Email Alert on High CPU Memory Utilization, Low Disk Space on Wazuh Agent


Eric

Jun 23, 2021, 3:38:55 AM
to Wazuh mailing list
Hi everyone, 

I'm looking for a way to create a rule, with an email alert, for monitoring high CPU/memory utilization and low disk space on a Wazuh agent.

CPU/memory utilization above a certain threshold: > 80%
Low disk space: < 10%.

1/ For monitoring the agents' disk space, I set this up in the centralized configuration (agent.conf) under /var/ossec/etc/shared/watch_log as below:

<agent_config>
    <!-- Shared agent configuration here -->
    <localfile>
        <log_format>command</log_format>
        <command>df -P</command>
    </localfile>
</agent_config>

/var/ossec/etc/rules/local_rules.xml 

<group name="ossec,">
  <rule id="100211" level="10" ignore="7200">
    <if_sid>530</if_sid>
    <match>ossec: output: 'df -P': /dev/</match>
    <regex>100%</regex>
    <description>Partition usage reached 100% (disk space monitor).</description>
    <group>low_diskspace,pci_dss_10.6.1,</group>
  </rule>
</group>

Now, I checked alerts.json in the Wazuh manager logs. It's not showing up there. What's happening, and what am I missing in the configuration?
 
2/ For monitoring the agents' high CPU/memory utilization, is it possible to do that with Wazuh? If yes, could you please suggest a way to go?



Jesus Linares

Jun 23, 2021, 4:03:53 AM
to Wazuh mailing list
Hi,

First, check that the agents where you want to run the "df -P" command are in the "watch_log" group that you created (check out the group documentation). Then, the rule that you created is not really necessary since it already exists in /var/ossec/ruleset/rules/0015-ossec_rules.xml (rule id 531).

If you don't see the corresponding alert in the alerts.json file, it is because the event didn't trigger an alert (no rules matched) or you didn't receive the event. Review both cases:
1. Review in the ossec.log of your agents if they are running the "df" command.
2. Enable the logall_json setting in the manager for a while. This way, you will see any event that the manager receives (regardless of whether it triggers an alert) in /var/ossec/logs/archives.json. Be aware that this can increase disk usage.
3. If you don't see the command event in this file, you should review your agent configuration.
4. If you see the event but there is no alert, you should review your rules. For that purpose, you can use the logtest tool.

>  For monitoring agents' High CPU Memory Utilization, Is it possible to do that with Wazuh? If yes, please could you suggest a way to go? 
Using command you can monitor everything that you need. Here you have some examples: https://documentation.wazuh.com/current/user-manual/capabilities/command-monitoring/command-configuration.html. Also, the syscollector module could be useful (https://documentation.wazuh.com/current/user-manual/capabilities/syscollector.html#processes).

Finally, if you want to run commands, I recommend using the "wodle command" instead of localfile-commands since it has more options.

I hope it helps.
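The four-step check above, as an added example that is not part of the original thread or of the Wazuh project: a small script that reads the manager's archives.json (only written while logall_json is on) and alerts.json, and reports whether the agent's "df -P" output never arrived, arrived but matched no rule, or produced an alert. The log paths are the usual manager defaults but are assumptions here, and the sample records are constructed to mirror the shape of the manager's JSON logs.

```python
"""Triage a missing command-monitoring alert from the manager's JSON logs.

Added example, not from this thread or from the Wazuh project. Paths are
assumed defaults; the sample records below are constructed.
"""
import json
import sys

ARCHIVES_PATH = "/var/ossec/logs/archives/archives.json"   # assumed default
ALERTS_PATH = "/var/ossec/logs/alerts/alerts.json"         # assumed default
COMMAND = "df -P"
# logcollector prefixes command output with this marker; rule 530 keys on it
MARKER = "ossec: output: '" + COMMAND + "':"


def load_json_lines(text):
    """Parse newline-delimited JSON; skip blank or truncated lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def command_records(text, agent_name):
    """Records from one agent whose full_log is the monitored command's output."""
    return [
        r for r in load_json_lines(text)
        if r.get("agent", {}).get("name") == agent_name
        and r.get("full_log", "").startswith(MARKER)
    ]


def triage(archives_text, alerts_text, agent_name):
    """Return 'no-event', 'event-no-alert', or 'alert-<rule ids>'."""
    if not command_records(archives_text, agent_name):
        return "no-event"            # agent config, group membership, remote_commands
    alerts = command_records(alerts_text, agent_name)
    if not alerts:
        return "event-no-alert"      # event arrived, no rule matched: try wazuh-logtest
    ids = sorted({str(a.get("rule", {}).get("id")) for a in alerts})
    return "alert-" + ",".join(ids)


# Constructed sample records in the shape of the manager's JSON logs.
SAMPLE_ARCHIVES = "\n".join([
    json.dumps({
        "timestamp": "2021-06-23T08:38:55.000+0000",
        "agent": {"id": "001", "name": "web01"},
        "location": "df -P",
        "decoder": {"name": "ossec"},
        "full_log": "ossec: output: 'df -P':\n"
                    "Filesystem 1024-blocks Used Available Capacity Mounted on\n"
                    "/dev/sda1 51475068 51475068 0 100% /",
    }),
    json.dumps({
        "timestamp": "2021-06-23T08:38:56.000+0000",
        "agent": {"id": "002", "name": "db01"},
        "location": "/var/log/auth.log",
        "full_log": "Jun 23 08:38:56 db01 sshd[4242]: Accepted publickey for ops",
    }),
])
SAMPLE_ALERTS = json.dumps({
    "timestamp": "2021-06-23T08:38:55.100+0000",
    "agent": {"id": "001", "name": "web01"},
    "rule": {"id": "531", "level": 7,
             "description": "Partition usage reached 100% (disk space monitor)."},
    "full_log": "ossec: output: 'df -P':\n"
                "Filesystem 1024-blocks Used Available Capacity Mounted on\n"
                "/dev/sda1 51475068 51475068 0 100% /",
})


def main(argv):
    """Usage: triage.py <agent name>  (run on the manager)."""
    agent = argv[1] if len(argv) > 1 else "web01"
    with open(ARCHIVES_PATH) as fh:
        archives = fh.read()
    with open(ALERTS_PATH) as fh:
        alerts = fh.read()
    print(agent, triage(archives, alerts, agent))


if __name__ == "__main__":
    main(sys.argv)
```

A "no-event" result points at the agent side (group membership, the command block, or the remote_commands flag), while "event-no-alert" means the manager saw the output and the rule is the problem, which is exactly the case to feed the full_log string into wazuh-logtest.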

Eric

Jun 23, 2021, 4:41:56 AM
to Jesus Linares, Wazuh mailing list
Hi Jesus, 

Thank you for your email.

1/ It already exists in /var/ossec/ruleset/rules/0015-ossec_rules.xml (rule id 531), but it's level 7. I want to update it to level 10. I want to ask whether I have to modify the rule level by overwriting it directly in /var/ossec/ruleset/rules or in /var/ossec/etc/rules/local_rules.xml. Could you please advise on this?

2/ It would be nice if you could share with me an example using the wodle command to monitor CPU/RAM. If not, I will try harder myself first.

Regards, 



--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/99c99e7c-a598-4cf2-a3ee-31d4f1a93390n%40googlegroups.com.

Jesus Linares

Jun 23, 2021, 6:04:30 AM
to Wazuh mailing list
Hi,

2. Example:
You can use the uptime command. It is a command that returns information about how long your system has been running together with the current time, number of users with running sessions, and the system load averages for the past 1, 5, and 15 minutes. 
<localfile>
    <log_format>command</log_format>
    <command>uptime</command>
</localfile>

Create a custom rule to alert when the load average reported by "uptime" is higher than two:

<rule id="100101" level="7" ignore="7200">
  <if_sid>530</if_sid>
  <match>ossec: output: 'uptime': </match>
  <regex>load average: 2.</regex>
  <description>Load average reached 2.</description>
</rule>

You can use this approach for other commands that gather metrics from the host.


Finally, I forgot to mention that to run commands in the agents from the manager, you need the explicit consent of the agents. The command modules can be set up in two different ways. It may be set up locally on each agent (ossec.conf), or remotely by the group configuration (agent.conf). Setting up remote commands in the group configuration (agent.conf) must be enabled explicitly for each agent. Otherwise, that agent will ignore the command to run. This parameter is defined as an internal option, so it is only necessary to enable this flag by adding the following line to the file etc/local_internal_options.conf in the agent:
- For localfiles/command: logcollector.remote_commands=1
- For wodle command:  wazuh_command.remote_commands=1

Regards.
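An added example, not from this thread or from the Wazuh project, that serves both the original question (disk usage over 90%, i.e. under 10% free, and CPU/memory over 80%) and the uptime approach in the reply above. Instead of encoding the threshold in a rule regex such as "100%" or "load average: 2.", the agent runs a small check that prints a fixed marker line only when a threshold is crossed, so a single rule on that marker fires for every metric. The marker METRIC-ALERT, the alias host-metrics, rule id 100220, the script path, the thresholds and all sample inputs are assumptions; the agent-side localfile block and the manager-side rule that tie it together are given in the script's docstring.

```python
#!/usr/bin/env python3
"""Threshold checks for disk, memory and CPU, run on the agent as a command.

Added example, not from the thread or from the Wazuh project. Marker, alias,
rule id, thresholds, paths and sample inputs are assumptions.

Agent side (ossec.conf, or agent.conf with logcollector.remote_commands=1):
  <localfile>
    <log_format>command</log_format>
    <command>/usr/bin/python3 /var/ossec/bin/host_metrics.py</command>
    <alias>host-metrics</alias>
    <frequency>300</frequency>
  </localfile>
Manager side (local_rules.xml):
  <rule id="100220" level="10" ignore="3600">
    <if_sid>530</if_sid>
    <match>ossec: output: 'host-metrics': METRIC-ALERT</match>
    <options>alert_by_email</options>
    <description>Host metric threshold exceeded (disk, memory or CPU).</description>
  </rule>
"""
import re
import subprocess
import time

DISK_USED_PCT = 90   # >= 90% used, i.e. the "< 10% free" from the question
MEM_USED_PCT = 80
CPU_BUSY_PCT = 80
MARKER = "METRIC-ALERT"


def check_disk(df_output, threshold=DISK_USED_PCT):
    """Parse `df -P` and flag /dev/* filesystems at or over the threshold."""
    alerts = []
    for line in df_output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("/dev/"):
            continue                                 # tmpfs, overlay, etc.
        used = int(fields[4].rstrip("%"))            # "Capacity" column
        if used >= threshold:
            alerts.append(f"{MARKER} disk {fields[5]} used={used}% threshold={threshold}%")
    return alerts


def check_memory(meminfo_text, threshold=MEM_USED_PCT):
    """Parse /proc/meminfo; used% = (MemTotal - MemAvailable) / MemTotal."""
    values = {}
    for line in meminfo_text.splitlines():
        m = re.match(r"^(\w+):\s+(\d+)", line)
        if m:
            values[m.group(1)] = int(m.group(2))
    total, avail = values.get("MemTotal"), values.get("MemAvailable")
    if not total or avail is None:
        return []                                    # cannot judge, stay silent
    used = round(100 * (total - avail) / total)
    return [f"{MARKER} memory used={used}% threshold={threshold}%"] if used >= threshold else []


def cpu_busy_pct(stat_before, stat_after):
    """Busy CPU % between two /proc/stat snapshots (aggregate 'cpu' line)."""
    def idle_total(text):
        fields = text.splitlines()[0].split()
        if fields[0] != "cpu":
            raise ValueError("expected the aggregate 'cpu' line first")
        nums = [int(x) for x in fields[1:]]
        idle = nums[3] + (nums[4] if len(nums) > 4 else 0)   # idle + iowait
        return idle, sum(nums)
    idle_a, total_a = idle_total(stat_before)
    idle_b, total_b = idle_total(stat_after)
    d_total = total_b - total_a
    if d_total <= 0:
        return 0.0                                   # identical snapshots
    return 100.0 * (1 - (idle_b - idle_a) / d_total)


def check_cpu(stat_before, stat_after, threshold=CPU_BUSY_PCT):
    """Flag the host when CPU busy time between the two snapshots is over the threshold."""
    busy = cpu_busy_pct(stat_before, stat_after)
    return [f"{MARKER} cpu busy={busy:.0f}% threshold={threshold}%"] if busy >= threshold else []


# Constructed sample inputs (not captured from a real host).
DF_SAMPLE = (
    "Filesystem     1024-blocks     Used Available Capacity Mounted on\n"
    "/dev/sda1         51475068 48901314   2573754      95% /\n"
    "tmpfs              4028300        0   4028300       0% /dev/shm\n"
    "/dev/sdb1        103081248 20616250  82464998      21% /data\n"
)
MEMINFO_SAMPLE = "MemTotal:        8000000 kB\nMemFree:          500000 kB\nMemAvailable:    1200000 kB\n"
STAT_BEFORE = "cpu  1000 0 500 8000 500 0 0 0 0 0\ncpu0 500 0 250 4000 250 0 0 0 0 0\n"
STAT_AFTER = "cpu  1900 0 900 8200 600 0 0 0 0 0\ncpu0 950 0 450 4100 300 0 0 0 0 0\n"


def main():
    """Live run on Linux: sample /proc/stat twice one second apart, then meminfo and df."""
    with open("/proc/stat") as fh:
        before = fh.read()
    time.sleep(1)
    with open("/proc/stat") as fh:
        after = fh.read()
    with open("/proc/meminfo") as fh:
        meminfo = fh.read()
    df = subprocess.run(["df", "-P"], capture_output=True, text=True, check=False).stdout
    lines = check_cpu(before, after) + check_memory(meminfo) + check_disk(df)
    print("\n".join(lines) if lines else "METRIC-OK all thresholds within limits")


if __name__ == "__main__":
    main()
```

For the email to go out, the manager needs email_notification enabled with SMTP settings in ossec.conf, and the rule must either reach the global email_alert_level or carry alert_by_email as in the docstring. Anything the agent executes runs with the agent's privileges (root on most installs), so the script file must be root-owned and not writable by other users; whoever can edit it gets code execution on every agent in the group, which is also why remote commands delivered through agent.conf have to be switched on explicitly with logcollector.remote_commands=1, as noted above.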

Tran Quang Du

Oct 13, 2021, 10:29:15 PM
to Wazuh mailing list
Hi Vu,
Have you solved this problem yet?
I want configure Email Alert on High CPU Memory Utilization, Low Disk Space on Wazuh Agent, can you help me?
Thank you!!

On Wednesday, June 23, 2021 at 17:04:30 UTC+7, Jesus Linares wrote: