On Thu, Nov 6, 2014 at 7:29 PM, <[email protected]> wrote:
> Dan, could you please also tell me how to set the interval time for OSSEC
> executing the command? When the target value is beyond the threshold setting, I
> hope the alert could be triggered ASAP; therefore I may need to reduce the
> default interval time in my system. Thanks a lot.
>
<frequency>SECONDS</frequency>
https://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.localfile.html?highlight=frequency#element-frequency

> On Thursday, November 6, 2014 11:33:57 AM UTC-8, dan (ddpbsd) wrote:
>>
>> On Thu, Nov 6, 2014 at 1:16 PM, <[email protected]> wrote:
>> > Hi all,
>> >
>> > The Ossec online documents offer three examples for the Process Monitoring
>> > feature.
>> >
>> > So far I did see the output-of-a-command-change example working in my
>> > environment (rule_id=533).
>> >
>> > I am really interested in the load average (uptime) example and want to get
>> > it working and understand the underlying logic. But I didn't find any
>> > success story online, only a failure situation similar to my case
>> > (http://osdir.com/ml/ossec-list/2009-12/msg00153.html).
>> >
>> > I set up my system as follows, following the online instructions:
>> >
>> > 1. Make sure to include the following setting in the file
>> > /var/ossec/etc/ossec.conf, which means we want to monitor the load
>> > average:
>> >
>> >   <localfile>
>> >     <log_format>command</log_format>
>> >     <command>uptime</command>
>> >   </localfile>
>> >
>>
>> Is OSSEC running the command?
>> I usually find it easier to use aliases.
>>
>> > 2. Add the following setting in the rule file
>> > /var/ossec/rules/local_rules.xml:
>> >
>> >   <group name="ossec,">
>> >     <rule id="100101" level="7" ignore="7200">
>> >       <if_sid>530</if_sid>
>> >       <match>ossec: output: 'uptime': </match>
>> >       <regex>load averages: 1.</regex>
>> >       <options>alert_by_email</options>
>> >       <description>Load average reached 1..</description>
>> >     </rule>
>> >   </group>
>> >
>>
>> I'd probably break this into 2 rules myself.
>> Rule 1:
>>
>>   level="1"
>>   <match>uptime_command</match> <!-- or whatever the alias would end up
>>   looking like -->
>>
>> Rule 2:
>>   <match>load average: 1.</match> <!-- My system has "load average" not
>>   "load averages" -->
>>
>> > Comments:
>> > #1: For debug convenience, I decreased the threshold value from 2 to 1.
>> > #2: I guess we also need a group name for the rule, so I picked "ossec"
>> > here.
>>
>> Nope, if you include the rule inside of the <group></group> already in
>> local_rules, you don't need one.
>>
>> >
>> > My understanding is that Ossec would execute uptime every several
>> > minutes by default and send out an alert once the load is higher than the
>> > setting (1 in my test case), but I didn't see any alert.
>> >
>>
>> The load average would have to be "1." Anything over 1.9 or under 1.0
>> would not cause an alert.
>>
>> > What is the underlying logic for this rule? The document says "alert
>> > when it is higher than 2 (for the <regex>load averages: 2.</regex> case)",
>> > therefore I
>>
>> That would alert when the load average is 2.0-2.9. 3.0+ would not
>> cause an alert.
>>
>> > guess there is a hidden comparison logic here. Is it an integer
>> > comparison or a float comparison? Can we change value 2 to 0.5? Does the
>> > ending point
>>
>> It's a string comparison. The string your rule is looking for is 'load
>> averages: 1.' If that exact string is not found, the alert will not be
>> triggered.
>>
>> > character matter in the expression (<regex>load averages: 1.</regex>)?
>> >
>>
>> Yes, it matters. If there is no "." in that place in the log message,
>> the alert will not be triggered.
>>
>> > Could you please share your experience if you have this feature working
>> > in your system? Thanks a lot.
>> >
>> >
>> > Best Regards,
>> > Yongzhi
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
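As an added illustration (not part of the thread and not OSSEC's own code), a small Python simulation of the plain substring test Dan describes for <match>, run over constructed uptime lines in the "ossec: output: 'uptime': ..." form the logcollector produces. It shows that "load average: 1." fires only when the 1-minute load is 1.0-1.9, never for 0.5 or for 2.0 and above, and never on a system whose uptime prints "load averages" (plural). The sample lines and the helper names are constructed for this example.

```python
import re

# Constructed samples of what ossec-logcollector emits for "uptime":
# Linux-style "load average:" and a BSD/macOS-style "load averages:" line.
SAMPLE_LOGS = [
    "ossec: output: 'uptime':  10:01:02 up 3 days,  2:11,  1 user,  load average: 0.52, 0.40, 0.35",
    "ossec: output: 'uptime':  10:02:02 up 3 days,  2:12,  1 user,  load average: 1.07, 0.80, 0.50",
    "ossec: output: 'uptime':  10:03:02 up 3 days,  2:13,  1 user,  load average: 1.95, 1.20, 0.70",
    "ossec: output: 'uptime':  10:04:02 up 3 days,  2:14,  1 user,  load average: 2.30, 1.60, 0.90",
    "ossec: output: 'uptime':  10:05:02 up 3 days,  2:15,  1 user,  load average: 10.11, 5.00, 2.00",
    "ossec: output: 'uptime': 10:06  up 3 days,  2:16, 1 user, load averages: 1.40 1.10 0.90",
]


def rule_matches(log_line: str, match: str) -> bool:
    """OSSEC <match> semantics as described in the thread: a plain substring
    test against the whole log line, with no numeric comparison at all."""
    return match in log_line


def one_minute_load(log_line: str) -> float:
    """Extract the 1-minute load so results can be labelled by value.
    Accepts both the singular and the plural wording."""
    m = re.search(r"load averages?: ([0-9.]+)", log_line)
    return float(m.group(1))


def evaluate(logs, match="load average: 1."):
    """Map each line's 1-minute load to whether the <match> string fires.
    Because the match string anchors on 'load average: ', only the first
    (1-minute) value can satisfy it; the 5- and 15-minute values never do."""
    return {one_minute_load(line): rule_matches(line, match) for line in logs}


if __name__ == "__main__":
    for load, fired in evaluate(SAMPLE_LOGS).items():
        print(f"1-minute load {load:>6}: {'ALERT' if fired else 'no alert'}")
```

Changing the match string to "load average: 2." moves the window to 2.0-2.9, exactly as Dan describes; covering "anything above a threshold" needs one match per leading digit range, which is why he suggests splitting the check into separate rules.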
