On Mon, Dec 30, 2013 at 3:29 PM, Robert Micallef <[email protected]> wrote:
> Yes, but all from log monitoring. But I checked just now, and it has been running for some time now and I still can't see an alert. One thing I noticed is that without the custom decoder and having the rule set to match the output and alert when it sees any number by using the regex "/d", alerts are generated (although not for over 80% as I need it), which could mean that the regex is not matching the actual log. As I posted earlier, in archives.log I find the following log:
>
> 2013 Dec 30 15:26:28 (m-s-comm1) 10.152.1.227->mem-usage ossec: output: 'mem-usage':
> 71%
>
> The percentage is always in a line beneath the log. I don't know if that makes a difference.
>
> In ossec-logtest I input the following as a single line to test:
> ossec: output: 'mem-usage': 71%
>
Yeah, that might make a difference. ossec-logtest doesn't really work with multi-line logs, so it probably isn't matching. I'm not entirely sure how to account for that log silliness offhand; I'd have to play around with it.
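As an added illustration (not OSSEC code, and not from either poster), the Python below reproduces the mismatch discussed in the thread: the pattern that matches the single-line ossec-logtest input finds nothing when the percentage sits on the line beneath the header in archives.log, while a small parser that stitches the two lines together recovers the value and can apply the "over 80%" threshold. The sample log is constructed from the format quoted above; the third, single-line 45% entry is hypothetical, added to show the parser also accepts that form.

```python
import re

# Constructed sample in the layout quoted in the thread: header on one line of
# archives.log, percentage on the line beneath. The hypothetical third entry puts
# the percentage on the header line, the form the poster typed into ossec-logtest.
SAMPLE_LOG = """\
2013 Dec 30 15:26:28 (m-s-comm1) 10.152.1.227->mem-usage ossec: output: 'mem-usage':
71%
2013 Dec 30 15:31:28 (m-s-comm1) 10.152.1.227->mem-usage ossec: output: 'mem-usage':
93%
2013 Dec 30 15:36:28 (m-s-comm1) 10.152.1.227->mem-usage ossec: output: 'mem-usage': 45%
"""

# Header line; the percentage is optional because it is usually on the next line.
HEADER = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \((?P<agent>[^)]+)\) \S+ "
    r"ossec: output: 'mem-usage':\s*(?:(?P<pct>\d+)%)?\s*$"
)
PCT_LINE = re.compile(r"^\s*(?P<pct>\d+)%\s*$")  # continuation line with only the percentage
ONE_LINE = re.compile(r"ossec: output: 'mem-usage': (?P<pct>\d+)%")  # single-line form

def single_line_matches(log):
    """Line-by-line matching, as a single-line regex sees archives.log:
    only entries with the percentage on the header line can match."""
    return [int(m.group("pct")) for line in log.splitlines()
            if (m := ONE_LINE.search(line))]

def parse_mem_usage(log):
    """Stitch each header line to the percentage on the following line."""
    events, pending = [], None
    for line in log.splitlines():
        h = HEADER.match(line)
        if h:
            pending = (h.group("ts"), h.group("agent"))
            pct = h.group("pct")  # only set in the single-line form
        else:
            p = PCT_LINE.match(line)
            pct = p.group("pct") if (p and pending) else None
        if pct is not None and pending:
            events.append({"ts": pending[0], "agent": pending[1], "pct": int(pct)})
            pending = None
    return events

def alerts(log, threshold=80):
    """Entries over the threshold; the thread wants alerts for usage over 80%."""
    return [e for e in parse_mem_usage(log) if e["pct"] > threshold]
```

Running `single_line_matches(SAMPLE_LOG)` returns only the hypothetical same-line entry, while `alerts(SAMPLE_LOG)` returns the 93% event read from the two-line layout.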
