On Thu, Jun 9, 2016 at 12:58 PM, Jacob Mcgrath
<[email protected]> wrote:
> Weird issue, anyone have insights :)
>
> My local log output:
> ServPing Domain AHHHHHHHH down 06092016 08:48:01
>
> ServPing Game AHHHHHHHH down 06092016 08:48:01
>
> Decoders & rules:
> <decoder name="servping-all">
> <parent>servping</parent>
> <regex offset="after_parent">(\w+) (\w+) (\w+) (\d\d\d\d\d\d\d\d \d\d:\d\d:\d\d)</regex>
> <order>id,dstip,action,extra_data</order>
> </decoder>
>
>
> <group name="servping-rules">
> <rule id="700005" level="0">
> <decoded_as>servping-all</decoded_as>
>
Before <decoded_as>servping</decoded_as>
ossec-testrule: Type one log per line.
ServPing Domain AHHHHHHHH down 06092016 08:48:01
**Phase 1: Completed pre-decoding.
full event: 'ServPing Domain AHHHHHHHH down 06092016 08:48:01'
hostname: 'ix'
program_name: '(null)'
log: 'ServPing Domain AHHHHHHHH down 06092016 08:48:01'
**Phase 2: Completed decoding.
decoder: 'servping'
id: 'Domain'
dstip: 'AHHHHHHHH'
action: 'down'
extra_data: '06092016 08:48:01'
After <decoded_as>servping</decoded_as>
ServPing Domain AHHHHHHHH down 06092016 08:48:01
**Phase 1: Completed pre-decoding.
full event: 'ServPing Domain AHHHHHHHH down 06092016 08:48:01'
hostname: 'ix'
program_name: '(null)'
log: 'ServPing Domain AHHHHHHHH down 06092016 08:48:01'
**Phase 2: Completed decoding.
decoder: 'servping'
id: 'Domain'
dstip: 'AHHHHHHHH'
action: 'down'
extra_data: '06092016 08:48:01'
**Phase 3: Completed filtering (rules).
Rule id: '300006'
Level: '12'
Description: 'Domain Server Down!'
**Alert to be generated.
> <description>PingServ Rules Group</description>
> </rule>
>
>
> <rule id="700006" level="12">
> <if_sid>700005</if_sid>
> <id>Domain</id>
> <description>Domain Server Down!</description>
> </rule>
>
> <rule id="700007" level="12">
> <if_sid>700005</if_sid>
> <id>Game</id>
> <description>Game Server Down!</description>
> </rule>
> </group>
>
> Now the decoders process down fine.... but the initial rule will not
> fire.... might be my use of the <id></id> option. Any thoughts?
>
>
> On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
>>
>> Was wondering on the best route/option to accomplish this?
>>
>>
>> (similar to the USB storage detection)
>>
>> Was thinking about a batch or bash script that would ping servers from a list to
>> a file. Every so many minutes this
>> file would be overwritten with the new results.
>>
>> If the results "differ" from the last log the alert would be triggered.
>>
>>
>> (other option)
>>
>> Run script as scheduled task, write to log then monitor log like a syslog.
>> Regex for the failed pings. Then alerts.
>>
>>
>> Curious if anyone had tried and found either way better?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
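A toy model of the decoder and rule chain discussed in this thread, added here as an example; it is not code from the post and not OSSEC's own implementation. It translates the posted decoder regex into Python's `re` syntax, reports the event under the parent decoder name (`servping`), which is what the ossec-logtest output in the reply shows, and models `<if_sid>` as a parent rule gating its children. The sample log lines, the `decode`/`evaluate`/`alerts` function names and the `Rule` class are constructed for this example; the rule ids, levels, descriptions and `<order>` field names are taken from the thread.

```python
"""Toy model of the ServPing decoder + rule group from the ossec-list thread.

Added example, not code from the post or from OSSEC. The decoder regex is a
Python translation of the OSSEC regex; rule evaluation is a simplified model
of a parent rule (700005) gating its <if_sid> children (700006, 700007).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the ServPing format shown in the thread.
SAMPLE_LOGS = [
    "ServPing Domain AHHHHHHHH down 06092016 08:48:01",
    "ServPing Game AHHHHHHHH down 06092016 08:48:01",
    "ServPing Game AHHHHHHHH up 06092016 08:53:01",  # constructed recovery line
]

# The child decoder "servping-all" hangs off parent "servping". The logtest
# output in the reply reports the event as decoder: 'servping', so that is the
# name a <decoded_as> has to reference (assumption: modelled as a constant).
PARENT_DECODER = "servping"
# Translation of: (\w+) (\w+) (\w+) (\d\d\d\d\d\d\d\d \d\d:\d\d:\d\d)
# applied after the parent's "ServPing " prefix.
DECODER_RE = re.compile(r"^ServPing (\w+) (\w+) (\w+) (\d{8} \d\d:\d\d:\d\d)$")
ORDER = ("id", "dstip", "action", "extra_data")  # the decoder's <order>


def decode(line: str) -> Optional[Dict[str, str]]:
    """Return the decoded fields for one log line, or None if it does not match."""
    m = DECODER_RE.match(line)
    if not m:
        return None
    fields = dict(zip(ORDER, m.groups()))
    fields["decoder"] = PARENT_DECODER
    return fields


@dataclass
class Rule:
    rid: int
    level: int
    description: str
    decoded_as: Optional[str] = None        # <decoded_as> on a top-level rule
    if_sid: Optional[int] = None            # <if_sid> makes this a child rule
    fields: Dict[str, str] = field(default_factory=dict)  # e.g. {"id": "Domain"}

    def matches(self, event: Dict[str, str]) -> bool:
        if self.decoded_as is not None and event.get("decoder") != self.decoded_as:
            return False
        return all(event.get(k) == v for k, v in self.fields.items())


def evaluate(rules: List[Rule], event: Dict[str, str]) -> Optional[Rule]:
    """Return the most specific matching rule: a top-level match, refined by
    the first <if_sid> child that also matches. None means nothing matched."""
    by_parent: Dict[Optional[int], List[Rule]] = {}
    for r in rules:
        by_parent.setdefault(r.if_sid, []).append(r)
    best = None
    frontier = by_parent.get(None, [])  # rules without <if_sid>
    while frontier:
        hit = next((r for r in frontier if r.matches(event)), None)
        if hit is None:
            break
        best = hit
        frontier = by_parent.get(hit.rid, [])
    return best


def alerts(rules: List[Rule], lines: List[str]) -> List[Tuple[int, int, str]]:
    """Decode and evaluate each line; level-0 matches generate no alert."""
    out = []
    for line in lines:
        ev = decode(line)
        if ev is None:
            continue
        hit = evaluate(rules, ev)
        if hit is not None and hit.level > 0:
            out.append((hit.rid, hit.level, hit.description))
    return out


def rules_with(decoded_as: str) -> List[Rule]:
    """The thread's rule group, parameterised on the <decoded_as> value."""
    return [
        Rule(700005, 0, "PingServ Rules Group", decoded_as=decoded_as),
        Rule(700006, 12, "Domain Server Down!", if_sid=700005, fields={"id": "Domain"}),
        Rule(700007, 12, "Game Server Down!", if_sid=700005, fields={"id": "Game"}),
    ]


RULES_AS_POSTED = rules_with("servping-all")  # child decoder name: never matches
RULES_FIXED = rules_with("servping")          # parent decoder name, as the reply shows

if __name__ == "__main__":
    print("as posted:", alerts(RULES_AS_POSTED, SAMPLE_LOGS))
    print("fixed:    ", alerts(RULES_FIXED, SAMPLE_LOGS))
```

Running it shows the posted rule group producing no alerts at all, because 700005 never matches and so its children are never reached, while the group referencing the parent decoder fires 700006 and 700007. The third (constructed) line also fires "Game Server Down!" even though its action is `up`: the posted child rules match on `<id>` alone and never inspect the decoded `action` field, so a recovery line would alert exactly like an outage until the rules also constrain `action`.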