Out of curiosity, what is the rule supposed to trigger the alert? The one I see by default looks for full partitions...
https://github.com/ossec/ossec-hids/blob/a7ca63d6d074f2f6bdb49f4bc79a054c31dcafc7/etc/rules/ossec_rules.xml#L137

On Mon, Apr 18, 2016 at 2:07 AM, Robert Micallef <robertm...@gmail.com> wrote:
> I tested it on CentOS 5 and the output of df is as expected (single line).
>
> We don't have a lot of RHEL5 but this happens on every one I tried so far (I tried 7).
>
> Here is the output of df -h on RHEL5:
>
> Filesystem            Size  Used Avail Use% Mounted on
> /dev/mapper/VolGroup00-LogVol00
>                        23G   16G  5.4G  75% /
> /dev/hda1              99M   13M   82M  14% /boot
> tmpfs                 4.9G     0  4.9G   0% /dev/shm
>
> Here is the output of a CentOS 5 machine:
>
> Filesystem            Size  Used Avail Use% Mounted on
> /dev/sda3             1.9T  1.7T  104G  95% /
> /dev/sda1              99M   36M   58M  39% /boot
> tmpfs                 3.9G     0  3.9G   0% /dev/shm
>
> So the CentOS is a single line and OSSEC picks that log perfectly. But RHEL5 it will see 2 logs:
>
> ossec: output: 'df -h': /dev/mapper/VolGroup00-LogVol00
> ossec: output: 'df -h': 23G 16G 5.4G 75% /
>
> And doesn't work. Tested in RHEL 5.8 and 5.11.
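As an added example (not OSSEC's code and not from the thread), a small Python joiner that re-attaches a device name wrapped onto its own line, as in the RHEL5 df -h output quoted above, before a usage threshold is evaluated. The sample is the RHEL5 output from the thread embedded as a constructed string; the 75% threshold is an assumption.

```python
import re

# Constructed sample: the RHEL5 df -h output quoted in the thread, with the
# LVM mapper device name wrapped onto its own line (the case that makes a
# line-oriented collector such as OSSEC command monitoring see two records).
RHEL5_DF = """\
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
                       23G   16G  5.4G  75% /
/dev/hda1              99M   13M   82M  14% /boot
tmpfs                 4.9G     0  4.9G   0% /dev/shm
"""

# One complete df -h record: fs, size, used, avail, use%, mount point.
# The header line has "Use%" rather than digits, so it never matches.
RECORD = re.compile(
    r"^(?P<fs>\S+)\s+(?P<size>\S+)\s+(?P<used>\S+)\s+(?P<avail>\S+)"
    r"\s+(?P<pct>\d+)%\s+(?P<mount>\S+)$"
)

def join_wrapped(lines):
    """Yield df records, re-attaching a device name that stands alone on a line."""
    pending = None
    for line in lines:
        if not line.strip():
            continue
        if pending is not None:
            # Continuation of a wrapped record: prepend the held device name.
            line = pending + " " + line.strip()
            pending = None
        elif len(line.split()) == 1:
            # Device name only (RHEL5 wrapping): hold it for the next line.
            pending = line.strip()
            continue
        yield line.strip()

def parse_df(output):
    """Return dicts with fs, pct (int) and mount for every parsable record."""
    records = []
    for line in join_wrapped(output.splitlines()):
        m = RECORD.match(line)
        if m:
            records.append({"fs": m["fs"], "pct": int(m["pct"]), "mount": m["mount"]})
    return records

def filesystems_over(output, threshold):
    """Mount points whose Use% is at or above threshold (assumed 75 here)."""
    return [r["mount"] for r in parse_df(output) if r["pct"] >= threshold]
```

Running the same functions over the single-line CentOS 5 output from the thread yields one record per filesystem as well, so the joiner is a no-op where df does not wrap.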