http:\/\/www.ossec.net\/files\/snapshots\/ossec-hids-091105.tar.gz<\/a><\/em><\/p>\n\n\n\nNow, with the new version of OSSEC you can do it directly in there with the following configuration:<\/p>\n\n\n\n
<localfile>\n<log_format>command<\/log_format>\n<command>df -h<\/command>\n<\/localfile><\/code><\/pre>\n\n\n\nSince we already have a sample rule for\u00a0df -h<\/em>\u00a0included into OSSEC you would see the following when any partition reached 100%:<\/p>\n\n\n\n** Alert 1257451341.28290: mail \u2013 ossec,low_diskspace,\n2009 Nov 05 16:02:21 (home-ubuntu) 192.168.0.0->df -h\nRule: 531 (level 7) -> \u2018Partition usage reached 100% (disk space monitor).\u2019\nSrc IP: (none)\nUser: (none)\nossec: output: \u2018df -h\u2019: \/dev\/sdb1 24G 12G 11G 100% \/var\/backup<\/code><\/pre>\n\n\n\nAnother example, if you want to monitor the load average, you can configure OSSEC to monitor the \u201cuptime\u201d command and alert when it is higher than 2, for example:<\/p>\n\n\n\n
<localfile>\n<log_format>command<\/log_format>\n<command>uptime<\/command>\n<\/localfile><\/code><\/pre>\n\n\n\nAnd in the rule:<\/p>\n\n\n\n
<rule id=\u201d100101\u2033 level=\u201d7\u2033 ignore=\u201d7200\u2033>\n<if_sid>530<\/if_sid>\n<match>ossec: output: \u2018uptime\u2019: <\/match>\n<regex>load averages: 2.<\/regex>\n<description>Load average reached 2..<\/description>\n<\/rule><\/code><\/pre>\n\n\n\nLots of possibilities with this feature. If you have ideas of commands to monitor and rules, please comment.<\/p>\n","protected":false},"excerpt":{"rendered":"
We love logs. Inside OSSEC we treat everything as if it was a log and parse it appropriately with our rules. However, some information is not available in log files but we still want to monitor them. To solve that gap, we added the ability to monitor the output of commands via OSSEC and treat […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[],"_links":{"self":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/78"}],"collection":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/comments?post=78"}],"version-history":[{"count":1,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/78\/revisions"}],"predecessor-version":[{"id":79,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/78\/revisions\/79"}],"wp:attachment":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/media?parent=78"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/categories?post=78"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/tags?post=78"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}