Sorry, from what I see I do have that timestamp header in my logging from
Elsa...

2016 Jun 14 11:04:01 alamo->/var/log/messages Jun 14 11:04:01 alamo logger: ServPing Game DeezNutZ down

And from my /var/log/message


2016 Jun 14 12:10:03 alamo->/var/log/syslog Jun 14 12:10:01 alamo logger: ServPing Domain testing123 down
2016 Jun 14 12:10:03 alamo->/var/log/syslog Jun 14 12:10:01 alamo logger: ServPing Game DeezNutZ down


Current decoders are:

<decoder name="servping">
  <prematch>ServPing</prematch>
</decoder>

<decoder name="servping-all">
  <parent>servping</parent>
  <regex offset="after_parent">(\w+) (\w+) (\w+)</regex>
  <order>id,dstip,action</order>
</decoder>


Rules are:

<group name="servping">
  <rule id="700005" level="0">
    <decoded_as>servping</decoded_as>
    <description>PingServ Rules Group</description>
  </rule>

  <rule id="700006" level="5">
    <if_sid>700005</if_sid>
    <id>Domain</id>
    <description>Domain Server Down 5 Minutes!</description>
  </rule>

  <rule id="700007" level="5">
    <if_sid>700005</if_sid>
    <id>Game</id>
    <description>Gaming Server Down 5 Minutes!</description>
  </rule>

  <rule id="700008" level="12" frequency="1" timeframe="600">
    <if_matched_sid>700006</if_matched_sid>
    <description>Domain Server Down 10 Minutes!</description>
    <group>authentication_failures,</group>
  </rule>

  <rule id="700009" level="12" frequency="1" timeframe="600">
    <if_matched_sid>700007</if_matched_sid>
    <description>Gaming Server Down 10 Minutes!</description>
    <group>authentication_failures,</group>
  </rule>
</group>


Bash script is:

#!/bin/bash
# Program name: ping-domain-serv.sh
# crontab entry (runs ping-domain-serv every 5 min):
# */5 * * * * /home/mis/admin-tools/ping-domain-serv.sh

logpath=/var/log/
pingtext=/home/mis/admin-tools/cfg/ping-domain.txt

# Delete *.log files under $logpath that are older than 7 days
find "$logpath" -name "*.log" -type f -mtime +7 -print -delete

# Original had "$logpath ping-domain.log" (space inside the quotes), which
# creates a file literally named "/var/log/ ping-domain.log"
touch "${logpath}ping-domain.log"

# One host per line in $pingtext; a failed single ping is sent to syslog as
# "ServPing Domain <host> down" so the OSSEC decoder can pick it up
while read -r output; do
    [ -z "$output" ] && continue
    if ping -c 1 "$output" > /dev/null 2>&1; then
        echo "Server $output is up"
    else
        logger -t logger ServPing Domain "$output" down
    fi
done < "$pingtext"


Just not seeing any alerts as of yet??

Now with this log entry or entries:

2016 Jun 14 11:04:01 alamo->/var/log/messages Jun 14 11:04:01 alamo logger: 
ServPing Game DeezNutZ down
alamo logger: ServPing Game DeezNutZ down
ServPing Game DeezNutZ down

I get a result of:

2016 Jun 14 11:04:01 alamo->/var/log/messages Jun 14 11:04:01 alamo logger: ServPing Game DeezNutZ down


**Phase 1: Completed pre-decoding.
       full event: '2016 Jun 14 11:04:01 alamo->/var/log/messages Jun 14 11:04:01 alamo logger: ServPing Game DeezNutZ down'
       hostname: 'alamo'
       program_name: '(null)'
       log: '2016 Jun 14 11:04:01 alamo->/var/log/messages Jun 14 11:04:01 alamo logger: ServPing Game DeezNutZ down'

**Phase 2: Completed decoding.
       decoder: 'servping'
       id: 'Game'
       dstip: 'DeezNutZ'
       action: 'down'

**Phase 3: Completed filtering (rules).
       Rule id: '700009'
       Level: '12'
       Description: 'Gaming Server Down 10 Minutes!'
**Alert to be generated.


On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
>
> Was wondering on the best route/option to accomplish this?
>
>
> (similar to the USB storage detection)
>
> Was thinking about a batch or bash script that would ping servers from a list to
> a file. Every so many minutes this file would be overwritten with the new
> results.
>
> If the results "differ" from the last log the alert would be triggered.
>
>
> (other option)
>
> Run script as scheduled task, write to log then monitor log like a syslog. 
> Regex for the failed pings. Then alerts.
>
>
> Curious if anyone had tried and found either way better?
>
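
A small Python model of what the decoder and the 5-minute / 10-minute rule pair above are meant to do, added here as an example and not code from the post or from OSSEC itself. It applies the same three-word decode (id, dstip, action) to ELSA-prefixed syslog lines and keeps a 600-second sliding window per (id, dstip): the first "down" yields a level-5 alert, a second "down" inside the window (two consecutive 5-minute probes) escalates to level 12. The escalation threshold of two events and the sample log lines are constructed assumptions; the window logic is a plain sliding window, not a reproduction of OSSEC's internal frequency counting.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: ELSA-forwarded syslog lines in the shape seen in the post
# (year prefix, "host->file" source tag, then the original syslog record).
SAMPLE_LOG = """\
2016 Jun 14 12:05:01 alamo->/var/log/syslog Jun 14 12:05:01 alamo logger: ServPing Game DeezNutZ down
2016 Jun 14 12:10:03 alamo->/var/log/syslog Jun 14 12:10:01 alamo logger: ServPing Domain testing123 down
2016 Jun 14 12:10:03 alamo->/var/log/syslog Jun 14 12:10:01 alamo logger: ServPing Game DeezNutZ down
2016 Jun 14 12:15:02 alamo->/var/log/syslog Jun 14 12:15:01 alamo logger: Server testing123 is up
"""

# Mirrors the posted decoder: prematch on "ServPing", then three words
# decoded as id, dstip, action.
PREMATCH = "ServPing"
FIELDS = re.compile(r"ServPing (\w+) (\w+) (\w+)")
ELSA_TS = re.compile(r"^(\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d) ")

TIMEFRAME = timedelta(seconds=600)  # rule timeframe="600"
ESCALATE_AT = 2                     # assumption: two 5-min probes down == "10 minutes"


def decode(line):
    """Return {ts, id, dstip, action} or None if the decoder does not apply."""
    if PREMATCH not in line:
        return None
    ts = ELSA_TS.match(line)
    fields = FIELDS.search(line)
    if not ts or not fields:
        return None
    return {
        "ts": datetime.strptime(ts.group(1), "%Y %b %d %H:%M:%S"),
        "id": fields.group(1),
        "dstip": fields.group(2),
        "action": fields.group(3),
    }


class Correlator:
    """Sliding-window correlation per (id, dstip), keyed like if_matched_sid."""

    def __init__(self):
        self.seen = defaultdict(deque)  # (id, dstip) -> timestamps of "down"

    def feed(self, line):
        ev = decode(line)
        if ev is None or ev["action"] != "down":
            return None
        key = (ev["id"], ev["dstip"])
        window = self.seen[key]
        window.append(ev["ts"])
        # Drop events that fell out of the 600 s timeframe
        while window and ev["ts"] - window[0] > TIMEFRAME:
            window.popleft()
        if len(window) >= ESCALATE_AT:
            return (12, f"{ev['id']} server {ev['dstip']} down 10 minutes")
        return (5, f"{ev['id']} server {ev['dstip']} down 5 minutes")


def run(text):
    """Feed every line through the correlator and return the alerts raised."""
    corr = Correlator()
    alerts = []
    for line in text.splitlines():
        alert = corr.feed(line)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for level, msg in run(SAMPLE_LOG):
        print(f"level {level}: {msg}")
```

On the constructed sample the Game host is down at 12:05 and again at 12:10, so the third line escalates to level 12 while the Domain host only reaches level 5; the "is up" line never passes the prematch and produces nothing.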
