Sure. Current rule:

  <rule id="531" level="7" ignore="7200">
    <if_sid>530</if_sid>
    <match>ossec: output: 'df -h': /dev/</match>
    <regex>100%</regex>
    <description>Partition usage reached 100% (disk space monitor).</description>
    <group>low_diskspace,</group>
  </rule>

Leave that rule for 100% (so you don't modify the original rules).

In local_rules add:

  <!-- rule id left as a placeholder: pick an unused id from the user-defined range -->
  <rule id="xxxxxx" level="7" ignore="7200">
    <if_sid>530</if_sid>
    <match>ossec: output: 'df -h': /dev/</match>
    <regex>9\d%</regex>
    <description>Partition usage over 90% (disk space monitor).</description>
    <group>low_diskspace,</group>
  </rule>

On 20 April 2016 at 10:17, theresa mic-snare <rockprinz...@gmail.com> wrote:

> cool, would you mind sharing those custom rules with us? the threshold
> (over 90%) one is specifically appealing to me :)
>
> On Wednesday, 20 April 2016 09:12:29 UTC+2, Robert Micallef wrote:
>>
>> I added custom rules to alert if space is over 90%.
>>
>> On 20 April 2016 at 02:16, Santiago Bassett <santiago...@gmail.com>
>> wrote:
>>
>>> Out of curiosity, what is the rule supposed to trigger the alert? The
>>> one I see by default looks for full partitions...
>>>
>>>
>>> https://github.com/ossec/ossec-hids/blob/a7ca63d6d074f2f6bdb49f4bc79a054c31dcafc7/etc/rules/ossec_rules.xml#L137
>>>
>>> On Mon, Apr 18, 2016 at 2:07 AM, Robert Micallef <rober...@gmail.com>
>>> wrote:
>>>
>>>> I tested it on CentOS 5 and the output of df is as expected (Single
>>>> line).
>>>>
>>>> We don't have a lot of RHEL5 but this happens on every one I tried so far
>>>> (I tried 7).
>>>>
>>>> Here is the output of df -h on RHEL5:
>>>>
>>>> Filesystem            Size  Used Avail Use% Mounted on
>>>> /dev/mapper/VolGroup00-LogVol00
>>>>                        23G   16G  5.4G  75% /
>>>> /dev/hda1              99M   13M   82M  14% /boot
>>>> tmpfs                 4.9G     0  4.9G   0% /dev/shm
>>>>
>>>> Here is the output of a CentOS 5 machine:
>>>>
>>>> Filesystem            Size  Used Avail Use% Mounted on
>>>> /dev/sda3             1.9T  1.7T  104G  95% /
>>>> /dev/sda1              99M   36M   58M  39% /boot
>>>> tmpfs                 3.9G     0  3.9G   0% /dev/shm
>>>>
>>>> So on CentOS it is a single line and OSSEC picks that log up perfectly. But
>>>> on RHEL5 it will see 2 logs:
>>>>
>>>> ossec: output: 'df -h': /dev/mapper/VolGroup00-LogVol00
>>>> ossec: output: 'df -h':                        23G   16G  5.4G  75% /
>>>>
>>>> And it doesn't work. Tested in RHEL 5.8 and 5.11.
>>>>
>>>> --
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to ossec-list+...@googlegroups.com.
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>
>>>
>>
>

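The matching behaviour discussed in this thread, as an added example that is not from the list or from the OSSEC project: a small Python model of how rule 531 and the local 90% rule evaluate the `ossec: output: 'df -h'` log lines one at a time, run over log lines constructed from the df output quoted above (plus one made-up wrapped LVM volume at 92%), together with a helper that rejoins the two-line RHEL5 form so the usage figure lands on the same line as the device. `PREFIX`, `SAMPLE_LOGS`, `RULES`, `matching_rules`, `unwrap_df` and `alerts` are names chosen here; OSSEC's `\d` is written as `[0-9]`.

```python
import re

# Prefix OSSEC's command monitor puts in front of every output line of the command.
PREFIX = "ossec: output: 'df -h': "

# Constructed sample log lines, modelled on the df -h output quoted in the thread.
# The last two entries are made up: a second wrapped LVM volume that really is
# over the 90% threshold.
SAMPLE_LOGS = [
    PREFIX + "/dev/sda3             1.9T  1.7T  104G  95% /",
    PREFIX + "/dev/sda1              99M   36M   58M  39% /boot",
    PREFIX + "/dev/mapper/VolGroup00-LogVol00",
    PREFIX + "                       23G   16G  5.4G  75% /",
    PREFIX + "/dev/mapper/VolGroup00-LogVol01",                    # constructed
    PREFIX + "                      200G  184G   16G  92% /var",   # constructed
]

# The <match>/<regex> pairs of rule 531 and the local 90% rule from the thread:
# <match> is a literal substring, <regex> is applied to the same single line.
RULES = {
    "531":   (PREFIX + "/dev/", re.compile(r"100%")),
    "local": (PREFIX + "/dev/", re.compile(r"9[0-9]%")),
}


def matching_rules(line):
    """Ids of the rules whose literal <match> and <regex> both hit this one line.
    This mirrors how OSSEC evaluates them: per line, with no memory of the
    previous line, which is why the wrapped RHEL5 form is never matched."""
    return [rid for rid, (literal, rx) in RULES.items()
            if literal in line and rx.search(line)]


def unwrap_df(lines):
    """Rejoin a device-only line (df wrapped a long device name) with the stats
    line that follows it, giving the single-line layout df -P would print."""
    out, pending = [], None
    for line in lines:
        body = line[len(PREFIX):] if line.startswith(PREFIX) else line
        if pending is not None:
            # Previous line carried only the device name; glue the stats onto it.
            out.append(pending + " " + body.strip())
            pending = None
        elif body.startswith("/dev/") and len(body.split()) == 1:
            pending = line.rstrip()
        else:
            out.append(line)
    if pending is not None:
        out.append(pending)
    return out


def alerts(lines):
    """Map every line that fires at least one rule to the ids that fired."""
    result = {}
    for line in lines:
        hit = matching_rules(line)
        if hit:
            result[line] = hit
    return result


if __name__ == "__main__":
    print("as logged:", alerts(SAMPLE_LOGS))
    print("unwrapped:", alerts(unwrap_df(SAMPLE_LOGS)))
```

Evaluated as logged, only the CentOS root line (95%) fires the local rule; the wrapped LogVol01 entry is missed because its 92% sits on a line that does not carry the `/dev/` text the `<match>` requires, and the device-name line has no percentage at all. After `unwrap_df` both are caught. GNU df's `-P` (`--portability`) flag prevents the wrapping at the source, but changing the command in ossec.conf also changes the `'df -h'` text in the log prefix, so the `<match>` in rule 531 and in the local rule would have to be changed with it.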