Hi Daniel:
In /var/ossec/etc/shared/agent.conf on the ossec server I have the
following:
<agent_config os="Linux">
  <localfile>
    <log_format>command</log_format>
    <command>uptime</command>
  </localfile>
</agent_config>
In /var/ossec/rules/local_rules.xml on the ossec server I have the
following:
<group name="command,">
  <rule id="300101" level="7" ignore="7200">
    <if_sid>530</if_sid>
    <match>ossec: output: 'uptime': </match>
    <regex>load averages: 2.</regex>
    <description>Load average reached 2..</description>
  </rule>
</group>
Now, even though all ossec agents have been restarted, and I've
verified the agents have the above mentioned agent.conf file, I get no
alerts even when an agent's server load has gone above 2.
What must I do in order to get this to work?
Thank you.