On Thu, Nov 6, 2014 at 1:16 PM, <[email protected]> wrote:
> Hi all,
>
> The OSSEC online documents offer three examples for the Process Monitoring
> feature.
>
> So far I have seen the "output of a command changed" example working in my
> environment (rule_id=533).
>
> I am really interested in the load average (uptime) example and want to get
> it working and understand the underlying logic. But I didn't find any
> success story online, only failure situations similar to my case
> (http://osdir.com/ml/ossec-list/2009-12/msg00153.html).
>
> I set up my system as follows by following the online instructions:
>
> 1, make sure to include the following setting in the file
> /var/ossec/etc/ossec.conf, which means we want to monitor the load average
>
> <localfile>
>   <log_format>command</log_format>
>   <command>uptime</command>
> </localfile>
>

Is OSSEC running the command? I usually find it easier to use aliases.

> 2, add the following setting in the rule file
> /var/ossec/rules/local_rules.xml
>
> <group name="ossec,">
>   <rule id="100101" level="7" ignore="7200">
>     <if_sid>530</if_sid>
>     <match>ossec: output: 'uptime': </match>
>     <regex>load averages: 1.</regex>
>     <options>alert_by_email</options>
>     <description>Load average reached 1..</description>
>   </rule>
> </group>
>

I'd probably break this into 2 rules myself.

Rule 1: level="1"
  <match>uptime_command</match> <!-- or whatever the alias would end up looking like -->

Rule 2:
  <match>load average: 1.</match> <!-- My system has "load average" not "load averages" -->

> Comments:
> #1: For debugging convenience, I decreased the threshold value from 2 to 1.
> #2: I guess we also need a group name for the rule, so I picked "ossec"
> here.

Nope, if you include the rule inside of the <group></group> already in
local_rules, you don't need one.

> My understanding is that OSSEC would execute uptime every several minutes by
> default and send out an alert once the load is higher than the setting (1 in
> my test case), but I didn't see any alert.

The load average would have to be "1." Anything over 1.9 or under 1.0 would
not cause an alert.

> What is the underlying logic for this rule? The document says "alert when it
> is higher than 2 (for the <regex>load averages: 2.</regex> case)", therefore
> I guess there is a hidden comparison logic here.

That would alert when the load average is 2.0-2.9. 3.0+ would not cause an
alert.

> Is it an integer comparison or a float comparison? Can we change value 2 to
> 0.5?

It's a string comparison. The string your rule is looking for is 'load
averages: 1.' If that exact string is not found, the alert will not be
triggered.

> Does the ending point character matter in the expression
> (<regex>load averages: 1.</regex>)?

Yes, it matters. If there is no "." in that place in the log message, the
alert will not be triggered.
> Could you please share your experience if you have this feature working on
> your system? Thanks a lot.
>
> Best Regards,
> Yongzhi
>
> --
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
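To make the "it's a string comparison" point concrete, the following is an added example (my own code, not from the thread and not part of OSSEC) that runs the posted rule, and the two-rule layout suggested in the reply, over a few constructed uptime events. It emulates only what is needed: the <match> substring test, the <regex> dialect as documented on the OSSEC regex syntax page (\d, \w, \s, \p and their negations; "\." meaning any character; a bare "." being a literal dot; ^, $, + and *; top-level | as OR), and the if_sid parent/child chain. Assumptions: parentheses are treated as literals, the \w class is an approximation, ignore="7200" and frequency are not modelled, rule 530 is reproduced from ossec_rules.xml from memory, and every sample line and load figure is made up.

```python
import re

# Constructed sample events (not from the thread): the form in which
# ossec-logcollector hands command output to analysisd for
# <log_format>command</log_format> with <command>uptime</command>, i.e. the
# command's output prefixed with "ossec: output: '<command>': ".
SAMPLE_LINES = [
    "ossec: output: 'uptime':  14:02:11 up 3 days,  4:17,  2 users,  load average: 0.52, 0.61, 0.70",
    "ossec: output: 'uptime':  14:07:11 up 3 days,  4:22,  2 users,  load average: 1.37, 1.10, 0.95",
    "ossec: output: 'uptime':  14:12:11 up 3 days,  4:27,  2 users,  load average: 2.10, 1.80, 1.20",
    "ossec: output: 'uptime':  14:17:11 up 3 days,  4:32,  2 users,  load average: 12.90, 9.40, 6.10",
    # BSD/macOS uptime says "load averages:" (the spelling used in the OSSEC docs)
    "ossec: output: 'uptime': 14:22  up 3 days,  4:37, 2 users, load averages: 1.45 1.20 1.05",
    "ossec: output: 'df -h': Filesystem  Size  Used Avail Use% Mounted on",
]

# OSSEC <regex> (os_regex) classes -> Python regex.  Note the quirk: "\." is
# the any-character token and a bare "." is a literal dot.  \w is approximated.
OSSEC_CLASSES = {
    r"\d": r"[0-9]", r"\D": r"[^0-9]",
    r"\w": r"[A-Za-z0-9@_\-]", r"\W": r"[^A-Za-z0-9@_\-]",
    r"\s": r" ", r"\S": r"[^ ]",
    r"\t": r"\t",
    r"\p": r"[()*+,\-.:;<=>?\[\]]",
    r"\.": r".",
}


def ossec_regex_to_python(pattern):
    """Translate an OSSEC <regex> pattern (subset, see above) to a Python regex."""
    alternatives = []
    for alt in pattern.split("|"):          # top-level | is OR in os_regex
        out, i = [], 0
        while i < len(alt):
            ch = alt[i]
            if ch == "\\" and i + 1 < len(alt):
                out.append(OSSEC_CLASSES.get(alt[i:i + 2], re.escape(alt[i + 1])))
                i += 2
            else:
                out.append(ch if ch in "+*^$" else re.escape(ch))  # "." stays literal
                i += 1
        alternatives.append("".join(out))
    return "|".join("(?:%s)" % a for a in alternatives)


def ossec_match(pattern, line):
    """<match> is a plain substring test; only ^, $ and a top-level | are special."""
    for alt in pattern.split("|"):
        start = 1 if alt.startswith("^") else 0
        end = len(alt) - 1 if alt.endswith("$") else len(alt)
        body = alt[start:end]
        if start and end < len(alt):
            hit = line == body
        elif start:
            hit = line.startswith(body)
        elif end < len(alt):
            hit = line.endswith(body)
        else:
            hit = body in line
        if hit:
            return True
    return False


def ossec_regex(pattern, line):
    return re.search(ossec_regex_to_python(pattern), line) is not None


def rule_fires(rule, line):
    return ((rule["match"] is None or ossec_match(rule["match"], line))
            and (rule["regex"] is None or ossec_regex(rule["regex"], line)))


def evaluate(rules, line):
    """Walk the rule tree as analysisd does: a rule with if_sid is only tried
    after its parent matched, and the deepest matching rule wins (level 0 never
    alerts).  ignore="7200" (repeat suppression) is not modelled."""
    children = {}
    for rule in rules:
        children.setdefault(rule["if_sid"], []).append(rule)
    winner, parent = None, None
    while True:
        nxt = next((r for r in children.get(parent, []) if rule_fires(r, line)), None)
        if nxt is None:
            return winner
        winner, parent = nxt, nxt["id"]


# Rule 530 from ossec_rules.xml (from memory): parent of every command-output event.
RULE_530 = {"id": 530, "level": 0, "if_sid": None, "match": "^ossec: output: '", "regex": None}

# The rule from the post, with Linux's "load average" spelling.
POSTERS_RULES = [
    RULE_530,
    {"id": 100101, "level": 7, "if_sid": 530,
     "match": "ossec: output: 'uptime': ", "regex": "load average: 1."},
]

# The two-rule layout from the reply, with a regex meaning "2 or more": OSSEC has
# no numeric comparison, so enumerate the leading digit 2-9 with | and let
# \d\d+ pick up two-digit loads and above.
TWO_TIER_RULES = [
    RULE_530,
    {"id": 100100, "level": 1, "if_sid": 530,
     "match": "ossec: output: 'uptime': ", "regex": None},
    {"id": 100101, "level": 7, "if_sid": 100100, "match": None,
     "regex": "|".join("load average: %d." % n for n in range(2, 10))
              + "|load average: \\d\\d+."},
]

LOAD_RE = re.compile(r"load averages?: ([0-9]+\.[0-9]+)")


def alerting_loads(rules, lines, min_level=7):
    """1-minute load figure of every line whose winning rule is at or above min_level."""
    hits = []
    for line in lines:
        rule = evaluate(rules, line)
        if rule is not None and rule["level"] >= min_level:
            m = LOAD_RE.search(line)
            hits.append(m.group(1) if m else line)
    return hits


if __name__ == "__main__":
    print("poster's rule alerts on   :", alerting_loads(POSTERS_RULES, SAMPLE_LINES))
    print("two-tier '>= 2' alerts on :", alerting_loads(TWO_TIER_RULES, SAMPLE_LINES))
    # os_regex quirk: written as "1\." the dot becomes a wildcard and 12.90 matches too
    print("'load average: 1\\.' on 12.90:", ossec_regex(r"load average: 1\.", SAMPLE_LINES[3]))
```

Run it and the posted rule fires only for the 1.37 event: 0.52, 2.10 and 12.90 miss the literal "load average: 1." string, and the BSD-style "load averages:" line never matches at all, which is the spelling mismatch raised in the reply. The df line stops at rule 530 (level 0) and produces nothing. Switching to the two-tier set with the enumerated-digit regex alerts on 2.10 and 12.90 while the low-level parent rule still records every uptime sample, so the chain can be checked with ossec-logtest before it is trusted.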
