Using
<decoder name="servping">
<program_name>^logger</program_name>
<prematch>^ServPing</prematch>
</decoder>
And
Jun 14 13:28:29 ix logger: ServPing Domain server down
Gives me:
ossec-testrule: Type one log per line.
Jun 14 13:28:29 ix logger: ServPing Domain server down
**Phase 1: Completed pre-decoding.
full event: 'Jun 14 13:28:29 ix logger: ServPing Domain server down'
hostname: 'ix'
program_name: 'logger'
log: 'ServPing Domain server down'
**Phase 2: Completed decoding.
decoder: 'servping'
id: 'Domain'
dstip: 'server'
action: 'down'
**Phase 3: Completed filtering (rules).
Rule id: '700006'
Level: '5'
Description: 'Domain Server Down 5 Minutes!'
**Alert to be generated.
After making these changes I'd have to restart the OSSEC processes to
get the changes to take effect.
On Tue, Jun 14, 2016 at 1:27 PM, dan (ddp) <[email protected]> wrote:
> On Tue, Jun 14, 2016 at 1:19 PM, Jacob Mcgrath
> <[email protected]> wrote:
>> Sorry, from what I see I do have that timestamp header in my logging from
>> Elsa...
>> ServPing Game DeezNutZ down
>>
>> 2016 Jun 14 11:04:01 alamo->/var/log/messages Jun 14 11:04:01 alamo logger:
>> ServPing Game DeezNutZ down
>>
>> And from my /var/log/message
>>
>>
>> 2016 Jun 14 12:10:03 alamo->/var/log/syslog Jun 14 12:10:01 alamo logger:
>> ServPing Domain testing123 down
>> 2016 Jun 14 12:10:03 alamo->/var/log/syslog Jun 14 12:10:01 alamo logger:
>> ServPing Game DeezNutZ down
>>
>>
>> Current Decoders are;
>>
>> <decoder name="servping">
>> <prematch>ServPing</prematch>
>> </decoder>
>>
>> <decoder name="servping-all">
>> <parent>servping</parent>
>> <regex offset="after_parent">(\w+) (\w+) (\w+)</regex>
>> <order>id,dstip,action</order>
>> </decoder>
>>
>>
>> Rules are:
>>
>> <group name="servping">
>> <rule id="700005" level="0">
>> <decoded_as>servping</decoded_as>
>> <description>PingServ Rules Group</description>
>> </rule>
>>
>> <rule id="700006" level="5">
>> <if_sid>700005</if_sid>
>> <id>Domain</id>
>> <description>Domain Server Down 5 Minutes!</description>
>> </rule>
>>
>> <rule id="700007" level="5">
>> <if_sid>700005</if_sid>
>> <id>Game</id>
>> <description>Gaming Server Down 5 Minutes!</description>
>> </rule>
>>
>> <rule id="700008" level="12" frequency="1" timeframe="600">
>> <if_matched_sid>700006</if_matched_sid>
>> <description>Domain Server Down 10 Minutes!</description>
>> <group>authentication_failures,</group>
>> </rule>
>>
>> <rule id="700009" level="12" frequency="1" timeframe="600">
>> <if_matched_sid>700007</if_matched_sid>
>> <description>Gaming Server Down 10 Minutes!</description>
>> <group>authentication_failures,</group>
>> </rule>
>> </group>
>>
>>
>> bash is:
>>
>> #!/bin/bash
>> # Program name: ping-domain-serv.sh
>>
>> # */5 * * * * /home/mis/admin-tools/ping-domain-serv.sh  (crontab: run ping-domain-serv every 5 min)
>> logpath=/var/log/
>> pingtext=/home/mis/admin-tools/cfg/ping-domain.txt
>>
>> find "$logpath" -name "*.log" -type f -mtime +7 -print -delete
>>
>> # braces needed: "$logpath ping-domain.log" would create "/var/log/ ping-domain.log" (with a space)
>> touch "${logpath}ping-domain.log"
>>
>> # one host per line in ping-domain.txt; -r keeps backslashes literal
>> while read -r output
>> do
>>   if ping -c 1 "$output" > /dev/null 2>&1; then
>>     echo "Server $output is up"
>>   else
>>     # -t logger sets the syslog tag, so the line arrives as "host logger: ServPing ..."
>>     logger -t logger "ServPing Domain $output down"
>>   fi
>> done < "$pingtext"
>>
>>
>> Just not seeing any alerts as of yet??
>>
>> Now with this log entry or entries:
>>
>> 2016 Jun 14 11:04:01 alamo->/var/log/messages Jun 14 11:04:01 alamo logger:
>> ServPing Game DeezNutZ down
>
> I haven't looked at the rest yet, but "2016 Jun 14 11:04:01
> alamo->/var/log/messages" looks like the header added by OSSEC when it
> saves a log message to archives.log.
> I don't believe your /var/log/messages entries have this header on
> them. There's nothing in your shell script that would add it, and I've
> never seen a syslogd that adds it.
>
> Heck, the whole thing seems like nagios reinvented poorly.
>
>> alamo logger: ServPing Game DeezNutZ down
>> ServPing Game DeezNutZ down
>>
>> I get a result of:
>> 2016 Jun 14 11:04:01 alamo->/var/log/messages Jun 14 11:04:01 alamo logger:
>> ServPing Game DeezNutZ down
>>
>>
>> **Phase 1: Completed pre-decoding.
>> full event: '2016 Jun 14 11:04:01 alamo->/var/log/messages Jun 14
>> 11:04:01 alamo logger: ServPing Game DeezNutZ down'
>> hostname: 'alamo'
>> program_name: '(null)'
>> log: '2016 Jun 14 11:04:01 alamo->/var/log/messages Jun 14 11:04:01
>> alamo logger: ServPing Game DeezNutZ down'
>>
>> **Phase 2: Completed decoding.
>> decoder: 'servping'
>> id: 'Game'
>> dstip: 'DeezNutZ'
>> action: 'down'
>>
>> **Phase 3: Completed filtering (rules).
>> Rule id: '700009'
>> Level: '12'
>> Description: 'Gaming Server Down 10 Minutes!'
>> **Alert to be generated.
>>
>> On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
>>>
>>> Was wondering on the best route/option to accomplish this?
>>>
>>>
>>> (similar to the USB storage detection)
>>>
>>> Was thinking about a batch or bash script that would ping servers from a list to
>>> a file. Every so many minutes this
>>> file would be overwritten with the new results.
>>>
>>> If the results "differ" from the last log the alert would be triggered.
>>>
>>>
>>> (other option)
>>>
>>> Run script as scheduled task, write to log then monitor log like a syslog.
>>> Regex for the failed pings. Then alerts.
>>>
>>>
>>> Curious if anyone had tried and found either way better?
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
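As an added example, not code from this thread or from OSSEC itself: a small Python stand-in for the three ossec-logtest phases, using the servping decoder from the reply at the top (program_name ^logger, prematch ^ServPing, child regex filling id, dstip, action). It shows why a line pasted with the archives.log prefix ("2016 Jun 14 11:04:01 alamo->/var/log/messages ...") pre-decodes with a null program_name and never reaches the decoder, while the raw syslog line does. The syslog header regex, the local hostname "ix" and the rule table are assumptions that approximate OSSEC's behaviour.

```python
import re

# Constructed stand-in for OSSEC's syslog pre-decoder: "Mon DD HH:MM:SS host prog[pid]: msg".
SYSLOG_RE = re.compile(
    r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<log>.*)$"
)
# The servping decoder from the reply above; Python's \w stands in for OSSEC's \w
# (assumption: equivalent for these samples). Rules: <id> value -> (rule id, level).
PROGRAM_NAME_RE = re.compile(r"^logger")
PREMATCH_RE = re.compile(r"^ServPing")
FIELDS_RE = re.compile(r"(\w+) (\w+) (\w+)")
RULES = {"Domain": ("700006", 5), "Game": ("700007", 5)}


def pre_decode(line, local_host="ix"):
    """Phase 1. Without a syslog header at the start (e.g. an archives.log prefix
    comes first), program_name stays null and the whole event becomes the log."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"hostname": local_host, "program_name": None, "log": line}
    return {"hostname": m["host"], "program_name": m["prog"], "log": m["log"]}


def decode(event):
    """Phase 2. Returns the decoded fields, or None when servping does not match."""
    prog = event["program_name"]
    if prog is None or not PROGRAM_NAME_RE.match(prog):
        return None
    pm = PREMATCH_RE.match(event["log"])
    if not pm:
        return None
    fields = {"decoder": "servping"}
    f = FIELDS_RE.search(event["log"], pm.end())  # offset="after_parent"
    if f:
        fields.update(id=f[1], dstip=f[2], action=f[3])
    return fields


def evaluate(line):
    """Phases 1-3 for one line: (rule id, level) of the rule that fires, else None."""
    fields = decode(pre_decode(line))
    if not fields or "id" not in fields:
        return None
    return RULES.get(fields["id"])


# Constructed samples: a plain syslog line, and a line pasted from archives.log.
SYSLOG_LINE = "Jun 14 13:28:29 ix logger: ServPing Domain server down"
ARCHIVE_LINE = ("2016 Jun 14 11:04:01 alamo->/var/log/messages "
                "Jun 14 11:04:01 alamo logger: ServPing Game DeezNutZ down")
```

Feeding ARCHIVE_LINE to evaluate() returns None, which is the same outcome the real decoder gives once program_name is required: test with the line as it sits in /var/log/messages, not as archives.log stores it.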