ServPing Domain AHHHHHHHH down 06092016 08:48:01

ServPing Game AHHHHHHHH down 06092016 08:48:01


<decoder name="servping">
  <prematch>^ServPing </prematch>
</decoder>

<decoder name="servping-all">
  <parent>servping</parent>
  <regex offset="after_parent">(\w+) (\w+) (\w+) (\d\d\d\d\d\d\d\d \d\d:\d\d:\d\d)</regex>
  <order>id,dstip,action,extra_data</order>
</decoder>



<group name="servping-rules">
  <rule id="700005" level="0">
    <decoded_as>servping-all</decoded_as>
    <description>PingServ Rules Group</description>
  </rule>


  <!-- Match on the decoded id (Domain / Game) and on the decoded action, so
       that a "ServPing Domain ... up ..." line, should the script ever log
       one, does not raise the same alert. -->
  <rule id="700006" level="12">
    <if_sid>700005</if_sid>
    <id>Domain</id>
    <action>down</action>
    <description>Domain Server Down!</description>
  </rule>

  <rule id="700007" level="12">
    <if_sid>700005</if_sid>
    <id>Game</id>
    <action>down</action>
    <description>Game Server Down!</description>
  </rule>

  <!-- The OSSEC rules documentation notes that a frequency rule fires two
       matches after the value given, so frequency="1" means three "down"
       lines for the same id within 600 seconds, not one. Size frequency to
       the interval at which the ping script runs (every minute -> roughly
       eight for a ten-minute outage). -->
  <rule id="700008" level="12" frequency="1" timeframe="600">
    <if_matched_sid>700006</if_matched_sid>
    <description>Domain Server Down 10 Minutes!</description>
    <group>syslog,</group>
  </rule>

  <rule id="700009" level="12" frequency="1" timeframe="600">
    <if_matched_sid>700007</if_matched_sid>
    <description>Gaming Server Down 10 Minutes!</description>
    <group>syslog,</group>
  </rule>
</group>



I will have to wait till Monday and I will post the bash and/or batch 
script and the setup of it.  Still having the issue of log monitoring 
of this alert from the native OSSEC server...  but I will have a solution 
either way.
On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
>
> Was wondering about the best route/option to accomplish this?
>
> (similar to the USB storage detection)
>
> Was thinking about a batch or bash script that would ping servers from a list 
> to a file.  Every so many minutes this
> file would be overwritten with the new results.
>
> If the results "differ" from the last log, the alert would be triggered.
>
> (other option)
>
> Run script as scheduled task, write to log, then monitor log like a syslog. 
> Regex for the failed pings. Then alerts.
>
> Curious if anyone had tried and found either way better?
>

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
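The ping script the poster says he will share on Monday is not on this page. The POSIX shell script below is an added example of the second approach from the quoted message (scheduled script writes a log, OSSEC tails the log); it is my code, not the poster's and not part of OSSEC. It writes one `ServPing <role> <name> down <MMDDYYYY> <HH:MM:SS>` line per failed ping, so the decoder and rules above parse it without changes. Assumptions not taken from the thread: the date is MMDDYYYY (how `06092016` reads for a June 2016 thread); the server list has three columns, `<role> <name> <host>`, because the decoder's `\w+` in OSSEC's own regex syntax matches letters, digits, `@`, `-` and `_` but not `.`, so a dotted FQDN or IP address must not appear in the two logged fields; the names `PING_CMD`, `SERVPING_LOG`, `servping_line`, `servping_check` and `servping_run` are mine, and the `192.0.2.x` addresses in the demo list are constructed documentation addresses.

```shell
#!/bin/sh
# servping.sh: ping each server in a list and append one
#   ServPing <role> <name> down <MMDDYYYY> <HH:MM:SS>
# line per failed ping, the shape the servping decoder above expects.
# Added example for this thread, not the script the poster said he would post.
#
# Assumed knobs (not from the original post):
#   PING_CMD      probe command; override (e.g. PING_CMD=false) to run offline
#   SERVPING_LOG  file OSSEC tails via <localfile> with log_format syslog
: "${PING_CMD:=ping -c 1 -W 2}"
: "${SERVPING_LOG:=/var/log/servping.log}"

# servping_line ROLE NAME -> prints the log line for a failed ping.
# Date written as MMDDYYYY (assumption, see lead-in). ROLE and NAME must use
# only characters OSSEC's \w accepts (no dots), which is why the address that
# is actually pinged lives in a separate third column of the list.
servping_line() {
    printf 'ServPing %s %s down %s\n' "$1" "$2" "$(date '+%m%d%Y %H:%M:%S')"
}

# servping_check ROLE NAME HOST -> appends a down line if HOST does not
# answer a single ping. Returns 0 when it answered, 1 when it did not.
servping_check() {
    if $PING_CMD "$3" >/dev/null 2>&1; then
        return 0
    fi
    servping_line "$1" "$2" >>"$SERVPING_LOG"
    return 1
}

# servping_run LISTFILE -> checks every "<role> <name> <host>" line of
# LISTFILE (blank lines and '#' comments skipped) and returns the number of
# hosts that did not answer, so an exit status of 0 means everything is up.
servping_run() {
    down=0
    while read -r role name host rest || [ -n "$role" ]; do
        case $role in ''|'#'*) continue ;; esac
        servping_check "$role" "$name" "$host" || down=$((down + 1))
    done <"$1"
    return "$down"
}

# Demo with a constructed list: `sh servping.sh --demo` touches no real host
# because PING_CMD=false makes every entry count as down.
if [ "${1-}" = "--demo" ]; then
    demo=$(mktemp -d)
    printf '# role  name       host\nDomain AHHHHHHHH 192.0.2.10\nGame   GSRV01    192.0.2.11\n' >"$demo/servers.lst"
    SERVPING_LOG=$demo/servping.log
    PING_CMD=false
    servping_run "$demo/servers.lst"
    echo "hosts down: $?"
    cat "$demo/servping.log"
fi
```

Run it from cron at the interval the frequency/timeframe rules are sized for, and point OSSEC at the log on the same host with a `<localfile>` entry in ossec.conf whose `<log_format>` is `syslog` and whose `<location>` is the file in `SERVPING_LOG`; because only failed pings are logged, a quiet log means every host answered, and the alert on the OSSEC side is driven entirely by the `down` lines the rules above match.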