I added custom rules to alert if space is over 90%.

On 20 April 2016 at 02:16, Santiago Bassett <santiago.bass...@gmail.com> wrote:
> Out of curiosity, what is the rule supposed to trigger the alert? The one
> I see by default looks for full partitions...
>
> https://github.com/ossec/ossec-hids/blob/a7ca63d6d074f2f6bdb49f4bc79a054c31dcafc7/etc/rules/ossec_rules.xml#L137
>
> On Mon, Apr 18, 2016 at 2:07 AM, Robert Micallef <robertm...@gmail.com>
> wrote:
>
>> I tested it on CentOS 5 and the output of df is as expected (Single line).
>>
>> We don't have a lot of RHEL5 but this happens on every 1 I tried so far
>> (I tried 7).
>>
>> Here is the output of df -h on RHEL5:
>>
>> Filesystem            Size  Used Avail Use% Mounted on
>> /dev/mapper/VolGroup00-LogVol00
>>                        23G   16G  5.4G  75% /
>> /dev/hda1              99M   13M   82M  14% /boot
>> tmpfs                 4.9G     0  4.9G   0% /dev/shm
>>
>> Here is the output of a CentOS 5 machine:
>>
>> Filesystem            Size  Used Avail Use% Mounted on
>> /dev/sda3             1.9T  1.7T  104G  95% /
>> /dev/sda1              99M   36M   58M  39% /boot
>> tmpfs                 3.9G     0  3.9G   0% /dev/shm
>>
>> So the CentOS is a single line and OSSEC picks that log perfectly. But
>> RHEL5 it will see 2 logs:
>>
>> ossec: output: 'df -h': /dev/mapper/VolGroup00-LogVol00
>> ossec: output: 'df -h': 23G 16G 5.4G 75% /
>>
>> And doesn't work. Tested in RHEL 5.8 and 5.11.
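
Added example (not part of the original thread, and not OSSEC code): a small Python parser that re-joins `df -h` rows split across two lines, as in the RHEL5 output quoted above, and applies the "over 90%" check to whole records. The sample outputs are constructed from the thread; the function names and the `limit` parameter are assumptions made for illustration.

```python
# Added illustration: rebuild one record per filesystem from `df -h` output,
# including rows that df wrapped because the device name was too long.

# Constructed samples, laid out like the two outputs quoted in the thread.
RHEL5_DF = """\
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
                       23G   16G  5.4G  75% /
/dev/hda1              99M   13M   82M  14% /boot
tmpfs                 4.9G     0  4.9G   0% /dev/shm
"""
CENTOS5_DF = """\
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3             1.9T  1.7T  104G  95% /
/dev/sda1              99M   36M   58M  39% /boot
tmpfs                 3.9G     0  3.9G   0% /dev/shm
"""


def parse_df(df_output):
    """Return a list of dicts (device, use_pct, mount), joining wrapped rows."""
    rows, pending = [], None
    for line in df_output.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Filesystem":
            continue
        if len(fields) == 1:
            # Device name alone on the line: its columns follow on the next one.
            pending = fields[0]
            continue
        if pending and line[0].isspace():
            fields.insert(0, pending)  # re-attach the wrapped device name
        pending = None
        if len(fields) < 6 or not fields[4].endswith("%"):
            continue  # not a complete record (e.g. Use% reported as "-")
        rows.append({
            "device": fields[0],
            "use_pct": int(fields[4].rstrip("%")),
            "mount": " ".join(fields[5:]),  # mount points may contain spaces
        })
    return rows


def over_threshold(df_output, limit=90):
    """Return (mount, use_pct) for every filesystem above `limit` percent."""
    return [(r["mount"], r["use_pct"]) for r in parse_df(df_output)
            if r["use_pct"] > limit]


if __name__ == "__main__":
    for name, sample in (("RHEL5", RHEL5_DF), ("CentOS 5", CENTOS5_DF)):
        print(name, over_threshold(sample))
```

`df -P` (POSIX output format) prints each filesystem on a single line, which avoids the wrapping at the source.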