ServPing Domain AHHHHHHHH down 06092016 08:48:01
ServPing Game AHHHHHHHH down 06092016 08:48:01

  <decoder name="servping">
    <prematch>^ServPing </prematch>
  </decoder>

  <decoder name="servping-all">
    <parent>servping</parent>
    <!-- fields after the prematch: name, host, state, date and time -->
    <regex offset="after_parent">(\w+) (\w+) (\w+) (\d\d\d\d\d\d\d\d \d\d:\d\d:\d\d)</regex>
    <order>id,dstip,action,extra_data</order>
  </decoder>

  <group name="servping-rules">
    <!-- base rule: every decoded ServPing line lands here at level 0 -->
    <rule id="700005" level="0">
      <decoded_as>servping-all</decoded_as>
      <description>PingServ Rules Group</description>
    </rule>

    <!-- per-server rules keyed on the first field (decoded as id) -->
    <rule id="700006" level="12">
      <if_sid>700005</if_sid>
      <id>Domain</id>
      <description>Domain Server Down!</description>
    </rule>

    <rule id="700007" level="12">
      <if_sid>700005</if_sid>
      <id>Game</id>
      <description>Game Server Down!</description>
    </rule>

    <!-- composite rules over a 600 second window -->
    <rule id="700008" level="12" frequency="1" timeframe="600">
      <if_matched_sid>700006</if_matched_sid>
      <description>Domain Server Down 10 Minutes!</description>
      <group>syslog,</group>
    </rule>

    <rule id="700009" level="12" frequency="1" timeframe="600">
      <if_matched_sid>700007</if_matched_sid>
      <description>Gaming Server Down 10 Minutes!</description>
      <group>syslog,</group>
    </rule>
  </group>

I will have to wait till Monday and I will post the bash and/or batch script and the setting up of it. Still having the issue of log monitoring of this alert from the native OSSEC server... but I will have a solution either way.

On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
>
> Was wondering on the best route/option to accomplish this?
>
> (similar to the USB storage detection)
>
> Was thinking about a batch or bash that would ping servers from a list to
> a file. Every so many minutes this file would be overwritten with the new
> results.
>
> If the results "differ" from the last log the alert would be triggered.
>
> (other option)
>
> Run script as scheduled task, write to log then monitor log like a syslog.
> Regex for the failed pings. Then alerts.
>
> Curious if any had tried and found either way better?
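As an added example (not the poster's script, which had not yet been shared), a POSIX shell script that pings each host in a list and appends result lines in exactly the shape the servping decoder above expects, so the existing rules fire unchanged. The list format (`<name> <host>` per line), the log path, the MMDDYYYY date order and the Linux iputils `ping -W` flag are assumptions.

```shell
#!/bin/sh
# Added example for the ossec-list thread above, not the original poster's code.
# Writes "ServPing <name> <host> <up|down> <MMDDYYYY HH:MM:SS>" lines to a log
# that OSSEC tails via <localfile>. Path and list format are assumptions.
LOG=${SERVPING_LOG:-/var/log/servping.log}

# Format one result line exactly as the servping-all decoder expects:
# $1 -> id, $2 -> dstip, $3 -> action, $4 -> extra_data.
servping_line() {
    printf 'ServPing %s %s %s %s\n' "$1" "$2" "$3" "$4"
}

# Timestamp in the decoder's \d{8} \d\d:\d\d:\d\d shape (assumed MMDDYYYY).
servping_now() {
    date '+%m%d%Y %H:%M:%S'
}

# "up" if one ICMP echo is answered within 2 seconds, otherwise "down".
# -W is the iputils (Linux) per-reply timeout; adjust for other ping builds.
ping_status() {
    if ping -c 1 -W 2 "$1" >/dev/null 2>&1; then echo up; else echo down; fi
}

# Read "<name> <host>" pairs from the list file ($1), skipping blank lines and
# lines starting with '#', and append one result line per host to $LOG.
servping_run() {
    while read -r name host; do
        [ -z "$name" ] && continue
        case $name in '#'*) continue ;; esac
        servping_line "$name" "$host" "$(ping_status "$host")" "$(servping_now)" >>"$LOG"
    done <"$1"
}

# Usage (e.g. from cron every few minutes): sh servping.sh /etc/servping.list
if [ $# -ge 1 ]; then
    servping_run "$1"
fi
```

Keep the host field a dotless label as in the sample lines: OSSEC's regex `\w` matches letters, digits, `@`, `-` and `_` only, so a dotted FQDN or IP in the second field would stop the `servping-all` regex from matching.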