Is there a Windows Rule for this? Thanks

-Mike

On Tue, Sep 28, 2010 at 4:17 PM, Daniel Cid <[email protected]> wrote:
> Yes, it is even included in the default rules already:
>
> <rule id="531" level="7" ignore="7200">
>   <if_sid>530</if_sid>
>   <match>ossec: output: 'df -h': /dev/</match>
>   <regex>100%</regex>
>   <description>Partition usage reached 100% (disk space monitor).</description>
>   <group>low_diskspace,</group>
> </rule>
>
> You just have to override it and change from 100% to 80%.
>
> Thanks,
>
> On Tue, Sep 28, 2010 at 11:01 AM, dan (ddp) <[email protected]> wrote:
>> On Tue, Sep 28, 2010 at 9:37 AM, William Maddler <[email protected]> wrote:
>>> On 28/09/2010 15:16, George Ochola wrote:
>>>> Hi all
>>>>
>>>> How do I configure OSSEC to send an alert when a Unix file system is maybe
>>>> 80% full, as opposed to the alert sent when the file system is full?
>>>>
>>>> I need to clear the file system before it reaches the 100% mark.
>>>>
>>>> Kind Regards
>>>>
>>>> George O.
>>>>
>>> Hello, not sure this can be achieved using Ossec. You could use a
>>> cronjob with a script like:
>>>
>>> #!/bin/sh
>>> # Partition to watch and the usage threshold (percent) that triggers a log line
>>> PART="sda2"
>>> MAX=80
>>> # Fifth column of df is Use%; strip the % sign so the value can be compared numerically
>>> USED=`df -h | grep $PART | awk '{print $5}' | sed "s/%//"`
>>>
>>> if [ "$USED" -gt "$MAX" ]; then
>>>     echo "Filesystem occupation on $PART > than $MAX" >> /var/log/diskcheck
>>> fi
>>>
>>> And create a rule to handle such an alert.
>>>
>>> Hope it helps.
>>>
>>> William
>>>
>> The full_command option should be able to help with this:
>> http://www.ossec.net/dcid/?p=198
>>
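The override Daniel describes, written out as an added example of a local_rules.xml entry (not code from the thread or from the OSSEC project). It assumes OSSEC's `overwrite="yes"` rule attribute and its `\d` and `|` regex operators; a plain `<regex>80%</regex>` would fire only at exactly 80%, so the alternation below covers 80% through 100%.

```xml
<!-- local_rules.xml: replace default rule 531 so the disk-space alert fires at 80% -->
<group name="ossec,">
  <rule id="531" level="7" ignore="7200" overwrite="yes">
    <if_sid>530</if_sid>
    <!-- same prefix match as the stock rule: output of the 'df -h' full_command -->
    <match>ossec: output: 'df -h': /dev/</match>
    <!-- 80%-89%, 90%-99%, or 100% in the Use% column; "80%" alone would miss 81%+ -->
    <regex>8\d%|9\d%|100%</regex>
    <description>Partition usage reached 80% (disk space monitor).</description>
    <group>low_diskspace,</group>
  </rule>
</group>
```

Because the regex is applied to the whole command output, any listed /dev/ filesystem at or above the threshold triggers the alert, and ignore="7200" keeps it from repeating for two hours.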
