I have a script that pings a server list at timed intervals and only 
writes failures to a log, like so (this is a test run using an unknown 
machine name):

PINGSERV PING FAILURE 06/03/2016  8:40:48.35 fail1
 

Now I have set up decoders like so:


<decoder name="pingserv">
  <prematch>^PINGSERV PING </prematch>
</decoder>

<decoder name="pingserv-fail">
  <parent>pingserv</parent>
  <regex offset="after_parent">(\w+) (\d\d/\d\d/\d\d\d\d  \d:\d\d:\d\d.\d\d) (\w+)</regex>
  <order>action,extra_data,dstip</order>
</decoder>


The output is as follows (more or less what I want):


PINGSERV PING FAILURE 06/03/2016  8:40:48.35 fail1


**Phase 1: Completed pre-decoding.
       full event: 'PINGSERV PING FAILURE 06/03/2016  8:40:48.35 fail1 '
       hostname: 'alamo'
       program_name: '(null)'
       log: 'PINGSERV PING FAILURE 06/03/2016  8:40:48.35 fail1 '

**Phase 2: Completed decoding.
       decoder: 'pingserv'
       action: 'FAILURE'
       extra_data: '06/03/2016  8:40:48.35'
       dstip: 'fail1'

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.


The issue is that I am not able to trigger the rule below:


<group name="ping-servers">
  <rule id="100010" level="0">
    <decoded_as>pingserv</decoded_as>
    <description>Grouping For Server Ping Group</description>
  </rule>
</group>




On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
>
> Was wondering on the best route/option to accomplish this?
>
>
> (similar to the USB storage detection)
>
> Was thinking about a batch or bash script that would ping servers from a list to 
> a file. Every so many minutes this
> file would be overwritten with the new results.
>
> If the results "differ" from the last log the alert would be triggered.
>
>
> (other option)
>
> Run script as scheduled task, write to log then monitor log like a syslog. 
> Regex for the failed pings. Then alerts.
>
>
> Curious if anyone had tried and found either way better?
>
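An added illustration, not code from the post or from OSSEC: assuming the script writes Windows `%DATE% %TIME%`, a single-digit hour is space-padded (` 8:40:48.35`) while a two-digit hour is not (`10:40:48.35`), so a child regex written as `\d\d\d\d  \d:\d\d` only decodes events logged before 10:00. This Python stand-in for the two-stage decoder (parent prematch, child regex applied after the parent match) runs that strict pattern and an hour-tolerant one over constructed sample lines; hostnames and times are made up.

```python
import re

# Constructed sample lines in the PINGSERV format from the post.
# Line 2 is logged at 10 AM, so the hour field has no leading space.
SAMPLE_LOG = [
    "PINGSERV PING FAILURE 06/03/2016  8:40:48.35 fail1",
    "PINGSERV PING FAILURE 06/03/2016 10:40:48.35 fail2",
    "PINGSERV PING OK 06/03/2016 10:40:48.35 web01",
]

# Parent decoder: prematch on the fixed prefix.
PREMATCH = re.compile(r"^PINGSERV PING ")

# Child pattern with a single-digit hour, as a Python regex
# (OSSEC's regex dialect differs; '.' is escaped here, '  ' is literal).
STRICT = re.compile(
    r"(\w+) (\d\d/\d\d/\d\d\d\d  \d:\d\d:\d\d\.\d\d) (\w+)")

# Hour-tolerant variant: any run of spaces, then one or two hour digits.
TOLERANT = re.compile(
    r"(\w+) (\d\d/\d\d/\d\d\d\d\s+\d{1,2}:\d\d:\d\d\.\d\d) (\w+)")

# Same field order as the decoder's <order> element.
FIELDS = ("action", "extra_data", "dstip")


def decode(line, pattern=TOLERANT):
    """Return the decoded fields for one log line, or None if the
    parent prematch fails. If only the parent matches, the event is
    still 'decoded_as pingserv' but carries no child fields."""
    m = PREMATCH.match(line)
    if not m:
        return None
    child = pattern.match(line[m.end():])   # offset="after_parent"
    if not child:
        return {"decoder": "pingserv"}
    return {"decoder": "pingserv", **dict(zip(FIELDS, child.groups()))}


def failures(lines, pattern=TOLERANT):
    """dstip of every event whose decoded action is FAILURE."""
    out = []
    for line in lines:
        d = decode(line, pattern)
        if d and d.get("action") == "FAILURE":
            out.append(d["dstip"])
    return out
```

Running `failures(SAMPLE_LOG, STRICT)` yields only `fail1`; the tolerant pattern also returns `fail2`, so a level-0 `decoded_as pingserv` grouping rule would see both.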
