Thanks, Done a similar thing...used scsi match in kernel log..
On Saturday, May 17, 2014 4:40:14 PM UTC+5:30, Nguyễn Văn Hớn wrote:
>
> That is my decoder and rule to detect USB
>
>
>
> ^kernel
>
>
>
> USB
> ^sd \S+
> ^sd \S+ [sdb] (\S+) SCSI (\.+)
> action,status
>
>
>
> USB
> ^usb 1-1: USB
On 05/17/2014 07:23 AM, Nguyễn Văn Hớn wrote:
How to configure OSSEC to auto-restart when it has a new rule or decoder
Add a rule to check for local_rules.xml being changed then fire up the
restart-ossec.sh response. But make sure the rules you put in there are
correct; otherwise, OSSEC may fail to s
How to configure OSSEC to auto-restart when it has a new rule or decoder
That is my decoder and rule to detect USB
^kernel
USB
^sd \S+
^sd \S+ [sdb] (\S+) SCSI (\.+)
action,status
USB
^usb 1-1: USB \S+
^usb 1-1: USB (\S+)
action
USB
Have USB USB attached
300020
removable disk
USB attached
300020
disconnect,
USB disconnection
Vào 02:25:45 UTC+7 Thứ b
This is /var/ossec/logs/archives/archives.log
2014 May 17 12:07:07 mysystem->/var/log/syslog May 17 12:07:06 mysystem
kernel: [62044.989418] usb 2-1.6: new high-speed USB device number 5 using
ehci_hcd
2014 May 17 12:07:07 mysystem->/var/log/syslog May 17 12:07:07 mysystem
mtp-probe: checking
Hi everybody. I have a config like
http://ossec-docs.readthedocs.org/en/latest/cookbooks/recipes/ar-agent-conf-restart.html.
but it's working. I don't know what is wrong somewhere.
I have added a rule in local_rule.xml and config in ossec.conf on the OSSEC server
Hi All,
As the subject states, and behaving as expected, OSSEC hits my CPUs when
updating the watched directories. They are WordPress installs to be precise.
I update plugins, etc. from the backend (via a terminal).
Now the question is this. What would be a good way to avoid this? ... Since
I k
It's not listing in ossec.log but lsusb detects it.
Is there any other log I should look into?
On Saturday, May 17, 2014 1:50:21 AM UTC+5:30, dan (ddpbsd) wrote:
>
>
> On May 16, 2014 4:19 PM, "Ashok" >
> wrote:
> >
> > Yes I did
> >
>
> Can you provide a log sample?
>
> >
> > On Saturday, May 17,
I am alert when a specific process called "stress" uses most CPU
ps -e -o pcpu,pmem,args --sort=pcpu|tail -n 1 |grep stress
The above command returns nothing when stress is not in top, otherwise
returns something like 93.4 0.0 stress -c 1 -t 60s
I made these changes
ossec.conf
full_com