Hi all,

The OSSEC online documentation offers three examples for the Process Monitoring feature.

So far I have seen the "output of a command changed" example working in my environment (rule_id=533). I am really interested in the load average (uptime) example and want to get it working and understand the underlying logic. But I did not find any success story online, only a failure similar to my case (http://osdir.com/ml/ossec-list/2009-12/msg00153.html).

I set up my system as follows by following the online instructions:

1. Make sure to include the following setting in the file /var/ossec/etc/ossec.conf, which means we want to monitor the load average:

    <localfile>
      <log_format>command</log_format>
      <command>uptime</command>
    </localfile>

2. Add the following setting in the rule file /var/ossec/rules/local_rules.xml:

    <group name="ossec,">
      <rule id="100101" level="7" ignore="7200">
        <if_sid>530</if_sid>
        <match>ossec: output: 'uptime': </match>
        <regex>load averages: 1.</regex>
        <options>alert_by_email</options>
        <description>Load average reached 1..</description>
      </rule>
    </group>

Comments:
#1: For debugging convenience, I decreased the threshold value from 2 to 1.
#2: I guess we also need a group name for the rule, so I picked "ossec" here.

My understanding is that OSSEC would execute uptime every several minutes by default and send out an alert once the load is higher than the setting (1 in my test case), but I didn't see any alert.

What is the underlying logic for this rule? The document says "alert when it is higher than 2" (for the <regex>load averages: 2.</regex> case), therefore I guess there is a hidden comparison logic here. Is it an integer comparison or a float comparison? Can we change the value 2 to 0.5? Does the ending period character matter in the expression (<regex>load averages: 1.</regex>)?

Could you please share your experience if you have this feature working in your system? Thanks a lot.

Best Regards,
Yongzhi

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
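Added example (written for this page; it is not code from the post or from OSSEC itself): a small Python model of how a log_format "command" event is matched by a rule like the one above. It assumes the agent prefixes each output line with "ossec: output: 'uptime': " (as the <match> in the post implies) and it models OSSEC's regex dialect as documented for os_regex, where a bare "." is a literal dot and "\." means any character; the uptime lines are constructed and include both the Linux wording ("load average:") and the BSD wording ("load averages:"). What it shows is that <match> and <regex> are text matches against the command output, so "load averages: 1." only matches a 1-minute load that prints as 1.xx (not "anything higher than 1", and not a line that says "load average:" in the singular), while a real numeric threshold has to be parsed from the text, which the last function does outside the rule engine.

```python
import re

# Constructed sample uptime output (not captured from a real host).
# Lines 1-2 use the Linux/procps wording, lines 3-5 the BSD wording.
SAMPLE_UPTIME_LINES = [
    " 10:02:11 up 3 days,  4:17,  2 users,  load average: 0.52, 0.61, 0.70",
    " 10:07:11 up 3 days,  4:22,  2 users,  load average: 1.35, 1.10, 0.90",
    "10:12AM  up 3 days, 4:27, 2 users, load averages: 1.02, 0.98, 0.85",
    "10:17AM  up 3 days, 4:32, 2 users, load averages: 2.40, 1.80, 1.20",
    "10:22AM  up 3 days, 4:37, 2 users, load averages: 12.10, 9.00, 5.00",
]


def wrap_command_output(command, line):
    """Model of how the agent turns one line of command output into an event.
    The prefix is what the parent rule (530) and the post's <match> key on."""
    return f"ossec: output: '{command}': {line}"


def ossec_regex_to_python(pattern):
    """Translate the subset of OSSEC's <regex> dialect used here into Python re.
    Assumption modelled here: a bare '.' is a literal dot, '\\.' means any
    character, and \\d, \\w, \\s keep their usual meaning. There is no numeric
    comparison anywhere in this translation, which is the point of the example."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append("." if nxt == "." else "\\" + nxt)
            i += 2
        elif c in "|^$+*()":
            out.append(c)
            i += 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def rule_fires(event, match, regex):
    """<match> is a plain substring test and <regex> is the OSSEC pattern;
    both must succeed for the child rule to fire."""
    if match not in event:
        return False
    return re.search(ossec_regex_to_python(regex), event) is not None


def evaluate(lines, match="ossec: output: 'uptime': ", regex="load averages: 1."):
    """Run the post's rule over each sample line; returns (line, fired) pairs."""
    results = []
    for line in lines:
        event = wrap_command_output("uptime", line)
        results.append((line.strip(), rule_fires(event, match, regex)))
    return results


# Numeric alternative: parse the 1-minute load out of the text and compare it.
# Accepts both "load average:" and "load averages:" wordings.
LOAD_RE = re.compile(r"load averages?: ([0-9.]+)")


def one_minute_load(line):
    m = LOAD_RE.search(line)
    return float(m.group(1)) if m else None


def exceeds(lines, threshold):
    """True for every line whose 1-minute load is strictly above threshold."""
    flags = []
    for line in lines:
        load = one_minute_load(line)
        flags.append(load is not None and load > threshold)
    return flags


if __name__ == "__main__":
    print("rule <regex>load averages: 1.</regex>:")
    for line, fired in evaluate(SAMPLE_UPTIME_LINES):
        print(f"  {'ALERT' if fired else '     '}  {line}")
    print("numeric threshold > 1.0:")
    for line, over in zip(SAMPLE_UPTIME_LINES, exceeds(SAMPLE_UPTIME_LINES, 1.0)):
        print(f"  {'ALERT' if over else '     '}  {line.strip()}")
```

Running it shows the string rule firing on exactly one of the five lines (the BSD line reading "1.02"), and the "2." variant firing only on "2.40" while ignoring "12.10", whereas the numeric check flags every line above 1.0 regardless of wording. The trailing period in the rule therefore does matter: it anchors the match to the integer part followed by the decimal point.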
