I have tried something different and used logger to push server ping failures to /var/log/messages. I do see this when I grep the OSSEC archive:

2016 Jun 13 23:30:22 alamo->/var/log/messages alamo logger: ServPing Domain DC01 down

So this works, but I cannot seem to get past phase one, pre-decoding:

hostname 'alamo'
program_name 'logger'
log 'ServPing Domain DC01 down'

Tried to adjust these decoders as so, but still no phase two. Thought maybe this log is already a child of another, but debug didn't yield much of anything.

<decoder name="servping">
  <prematch>^ServPing </prematch>
</decoder>

<decoder name="servping-all">
  <parent>servping</parent>
  <regex offset="after_parent">(\w+) (\w+) (\w+)</regex>
  <order>id,dstip,action</order>
</decoder>

On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
> Was wondering on the best route/option to accomplish this?
>
> (similar to the USB storage detection)
>
> Was thinking about a batch or bash that would ping servers from a list to a file. That every so many minutes this file would be overwritten with the new results.
>
> If the results "differ" from the last log the alert would be triggered.
>
> (other option)
>
> Run script as scheduled task, write to log then monitor log like a syslog. Regex for the failed pings. Then alerts.
>
> Curious if any had tried and found either way better?
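The script below is an added example for this thread, not code posted by either participant. It implements the "write to a log, monitor it like syslog" option from the original question together with the "alert only when the results differ from the last run" idea: it pings a list of hosts, keeps the previous result in a state file, and sends one syslog line per state change in exactly the shape the posted decoder expects (prematch `^ServPing `, then three whitespace-separated `\w+` fields, which the posted `<order>` maps to id, dstip and action). The paths `/etc/servping/hosts` and `/var/lib/servping/state.json`, the `Domain` default group and the `ping` flags (Linux iputils) are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Ping a host list and report state changes through syslog for OSSEC.

Added example for this thread, not code posted by its participants.
Each event is written as 'ServPing <group> <host> <up|down>', the shape
the posted decoder expects: prematch '^ServPing ', then three \\w+ fields.
Paths and the 'Domain' default group are assumptions for illustration.
"""
import json
import os
import subprocess
import sys
from typing import Callable, Dict, List, Tuple

TAG = "ServPing"                               # syslog ident (OSSEC program_name)
STATE_FILE = "/var/lib/servping/state.json"   # assumed: last run's results
HOSTS_FILE = "/etc/servping/hosts"            # assumed: "group host" per line
DEFAULT_GROUP = "Domain"                      # used when a line has no group


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Parse 'group host' lines; blank lines and '#' comments are skipped.
    A line with a single token gets DEFAULT_GROUP."""
    hosts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) == 1:
            hosts.append((DEFAULT_GROUP, parts[0]))
        else:
            hosts.append((parts[0], parts[1]))
    return hosts


def format_event(group: str, host: str, status: str) -> str:
    """Build the log message. Fields must not contain whitespace, otherwise
    the decoder's '(\\w+) (\\w+) (\\w+)' would split at the wrong place."""
    for field in (group, host, status):
        if not field or any(ch.isspace() for ch in field):
            raise ValueError(f"field {field!r} would break decoder field boundaries")
    return f"{TAG} {group} {host} {status}"


def ping_host(host: str, timeout_s: int = 2) -> bool:
    """One ICMP echo request; flags are for Linux iputils ping."""
    result = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def check_hosts(hosts: List[Tuple[str, str]], previous: Dict[str, bool],
                probe: Callable[[str], bool]) -> Tuple[Dict[str, bool], List[str]]:
    """Probe every host and return (new state, events to log).

    Only changes against the previous run are reported. A host never seen
    before is assumed to have been up, so a host that is down on the first
    run is reported instead of staying silent until it recovers.
    """
    state: Dict[str, bool] = {}
    events: List[str] = []
    for group, host in hosts:
        up = probe(host)
        state[host] = up
        if up != previous.get(host, True):
            events.append(format_event(group, host, "up" if up else "down"))
    return state, events


def load_state(path: str) -> Dict[str, bool]:
    if not os.path.exists(path):
        return {}
    with open(path) as fh:
        return json.load(fh)


def save_state(path: str, state: Dict[str, bool]) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        json.dump(state, fh)


def emit_syslog(message: str) -> None:
    """Send one line to the local syslog daemon tagged TAG, so it lands in
    /var/log/messages (or wherever the daemon routes LOG_DAEMON warnings)."""
    import syslog  # Unix only; imported here so the rest stays importable
    syslog.openlog(TAG, 0, syslog.LOG_DAEMON)
    syslog.syslog(syslog.LOG_WARNING, message)
    syslog.closelog()


if __name__ == "__main__":
    hosts_path = sys.argv[1] if len(sys.argv) > 1 else HOSTS_FILE
    with open(hosts_path) as fh:
        host_list = parse_hosts(fh.read())
    new_state, pending = check_hosts(host_list, load_state(STATE_FILE), ping_host)
    for event in pending:
        emit_syslog(event)
    save_state(STATE_FILE, new_state)
```

Run it from cron every few minutes. Because the script sets the syslog ident to `ServPing`, the pre-decoder will show program_name 'ServPing' rather than 'logger'; the posted decoder keys only on the log text, so that does not change what it matches. To confirm both phases without waiting for a real outage, feed a generated line such as `ServPing Domain DC01 down` to ossec-logtest and check that the servping-all decoder reports id, dstip and action.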
