On Fri, Jun 3, 2016 at 10:20 AM, Jacob Mcgrath
<[email protected]> wrote:
> I have a script that pings a server list at timed intervals and only writes
> failures to a log, like so (this is a test run using an unknown machine name):
>
> PINGSERV PING FAILURE 06/03/2016 8:40:48.35 fail1
>
>
> Now I have set up decoders like so:
>
>
> <decoder name="pingserv">
> <prematch>^PINGSERV PING </prematch>
> </decoder>
>
> <decoder name="pingserv-fail">
> <parent>pingserv</parent>
> <regex offset="after_parent">(\w+) (\d\d/\d\d/\d\d\d\d \d:\d\d:\d\d.\d\d) (\w+)</regex>
> <order>action,extra_data,dstip</order>
> </decoder>
>
>
> The output is as follows (more or less what I want):
>
>
> PINGSERV PING FAILURE 06/03/2016 8:40:48.35 fail1
>
>
> **Phase 1: Completed pre-decoding.
> full event: 'PINGSERV PING FAILURE 06/03/2016 8:40:48.35 fail1 '
> hostname: 'alamo'
> program_name: '(null)'
> log: 'PINGSERV PING FAILURE 06/03/2016 8:40:48.35 fail1 '
>
> **Phase 2: Completed decoding.
> decoder: 'pingserv'
> action: 'FAILURE'
> extra_data: '06/03/2016 8:40:48.35'
> dstip: 'fail1'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '1002'
> Level: '2'
> Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
>
>
> The issue is that I am not able to trigger the rule below:
>
>
> <group name="ping-servers">
> <rule id="100010" level="0">
> <decoded_as>pingserv</decoded_as>
> <description>Grouping For Server Ping Group</description>
> </rule>
> </group>
>
Either use if_sid 1002, or create a rule with a level:
<rule id="110011" level="1">
<!-- parent must be the id of the level-0 grouping rule (100010 in the group above) -->
<if_sid>100010</if_sid>
<action>FAILURE</action>
<description> FAILURE</description>
</rule>
ossec-testrule: Type one log per line.
PINGSERV PING FAILURE 06/03/2016 8:40:48.35 fail1
**Phase 1: Completed pre-decoding.
full event: 'PINGSERV PING FAILURE 06/03/2016 8:40:48.35 fail1'
hostname: 'ipyr'
program_name: '(null)'
log: 'PINGSERV PING FAILURE 06/03/2016 8:40:48.35 fail1'
**Phase 2: Completed decoding.
decoder: 'pingserv'
action: 'FAILURE'
extra_data: '06/03/2016 8:40:48.35'
dstip: 'fail1'
**Phase 3: Completed filtering (rules).
Rule id: '110011'
Level: '1'
Description: ' FAILURE'
**Alert to be generated.
>
>
>
> On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
>>
>> Was wondering on the best route/option to accomplish this?
>>
>>
>> (similar to the USB storage detection)
>>
>> Was thinking about a batch or bash script that would ping servers from a list
>> and write the results to a file. Every so many minutes this
>> file would be overwritten with the new results.
>>
>> If the results "differ" from the last log the alert would be triggered.
>>
>>
>> (other option)
>>
>> Run script as scheduled task, write to log then monitor log like a syslog.
>> Regex for the failed pings. Then alerts.
>>
>>
>> Curious if anyone has tried either and found one way better?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
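To make the decoder/rule interaction in this thread concrete, here is an added Python emulation of the prematch, the after_parent child regex and the two-level rule tree; it is not ossec-logtest and not code from either poster. OSSEC regex is approximated with Python's re (\d and \w mapped to the nearest Python classes), and the widened pattern, the second sample line and its hostname are assumptions of mine.

```python
import re

# Added emulation of the thread's decoder and rule tree (not ossec-logtest).
# OSSEC regex approximated: \d -> [0-9], \w -> [A-Za-z0-9_] (Python's classes).
PREMATCH = re.compile(r"^PINGSERV PING ")
# Child decoder regex exactly as posted, applied with offset="after_parent".
FIELDS_ORIG = re.compile(r"(\w+) (\d\d/\d\d/\d\d\d\d \d:\d\d:\d\d.\d\d) (\w+)")
# Assumed wider variant: optional second hour digit, dotted/hyphenated hostnames.
FIELDS_WIDE = re.compile(r"(\w+) (\d\d/\d\d/\d\d\d\d \d\d?:\d\d:\d\d\.\d\d) ([\w.-]+)")
ORDER = ("action", "extra_data", "dstip")  # the <order> from the decoder

def decode(line, fields=FIELDS_ORIG):
    """Return decoded fields, or None when the parent prematch fails.

    If the prematch matches but the child regex does not, OSSEC still reports
    decoder 'pingserv' but extracts no fields; that is mirrored here."""
    m = PREMATCH.match(line)
    if not m:
        return None
    child = fields.match(line[m.end():])
    if not child:
        return {"decoder": "pingserv"}
    return {"decoder": "pingserv", **dict(zip(ORDER, child.groups()))}

# Rule tree from the thread: level-0 grouping rule, plus a level-1 child that
# fires only when its if_sid parent fired and the decoded action is FAILURE.
RULES = (
    {"id": "100010", "level": 0, "decoded_as": "pingserv", "if_sid": None, "action": None},
    {"id": "110011", "level": 1, "decoded_as": None, "if_sid": "100010", "action": "FAILURE"},
)

def evaluate(decoded):
    """Return the deepest rule that matched, or None if nothing did."""
    if not decoded:
        return None
    fired = None
    for rule in RULES:
        if rule["if_sid"] is None:
            if decoded.get("decoder") == rule["decoded_as"]:
                fired = rule
        elif fired and fired["id"] == rule["if_sid"] and decoded.get("action") == rule["action"]:
            fired = rule
    return fired

if __name__ == "__main__":
    # Constructed samples: the thread's event, and one logged after 09:59 to a dotted host.
    for line in ("PINGSERV PING FAILURE 06/03/2016 8:40:48.35 fail1",
                 "PINGSERV PING FAILURE 06/03/2016 10:40:48.35 db-01.corp.example"):
        for name, pat in (("posted regex", FIELDS_ORIG), ("widened regex", FIELDS_WIDE)):
            rule = evaluate(decode(line, pat))
            print(f"{name}: {line!r} -> rule {rule['id']} level {rule['level']}")
```

The posted regex only accepts a single-digit hour and a bare `\w+` hostname; a failure that misses the child regex still decodes as pingserv, stops at the level-0 grouping rule and never raises an alert, which is the silent case worth checking with ossec-logtest before trusting the rule.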