Good day to you all,
I have a problem with the OSSEC/Slack integration, OSSEC version 2.9.0. For an
unknown reason, the ossec-slack script fires hundreds of curl processes
when sending data from alerts.log to the Slack channel, basically draining
all the memory (one process takes ~180 MB). What could be the reason? The
size of the alerts.log file is usually under 1 MB.
The bash script portion responsible for sending data to Slack channel
remained unmodified:
# Pull the block for this alert (matched by its timestamp) out of alerts.log,
# drop the line carrying the alert ID, the "Src IP:" and "User:" lines, keep the
# "Rule:" line plus four lines of context, truncate each line to 139 characters
# and strip double quotes so they do not break the JSON built below.
ALERTFULL=`grep -A 10 "$ALERTTIME" ${PWD}/../logs/alerts/alerts.log | grep -v ".$ALERTLAST: " -A 10 | grep -v "Src IP: " | grep -v "User: " | grep "Rule: " -A 4 | cut -c -139 | sed 's/\"//g'`
# Slack webhook payload, assembled by plain string concatenation.
PAYLOAD='{"channel": "'"$CHANNEL"'", "username": "'"$SLACKUSER"'", "text": "'"${ALERTFULL}"'"}'
# Prefer curl; fall back to wget only if curl is not installed.
ls "`which curl`" > /dev/null 2>&1
if [ ! $? = 0 ]; then
    ls "`which wget`" > /dev/null 2>&1
    if [ $? = 0 ]; then
        wget --keep-session-cookies --post-data="${PAYLOAD}" "${SITE}" 2>>"${PWD}/../logs/active-responses.log"
        exit 0;
    fi
else
    curl -X POST --data-urlencode "payload=${PAYLOAD}" "${SITE}" 2>>"${PWD}/../logs/active-responses.log"
    exit 0;
fi
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
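An added example, not the original ossec-slack.sh and not something this thread establishes as the cause of the process pile-up: the fragment quoted above builds its JSON by string concatenation and runs curl with no timeout and no guard against concurrent invocations. The hardened fragment below JSON-escapes the alert text instead of stripping quotes, caps each curl with --max-time so a stalled post cannot live indefinitely, and serializes concurrent invocations with flock(1) (util-linux, so Linux only). CHANNEL, SLACKUSER and SITE are assumed to be set by the caller as in the original; json_escape, build_payload, send_payload, LOCKFILE and LOGFILE are names introduced here, and the lock and log paths are assumptions.

```shell
#!/bin/sh
# Added hardening example for an ossec-slack style active-response script.
# Not the original script; json_escape, build_payload, send_payload, LOCKFILE
# and LOGFILE are names introduced here. CHANNEL, SLACKUSER and SITE are
# assumed to be set by the caller exactly as in the original script.

LOCKFILE=${LOCKFILE:-${PWD}/../logs/ossec-slack.lock}       # assumed path
LOGFILE=${LOGFILE:-${PWD}/../logs/active-responses.log}     # as in the original

# Escape text for embedding in a JSON string: backslashes, double quotes,
# tabs (turned into spaces) and newlines. Other control characters are not
# handled; OSSEC alert lines are assumed to be plain printable text.
json_escape() {
    printf '%s' "$1" \
        | tr '\t' ' ' \
        | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
        | awk 'BEGIN { ORS = "" } NR > 1 { printf "\\n" } { print }'
}

# Build the Slack webhook payload from channel, username and alert text.
build_payload() {
    printf '{"channel": "%s", "username": "%s", "text": "%s"}' \
        "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")"
}

# Post one payload. flock(1) makes concurrent invocations wait on the lock
# (up to 30 s) instead of all starting curl at once, and --max-time bounds
# how long any single curl process can live.
send_payload() {
    payload=$1
    (
        flock -w 30 9 || exit 1
        curl -sS -X POST --max-time 10 \
            --data-urlencode "payload=${payload}" "${SITE}" 2>>"${LOGFILE}"
    ) 9>"${LOCKFILE}"
}

# Example wiring, replacing the PAYLOAD/curl lines of the original:
#   PAYLOAD=$(build_payload "$CHANNEL" "$SLACKUSER" "$ALERTFULL")
#   send_payload "$PAYLOAD"
```

The lock and timeout only bound how many curl processes can be alive at once and for how long; they do not change how often OSSEC launches the script, which depends on the active-response configuration that the post does not show.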