Cool, would you mind sharing those custom rules with us? The threshold 
(over 90%) one is specifically appealing to me :)

On Wednesday, 20 April 2016 09:12:29 UTC+2, Robert Micallef wrote:
>
> I added custom rules to alert if space is over 90%. 
>
> On 20 April 2016 at 02:16, Santiago Bassett <santiago...@gmail.com> wrote:
>
>> Out of curiosity, what is the rule supposed to trigger the alert?  The 
>> one I see by default looks for full partitions...
>>
>>
>> https://github.com/ossec/ossec-hids/blob/a7ca63d6d074f2f6bdb49f4bc79a054c31dcafc7/etc/rules/ossec_rules.xml#L137
>>
>> On Mon, Apr 18, 2016 at 2:07 AM, Robert Micallef <rober...@gmail.com> wrote:
>>
>>> I tested it on CentOS 5 and the output of df is as expected (Single 
>>> line).
>>>
>>> We don't have a lot of RHEL5 but this happens on every one I tried so far 
>>> (I tried 7).
>>>
>>> Here is the output of df -h on RHEL5:
>>>
>>> Filesystem            Size  Used Avail Use% Mounted on
>>> /dev/mapper/VolGroup00-LogVol00
>>>                        23G   16G  5.4G  75% /
>>> /dev/hda1              99M   13M   82M  14% /boot
>>> tmpfs                 4.9G     0  4.9G   0% /dev/shm
>>>
>>> Here is the output of a CentOS 5 machine:
>>>
>>> Filesystem            Size  Used Avail Use% Mounted on
>>> /dev/sda3             1.9T  1.7T  104G  95% /
>>> /dev/sda1              99M   36M   58M  39% /boot
>>> tmpfs                 3.9G     0  3.9G   0% /dev/shm
>>>
>>> So the CentOS is a single line and OSSEC picks that log perfectly. But 
>>> on RHEL5 it will see 2 logs:
>>>
>>> ossec: output: 'df -h': /dev/mapper/VolGroup00-LogVol00
>>> ossec: output: 'df -h':                        23G   16G  5.4G  75% /
>>>
>>> And doesn't work. Tested in RHEL 5.8 and 5.11.
>>>
>>> -- 
>>>
>>> --- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to ossec-list+...@googlegroups.com.
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>
>


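The wrapped `df -h` layout from the quoted RHEL5 output, handled in an added example (not code from the thread or from OSSEC): it re-joins a device name that df printed on its own line with the indented line that follows, then applies the over-90% threshold discussed above. The sample output is copied from the thread; `df -P` (POSIX output format) avoids the wrapping at the source.

```python
import re

# df -h output as quoted in the thread: RHEL5 wraps a long device name
# onto its own line, CentOS 5 keeps one line per filesystem.
RHEL5_DF = """\
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
                       23G   16G  5.4G  75% /
/dev/hda1              99M   13M   82M  14% /boot
tmpfs                 4.9G     0  4.9G   0% /dev/shm
"""

CENTOS5_DF = """\
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3             1.9T  1.7T  104G  95% /
/dev/sda1              99M   36M   58M  39% /boot
tmpfs                 3.9G     0  3.9G   0% /dev/shm
"""


def unwrap_df(text):
    """Join wrapped df lines so every filesystem is one record.

    A line holding a single field (just the device name) is glued to the
    indented continuation line that follows it, which is the one-line
    form that `df -P` prints directly.
    """
    records = []
    pending = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Filesystem"):
            continue  # skip blank lines and the header row
        if pending is not None:
            line = pending + " " + line.strip()
            pending = None
        if len(line.split()) == 1:
            pending = line.strip()  # device name only; data follows
            continue
        records.append(line)
    return records


def parse_df(text):
    """Return a list of (filesystem, use_percent, mount_point)."""
    parsed = []
    for rec in unwrap_df(text):
        fields = rec.split(None, 5)  # mount point may contain spaces
        fs, use, mount = fields[0], fields[4], fields[5]
        parsed.append((fs, int(use.rstrip("%")), mount))
    return parsed


def over_threshold(text, threshold=90):
    """Filesystems whose Use% exceeds the threshold (default 90%)."""
    return [r for r in parse_df(text) if r[1] > threshold]
```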