archives, you can see that there is a header on this log message. So > >> >> the log we want to test against is: > >> >> ossec: output: 'mem-usage':70.85% > >> >> > >> >> I don't have ossec available at the moment to copy/paste the whole > >> >> ossec-logtest output for you, but it's easy enough for you to > recreate > >> >> on your own. The important part I want to look at first is what is > >> >> predecoded as the "log" field. This is what <match> and <regex> > >> >> entries will be looking at: > >> >> > >> >> log: 'ossec: output: 'mem-usage': 79,whatever%' > >> >> > >> >> From that one line we can tell that your regex is not correct, the > >> >> first character is not a number. > >> >> > >> >> You can either adjust your rule to account for this, or create a > >> >> decoder to put the % in a field and check against it in your rule. I > >> >> personally think the decoder option would be easier, but I've written > >> >> a few in the past. > >> >> > >> >> > Thanks. > >> >> > > >> >> > > >> >> > > >> >> > On 27 December 2013 11:13, dan (ddp) <[email protected]> wrote: > >> >> >> > >> >> >> > >> >> >> On Dec 27, 2013 5:11 AM, "Robert Micallef" <[email protected]> > >> >> >> wrote: > >> >> >> > > >> >> >> > Thanks a lot Dan. That worked like a charm. It didn't cross my > >> >> >> > mind > >> >> >> > to > >> >> >> > grep only the PID. > >> >> >> > > >> >> >> > I used the <check_diff /> option and: > >> >> >> > ps -ef | grep process-name | awk '{ print $2 }' > >> >> >> > > >> >> >> > It is working well now. Can you also please tell me what I did > >> >> >> > wrong > >> >> >> > with this rule? > >> >> >> > > >> >> >> > I created a script to output the Memory Usage. The output will > be > >> >> >> > the > >> >> >> > percentage used. Ex: 67.5%. I want an alert when it is over 80%. > >> >> >> > > >> >> >> > I have OSSEC running the script with the following: > >> >> >> > > >> >> >> > <localfile> > >> >> >> > <log_format>full_command</log_format> > >> >> >> > <command>sh /var/ossec/scripts/memusage.sh</command> > >> >> >> > <alias>mem-usage</alias> > >> >> >> > </localfile> > >> >> >> > > >> >> >> > On the server I created the following rule: > >> >> >> > > >> >> >> > <rule id="100074" level="7" ignore="7200"> > >> >> >> > <if_sid>530</if_sid> > >> >> >> > <match>ossec: output: 'mem-usage':</match> > >> >> >> > <regex>^8|^9|^10</regex> > >> >> >> > <description>High Memory Usage</description> > >> >> >> > </rule> > >> >> >> > > >> >> >> > To test that this is working I then created this rule: > >> >> >> > > >> >> >> > <rule id="100075" level="7" ignore="7200"> > >> >> >> > <if_sid>530</if_sid> > >> >> >> > <match>ossec: output: 'mem-usage':</match> > >> >> >> > <regex>^1|^2|^3|^4|^5|^6|^7</regex> > >> >> >> > <description>Test Memory Usage</description> > >> >> >> > </rule> > >> >> >> > > >> >> >> > I left it running for a few days and I see no alerts. Any idea > how > >> >> >> > to > >> >> >> > fix this please? > >> >> >> > > >> >> >> > >> >> >> Turn on the log all option on the server and provide us with a > >> >> >> sample > >> >> >> log > >> >> >> message. > >> >> >> > >> >> >> > Thanks. > >> >> >> > > >> >> >> > -- > >> >> >> > > >> >> >> > --- > >> >> >> > You received this message because you are subscribed to the > Google > >> >> >> > Groups "ossec-list" group. > >> >> >> > To unsubscribe from this group and stop receiving emails from > it, > >> >> >> > send > >> >> >> > an email to [email protected]. > >> >> >> > >> >> >> > >> >> >> > For more options, visit > https://groups.google.com/groups/opt_out. > >> >> >> > >> >> >> -- > >> >> >> > >> >> >> --- > >> >> >> You received this message because you are subscribed to a topic in > >> >> >> the > >> >> >> Google Groups "ossec-list" group. > >> >> >> To unsubscribe from this topic, visit > >> >> >> > >> >> >> > https://groups.google.com/d/topic/ossec-list/QeNptAfzGQQ/unsubscribe. > >> >> >> To unsubscribe from this group and all its topics, send an email > to > >> >> >> [email protected]. > >> >> >> > >> >> >> For more options, visit https://groups.google.com/groups/opt_out. > >> >> > > >> >> > > >> >> > -- > >> >> > > >> >> > --- > >> >> > You received this message because you are subscribed to the Google > >> >> > Groups > >> >> > "ossec-list" group. > >> >> > To unsubscribe from this group and stop receiving emails from it, > >> >> > send > >> >> > an > >> >> > email to [email protected]. > >> >> > For more options, visit https://groups.google.com/groups/opt_out. > >> >> > >> >> -- > >> >> > >> >> --- > >> >> You received this message because you are subscribed to a topic in > the > >> >> Google Groups "ossec-list" group. > >> >> To unsubscribe from this topic, visit > >> >> https://groups.google.com/d/topic/ossec-list/QeNptAfzGQQ/unsubscribe > . > >> >> To unsubscribe from this group and all its topics, send an email to > >> >> [email protected]. > >> >> For more options, visit https://groups.google.com/groups/opt_out. > >> > > >> > > >> > -- > >> > > >> > --- > >> > You received this message because you are subscribed to the Google > >> > Groups > >> > "ossec-list" group. > >> > To unsubscribe from this group and stop receiving emails from it, send > >> > an > >> > email to [email protected]. > >> > For more options, visit https://groups.google.com/groups/opt_out. > >> > >> -- > >> > >> --- > >> You received this message because you are subscribed to a topic in the > >> Google Groups "ossec-list" group. > >> To unsubscribe from this topic, visit > >> https://groups.google.com/d/topic/ossec-list/QeNptAfzGQQ/unsubscribe. > >> To unsubscribe from this group and all its topics, send an email to > >> [email protected]. > >> For more options, visit https://groups.google.com/groups/opt_out. > > > > > > -- > > > > --- > > You received this message because you are subscribed to the Google Groups > > "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send an > > email to [email protected]. > > For more options, visit https://groups.google.com/groups/opt_out. > > -- > > --- > You received this message because you are subscribed to a topic in the > Google Groups "ossec-list" group. > To unsubscribe from this topic, visit > https://groups.google.com/d/topic/ossec-list/QeNptAfzGQQ/unsubscribe. > To unsubscribe from this group and all its topics, send an email to > [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
