ossec 2.3 questions on Process monitoring


Peter M. Abraham

Dec 7, 2009, 2:10:16 PM12/7/09
to ossec-list
Greetings:

RE: http://www.ossec.net/main/manual/manual-process-monitoring/

1. Does the syntax for the command line processing need to go in each
agent ossec.conf file or can it be in the centralized server
ossec.conf file?

i.e. would I place

<localfile>
  <log_format>command</log_format>
  <command>uptime</command>
</localfile>

In the server or on the agent in the ossec.conf file?

2. How often are the commands run? Is there a way to control how
often the commands are run?

Thank you.

Peter M. Abraham

Dec 10, 2009, 10:12:32 AM12/10/09
to ossec-list
bump

Daniel Cid

Dec 11, 2009, 9:44:42 AM12/11/09
to ossec...@googlegroups.com
Hi Peter,

It can go to the ossec.conf or to the centralized agent.conf as well. Both will work. Currently there is no way to control how often they run, but that might be a good feature to add. Right now it is every 1 or 2 minutes (depending on the flow of the logs).

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

Peter M. Abraham

Dec 16, 2009, 3:02:50 PM12/16/09
to ossec-list
Hi Daniel:

In /var/ossec/etc/shared/agent.conf on the ossec server I have the
following:

<agent_config os="Linux">
  <localfile>
    <log_format>command</log_format>
    <command>uptime</command>
  </localfile>
</agent_config>

In /var/ossec/rules/local_rules.xml on the ossec server I have the
following:

<group name="command,">
  <rule id="300101" level="7" ignore="7200">
    <if_sid>530</if_sid>
    <match>ossec: output: 'uptime': </match>
    <regex>load averages: 2.</regex>
    <description>Load average reached 2..</description>
  </rule>
</group>

Now, even though all ossec agents have been restarted, and I've
verified the agents have the above mentioned agent.conf file, I get no
alerts even when an agent's server load has gone above 2.

What must I do in order to get this to work?

Thank you.
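As an added illustration (not part of the thread or of OSSEC itself), the Python snippet below emulates how rule 300101 above evaluates the forwarded uptime output, including the ignore="7200" suppression window, against constructed sample lines. One caveat it makes visible: GNU/procps uptime on Linux prints the singular "load average:", while BSD-style uptime prints "load averages:", so a regex written for one wording never fires on the other.

```python
import re

# Emulation of rule 300101 from the thread. In OSSEC, <match> is a literal
# substring test and <regex> is an OSSEC regex; for this pattern "." means
# any single character, which Python's re handles identically.
RULE_MATCH = "ossec: output: 'uptime': "
RULE_REGEX = re.compile(r"load averages: 2.")
RULE_IGNORE_SECONDS = 7200  # ignore="7200": one alert per two hours

# Constructed sample lines (not captured from a real agent), in the form the
# agent forwards command output to the server.
SAMPLE_LINES = [
    # Linux (procps) wording: singular "load average:"
    "ossec: output: 'uptime':  14:02:11 up 3 days,  1:20,  2 users,  load average: 2.15, 1.90, 1.40",
    # BSD-style wording: plural "load averages:"
    "ossec: output: 'uptime':  2:02PM  up 3 days,  1:20, 2 users, load averages: 2.15, 1.90, 1.40",
    # Linux wording, load below the threshold
    "ossec: output: 'uptime':  14:03:11 up 3 days,  1:21,  2 users,  load average: 0.50, 0.40, 0.30",
]


def rule_matches(line):
    """True when both the <match> and <regex> conditions of rule 300101 hold."""
    return RULE_MATCH in line and RULE_REGEX.search(line) is not None


class RuleState:
    """Tracks the ignore window so the rule alerts at most once per window."""

    def __init__(self, ignore_seconds=RULE_IGNORE_SECONDS):
        self.ignore_seconds = ignore_seconds
        self.last_fired = None

    def evaluate(self, line, now):
        """Return True if an alert would be generated for `line` at time `now` (seconds)."""
        if not rule_matches(line):
            return False
        if self.last_fired is not None and now - self.last_fired < self.ignore_seconds:
            return False  # suppressed by ignore="7200"
        self.last_fired = now
        return True


def alerts_for(lines, start=0, step=60):
    """Indexes of lines that would alert if they arrived `step` seconds apart."""
    state = RuleState()
    return [i for i, line in enumerate(lines) if state.evaluate(line, start + i * step)]


if __name__ == "__main__":
    for i, line in enumerate(SAMPLE_LINES):
        print(i, rule_matches(line), line)
```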