Sorry, from what I see I do have that timestamp header in my logging from Elsa... ServPing Game DeezNutZ down
2016 Jun 14 11:04:01 alamo->/var/log/messages Jun 14 11:04:01 alamo logger: ServPing Game DeezNutZ down

And from my /var/log/messages:

2016 Jun 14 12:10:03 alamo->/var/log/syslog Jun 14 12:10:01 alamo logger: ServPing Domain testing123 down
2016 Jun 14 12:10:03 alamo->/var/log/syslog Jun 14 12:10:01 alamo logger: ServPing Game DeezNutZ down

Current decoders are:

<decoder name="servping">
  <prematch>ServPing</prematch>
</decoder>

<!-- Three whitespace-separated words after "ServPing": type, host, state.
     The host name lands in the dstip field, which is only a label here. -->
<decoder name="servping-all">
  <parent>servping</parent>
  <regex offset="after_parent">(\w+) (\w+) (\w+)</regex>
  <order>id,dstip,action</order>
</decoder>

Rules are:

<group name="servping">
  <rule id="700005" level="0">
    <decoded_as>servping</decoded_as>
    <description>PingServ Rules Group</description>
  </rule>

  <rule id="700006" level="5">
    <if_sid>700005</if_sid>
    <id>Domain</id>
    <description>Domain Server Down 5 Minutes!</description>
  </rule>

  <rule id="700007" level="5">
    <if_sid>700005</if_sid>
    <id>Game</id>
    <description>Gaming Server Down 5 Minutes!</description>
  </rule>

  <!-- OSSEC fires a frequency rule after frequency + 2 matches of the
       if_matched_sid rule inside timeframe seconds, so each of these two
       rules needs three child matches within 600 seconds. -->
  <rule id="700008" level="12" frequency="1" timeframe="600">
    <if_matched_sid>700006</if_matched_sid>
    <description>Domain Server Down 10 Minutes!</description>
    <group>authentication_failures,</group>
  </rule>

  <rule id="700009" level="12" frequency="1" timeframe="600">
    <if_matched_sid>700007</if_matched_sid>
    <description>Gaming Server Down 10 Minutes!</description>
    <group>authentication_failures,</group>
  </rule>
</group>

bash is:

#!/bin/bash
# Program name: ping-domain-serv.sh
# */5 * * * * /home/mis/admin-tools/ping-domain-serv.sh  (crontab runs ping-domain-serv every 5 min)
logpath=/var/log/
pingtext=/home/mis/admin-tools/cfg/ping-domain.txt

# Rotate only this script's own log files older than 7 days.
# (An unrestricted "*.log" pattern here would delete every .log file under /var/log.)
find "$logpath" -name "ping-domain*.log" -type f -mtime +7 -print -delete
# No space between the two parts: "$logpath ping-domain.log" creates "/var/log/ ping-domain.log".
touch "${logpath}ping-domain.log"

# One host per line in $pingtext. A failed single ping is sent to syslog
# with the "ServPing ... down" text the OSSEC decoder pre-matches on.
while read -r output; do
    [ -z "$output" ] && continue
    if ping -c 1 "$output" > /dev/null 2>&1; then
        echo "Server $output is up"
    else
        logger -t logger "ServPing Domain $output down"
    fi
done < "$pingtext"

Just not seeing any alerts as of yet??
Now with this log entry or entries:

2016 Jun 14 11:04:01 alamo->/var/log/messages Jun 14 11:04:01 alamo logger: ServPing Game DeezNutZ down
alamo logger: ServPing Game DeezNutZ down
ServPing Game DeezNutZ down

I get a result of:

2016 Jun 14 11:04:01 alamo->/var/log/messages Jun 14 11:04:01 alamo logger: ServPing Game DeezNutZ down

**Phase 1: Completed pre-decoding.
       full event: '2016 Jun 14 11:04:01 alamo->/var/log/messages Jun 14 11:04:01 alamo logger: ServPing Game DeezNutZ down'
       hostname: 'alamo'
       program_name: '(null)'
       log: '2016 Jun 14 11:04:01 alamo->/var/log/messages Jun 14 11:04:01 alamo logger: ServPing Game DeezNutZ down'

**Phase 2: Completed decoding.
       decoder: 'servping'
       id: 'Game'
       dstip: 'DeezNutZ'
       action: 'down'

**Phase 3: Completed filtering (rules).
       Rule id: '700009'
       Level: '12'
       Description: 'Gaming Server Down 10 Minutes!'
**Alert to be generated.

On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
>
> Was wondering on the best route/option to accomplish this?
>
> (similar to the USB storage detection)
>
> Was thinking about a batch or bash script that would ping servers from a list to
> a file. Every so many minutes this file would be overwritten with the new results.
>
> If the results "differ" from the last log the alert would be triggered.
>
> (other option)
>
> Run the script as a scheduled task, write to a log, then monitor the log like a syslog.
> Regex for the failed pings. Then alerts.
>
> Curious if anyone had tried and found either way better?

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
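As an added example that is not part of the ossec-list thread (and not OSSEC's own code), the following Python models the servping decoder and the rule chain posted above and runs them over constructed log lines in the ELSA "YYYY Mon DD HH:MM:SS host->/var/log/... " format. It assumes the frequency semantics from the OSSEC rule documentation (a rule with frequency N fires after N + 2 matches of its if_matched_sid rule inside timeframe seconds); the per-host sliding window is this model's own simplification, not a description of OSSEC internals. The sample lines, the host names and the CRON noise line are constructed for the example.

```python
# Added example: a small model of the ServPing decoder and rules from the
# thread, run over constructed log lines. Not OSSEC code; the "+2" frequency
# behaviour follows the OSSEC rule documentation, the window logic is an
# assumption made for this model.
import re
from collections import defaultdict, deque
from datetime import datetime

PREMATCH = "ServPing"                               # <prematch>ServPing</prematch>
AFTER_PARENT = re.compile(r"(\w+) (\w+) (\w+)")     # <regex offset="after_parent">
ORDER = ("id", "dstip", "action")                   # <order>id,dstip,action</order>

# <id>Domain|Game</id> children of the level-0 parent rule 700005
BASE_RULES = {"Domain": 700006, "Game": 700007}
# <if_matched_sid> rules with frequency="1" timeframe="600"
COMPOSITE_RULES = {
    700008: {"if_matched_sid": 700006, "frequency": 1, "timeframe": 600},
    700009: {"if_matched_sid": 700007, "frequency": 1, "timeframe": 600},
}


def decode(line):
    """Model of the 'servping' decoder: prematch, then three words after it."""
    pos = line.find(PREMATCH)
    if pos < 0:
        return None
    m = AFTER_PARENT.search(line[pos + len(PREMATCH):])
    if m is None:
        return None
    return dict(zip(ORDER, m.groups()))


def event_time(line):
    """Take the event time from the ELSA prefix, e.g. '2016 Jun 14 11:04:01'."""
    return datetime.strptime(line[:20], "%Y %b %d %H:%M:%S")


class Correlator:
    """Fires base rules per event and composite rules after repeated matches."""

    def __init__(self):
        # (composite rule id, host) -> timestamps of base-rule matches
        self.windows = defaultdict(deque)

    def process(self, line):
        """Return the rule ids that fire for one log line (empty if none)."""
        fields = decode(line)
        if fields is None or fields["id"] not in BASE_RULES:
            return []
        base = BASE_RULES[fields["id"]]
        fired = [base]
        ts = event_time(line)
        for rid, rule in COMPOSITE_RULES.items():
            if rule["if_matched_sid"] != base:
                continue
            window = self.windows[(rid, fields["dstip"])]
            window.append(ts)
            # Drop matches that fell out of the timeframe (assumed window rule)
            while (ts - window[0]).total_seconds() > rule["timeframe"]:
                window.popleft()
            if len(window) >= rule["frequency"] + 2:    # documented "+2"
                fired.append(rid)
                window.clear()                           # one alert per burst
        return fired


# Constructed sample: the cron job runs every 5 minutes, so a host that stays
# down yields one line per 5 minutes; the last line is unrelated cron noise.
SAMPLE_LINES = [
    "2016 Jun 14 11:00:01 alamo->/var/log/messages Jun 14 11:00:01 alamo logger: ServPing Game DeezNutZ down",
    "2016 Jun 14 11:05:01 alamo->/var/log/messages Jun 14 11:05:01 alamo logger: ServPing Game DeezNutZ down",
    "2016 Jun 14 11:10:01 alamo->/var/log/messages Jun 14 11:10:01 alamo logger: ServPing Game DeezNutZ down",
    "2016 Jun 14 11:10:03 alamo->/var/log/syslog Jun 14 11:10:01 alamo logger: ServPing Domain testing123 down",
    "2016 Jun 14 11:15:01 alamo->/var/log/syslog Jun 14 11:15:01 alamo CRON[1234]: (mis) CMD (/home/mis/admin-tools/ping-domain-serv.sh)",
]


def run_sample(lines=SAMPLE_LINES):
    """Feed the sample through one correlator; return the rules fired per line."""
    c = Correlator()
    return [c.process(line) for line in lines]


if __name__ == "__main__":
    for line, fired in zip(SAMPLE_LINES, run_sample()):
        print(line[:20], fired)
```

Under these assumptions a single "Game ... down" line only raises the level-5 rule 700007; 700009 needs three such lines for the same host inside the 600-second window, which is consistent with the logtest run above firing 700009 only once the entry had been pasted several times, and with a 5-minute cron producing no level-12 alert until the third consecutive failure.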