On Tue, Jun 14, 2016 at 1:19 PM, Jacob Mcgrath <[email protected]> wrote:
> Sorry, from what I see I do have that timestamp header in my logging from
> Elsa...
> ServPing Game DeezNutZ down
>
> 2016 Jun 14 11:04:01 alamo->/var/log/messages Jun 14 11:04:01 alamo logger:
> ServPing Game DeezNutZ down
>
> And from my /var/log/messages:
>
> 2016 Jun 14 12:10:03 alamo->/var/log/syslog Jun 14 12:10:01 alamo logger:
> ServPing Domain testing123 down
> 2016 Jun 14 12:10:03 alamo->/var/log/syslog Jun 14 12:10:01 alamo logger:
> ServPing Game DeezNutZ down
>
> Current decoders are:
>
> <decoder name="servping">
>   <prematch>ServPing</prematch>
> </decoder>
>
> <decoder name="servping-all">
>   <parent>servping</parent>
>   <regex offset="after_parent">(\w+) (\w+) (\w+)</regex>
>   <order>id,dstip,action</order>
> </decoder>
>
> Rules are:
>
> <group name="servping">
>   <rule id="700005" level="0">
>     <decoded_as>servping</decoded_as>
>     <description>PingServ Rules Group</description>
>   </rule>
>
>   <rule id="700006" level="5">
>     <if_sid>700005</if_sid>
>     <id>Domain</id>
>     <description>Domain Server Down 5 Minutes!</description>
>   </rule>
>
>   <rule id="700007" level="5">
>     <if_sid>700005</if_sid>
>     <id>Game</id>
>     <description>Gaming Server Down 5 Minutes!</description>
>   </rule>
>
>   <rule id="700008" level="12" frequency="1" timeframe="600">
>     <if_matched_sid>700006</if_matched_sid>
>     <description>Domain Server Down 10 Minutes!</description>
>     <group>authentication_failures,</group>
>   </rule>
>
>   <rule id="700009" level="12" frequency="1" timeframe="600">
>     <if_matched_sid>700007</if_matched_sid>
>     <description>Gaming Server Down 10 Minutes!</description>
>     <group>authentication_failures,</group>
>   </rule>
> </group>
>
> bash is:
>
> #!/bin/bash
> # Program name: ping-domain-serv.sh
>
> # */5 * * * * /home/mis/admin-tools/ping-domain-serv.sh (crontab runs
> # ping-domain-serv every 5 min)
> logpath=/var/log/
> pingtext=/home/mis/admin-tools/cfg/ping-domain.txt
>
> # Note: find recurses under /var/log and deletes every *.log older than
> # 7 days, not only ping-domain.log
> find "$logpath" -name "*.log" -type f -mtime +7 -print -delete
>
> # was "$logpath ping-domain.log", which creates "/var/log/ ping-domain.log"
> touch "${logpath}ping-domain.log"
>
> while read -r output
> do
>   if ping -c 1 "$output" > /dev/null 2>&1; then
>     echo "Server $output is up"
>   else
>     logger -t logger ServPing Domain "$output" down
>   fi
> done < "$pingtext"
>
> Just not seeing any alerts as of yet??
>
> Now with this log entry or entries:
>
> 2016 Jun 14 11:04:01 alamo->/var/log/messages Jun 14 11:04:01 alamo logger:
> ServPing Game DeezNutZ down
I haven't looked at the rest yet, but "2016 Jun 14 11:04:01 alamo->/var/log/messages" looks like the header added by OSSEC when it saves a log message to archives.log. I don't believe your /var/log/messages entries have this header on them. There's nothing in your shell script that would add it, and I've never seen a syslogd that adds it. Heck, the whole thing seems like nagios reinvented poorly.

> alamo logger: ServPing Game DeezNutZ down
> ServPing Game DeezNutZ down
>
> I get a result of:
> 2016 Jun 14 11:04:01 alamo->/var/log/messages Jun 14 11:04:01 alamo logger:
> ServPing Game DeezNutZ down
>
> **Phase 1: Completed pre-decoding.
>        full event: '2016 Jun 14 11:04:01 alamo->/var/log/messages Jun 14 11:04:01 alamo logger: ServPing Game DeezNutZ down'
>        hostname: 'alamo'
>        program_name: '(null)'
>        log: '2016 Jun 14 11:04:01 alamo->/var/log/messages Jun 14 11:04:01 alamo logger: ServPing Game DeezNutZ down'
>
> **Phase 2: Completed decoding.
>        decoder: 'servping'
>        id: 'Game'
>        dstip: 'DeezNutZ'
>        action: 'down'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '700009'
>        Level: '12'
>        Description: 'Gaming Server Down 10 Minutes!'
> **Alert to be generated.
>
> On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
>>
>> Was wondering on the best route/option to accomplish this?
>>
>> (similar to the USB storage detection)
>>
>> Was thinking about a batch or bash that would ping servers from a list to
>> a file. Every so many minutes this file would be overwritten with the new
>> results.
>>
>> If the results "differ" from the last log the alert would be triggered.
>>
>> (other option)
>>
>> Run script as scheduled task, write to log then monitor log like a syslog.
>> Regex for the failed pings. Then alerts.
>>
>> Curious if anyone had tried and found either way better?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
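As an added illustration of the point made in the reply above (my own example, not code from the thread, from Jacob's scripts, or from OSSEC itself): a small Python model of the three ossec-logtest phases, run over constructed copies of the raw syslog line and of the same line wrapped in the archives.log header. With the header present, the line no longer starts with a syslog header, so program_name stays unset (the '(null)' in the quoted logtest output) and hostname falls back to the local name; but because the posted "servping" decoder prematches anywhere in the log and the rules test only the decoded id, the rule fires regardless, which is why the logtest run looked fine while the real entries in /var/log/messages were never tested. The header regexes, the \w character class and the hostname fallback are my approximations of OSSEC's behaviour, the sample lines are constructed, and the frequency/timeframe rules 700008/700009 are not modelled.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample events (not taken from a real host). RAW_EVENT is the line
# as syslogd writes it to /var/log/messages; ARCHIVED_EVENT is the same event
# with the "YYYY Mon DD HH:MM:SS host->file " prefix OSSEC adds when it stores
# events in archives.log, which is what ended up being pasted into ossec-logtest.
RAW_EVENT = "Jun 14 11:04:01 alamo logger: ServPing Game DeezNutZ down"
ARCHIVED_EVENT = "2016 Jun 14 11:04:01 alamo->/var/log/messages " + RAW_EVENT

# archives.log prefix: year, month, day, time, hostname, "->", source location.
# (Approximation of OSSEC's format, not taken from its source.)
ARCHIVE_HEADER = re.compile(r"^\d{4} [A-Z][a-z]{2} [ \d]?\d \d\d:\d\d:\d\d \S+->\S+ ")

# BSD syslog header as found in /var/log/messages: "Mon DD HH:MM:SS host prog[pid]: msg".
SYSLOG_HEADER = re.compile(
    r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<log>.*)$"
)

# Model of the posted decoders. OSSEC's \w is wider than Python's (it also
# accepts '-' and '@'); this character class is an assumption.
PREMATCH = "ServPing"
WORD = r"[A-Za-z0-9_@-]+"
FIELD_RE = re.compile(rf"({WORD}) ({WORD}) ({WORD})")
FIELD_ORDER = ("id", "dstip", "action")


@dataclass
class PreDecoded:
    hostname: Optional[str]
    program_name: Optional[str]
    log: str


def strip_archive_header(line: str) -> str:
    """Undo the archives.log prefix so the line looks like the original syslog record."""
    return ARCHIVE_HEADER.sub("", line, count=1)


def predecode(line: str, local_hostname: str = "alamo") -> PreDecoded:
    """Phase 1. When the line carries no syslog header the whole line becomes
    'log', program_name is left unset (logtest prints '(null)') and hostname
    falls back to the local host, as in the quoted logtest output. The fallback
    is my reading of that output, not a guarantee about OSSEC internals."""
    m = SYSLOG_HEADER.match(line)
    if m is None:
        return PreDecoded(local_hostname, None, line)
    return PreDecoded(m["host"], m["prog"], m["log"])


def decode(pd: PreDecoded) -> Optional[dict]:
    """Phase 2: 'servping' prematch (found anywhere in the log), then the
    'servping-all' child regex applied after the parent match (offset=after_parent)."""
    idx = pd.log.find(PREMATCH)
    if idx < 0:
        return None
    rest = pd.log[idx + len(PREMATCH):]
    m = FIELD_RE.search(rest)
    if m is None:
        return {"decoder": "servping"}
    return {"decoder": "servping", **dict(zip(FIELD_ORDER, m.groups()))}


def match_rule(fields: Optional[dict]) -> Optional[tuple]:
    """Phase 3 for the posted chain: 700005 (decoded_as servping) and its
    children 700006/700007, selected by the decoded 'id' field only."""
    if fields is None:
        return None
    by_id = {
        "Domain": (700006, 5, "Domain Server Down 5 Minutes!"),
        "Game": (700007, 5, "Gaming Server Down 5 Minutes!"),
    }
    return by_id.get(fields.get("id"), (700005, 0, "PingServ Rules Group"))


def analyse(line: str) -> dict:
    """Run the three phases and return what logtest would print for them."""
    pd = predecode(line)
    fields = decode(pd)
    rule = match_rule(fields)
    return {
        "hostname": pd.hostname,
        "program_name": pd.program_name,
        "fields": fields,
        "rule_id": rule[0] if rule else None,
        "level": rule[1] if rule else None,
    }


if __name__ == "__main__":
    samples = (
        ("raw", RAW_EVENT),
        ("archived", ARCHIVED_EVENT),
        ("archived, header stripped", strip_archive_header(ARCHIVED_EVENT)),
    )
    for name, ev in samples:
        print(f"{name}: {analyse(ev)}")
```

A quick sanity check before pasting anything into ossec-logtest: if the sample starts with a four-digit year, it came from archives.log (or from a tool such as ELSA that stores the archived form), not from the syslog file the agent actually reads, so strip the prefix first. The model also shows a weakness the posted config carries: any message containing "ServPing" followed by three words fires 700006/700007 no matter which program wrote it, because neither the decoder nor the rules check program_name.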
