I want to display a message that the HDD is over 80% !!!
673 views
Skip to first unread message
Huy Nguyễn
Nov 30, 2021, 10:07:21 PM11/30/21
to Wazuh mailing list
Help me ! As the title says, how should I configure when the HDD usage is over 80%?( EX: C, D,E )
Thank you very much
Manuel Pedro Gomez Castro
Dec 1, 2021, 3:57:05 AM12/1/21
to Wazuh mailing list
Hi there! Apologies if this message has been sent twice, I noticed that I couldn't see a previous response and I wanted to make sure it was sent correctly.
<group name="win-custom,">
<rule id="100034" level="7">
<if_sid>530</if_sid>
<match>ossec: output: 'free-space-disk-C':</match>
<regex>with less than 20%</regex>
<description>Device with less than 20% of free space </description>
</rule>
</group>
Starting wazuh-logtest v4.3.0
Type one log per line
ossec: output: 'free-space-disk-C': Device C:/ with less than 20% of free space - 13 %
**Phase 1: Completed pre-decoding.
full event: 'ossec: output: 'free-space-disk-C': Device C:/ with less than 20% of free space - 13 %'
**Phase 2: Completed decoding.
name: 'ossec'
**Phase 3: Completed filtering (rules).
id: '100034'
level: '7'
description: 'Device with less than 20% of free space '
groups: '['win-custom']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.
You can monitor your disk usage by using our command monitoring feature! (https://documentation.wazuh.com/current/user-manual/capabilities/command-monitoring/command-configuration.html#basic-usage)
To do this, first you would need to configure your windows agent. Assuming you will be monitoring disk C, add the following block:
<localfile>
<log_format>command</log_format>
<command>powershell -command "$disk = Get-PSDrive C | Select-Object Used,Free;$total = $disk.used + $disk.free;if ($total -gt 0){ $PercentFree = [Math]::round((($disk.free/$total) * 100))} else {$PercentFree = 0};if ($PercentFree -le 20){Write-Host 'Device C:/ with less than 20% of free space - '$PercentFree '%'}
"</command>
<frequency>43200</frequency>
<alias>free-space-disk-C</alias>
</localfile>
Where:
log_format: Specified the log format. In this case, command.
command: This command in cmd will call a PowerShell script. This one will check the free space in C: disk and will inform in case this is lower than 25 per cent of the total space.
frequency: The frequency of the command execution (set to 12 hours).
alias: Alias of the command.
More information about these options here: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html
After restarting your wazuh-agent you will receive the following event in your wazuh manager, in case your disk space is lower than 20%:
any->free-space-disk-C ossec: output: 'free-space-disk-C': Device C:/ with less than 25% of free space - 20 %
To do this, first you would need to configure your windows agent. Assuming you will be monitoring disk C, add the following block:
<localfile>
<log_format>command</log_format>
<command>powershell -command "$disk = Get-PSDrive C | Select-Object Used,Free;$total = $disk.used + $disk.free;if ($total -gt 0){ $PercentFree = [Math]::round((($disk.free/$total) * 100))} else {$PercentFree = 0};if ($PercentFree -le 20){Write-Host 'Device C:/ with less than 20% of free space - '$PercentFree '%'}
"</command>
<frequency>43200</frequency>
<alias>free-space-disk-C</alias>
</localfile>
Where:
log_format: Specified the log format. In this case, command.
command: This command in cmd will call a PowerShell script. This one will check the free space in C: disk and will inform in case this is lower than 25 per cent of the total space.
frequency: The frequency of the command execution (set to 12 hours).
alias: Alias of the command.
More information about these options here: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html
After restarting your wazuh-agent you will receive the following event in your wazuh manager, in case your disk space is lower than 20%:
any->free-space-disk-C ossec: output: 'free-space-disk-C': Device C:/ with less than 25% of free space - 20 %
Then, you would need to add a rule in your manager's /var/ossec/etc/rules/local_rules.xml file that responds to the event generated, for example:
<group name="win-custom,">
<rule id="100034" level="7">
<if_sid>530</if_sid>
<match>ossec: output: 'free-space-disk-C':</match>
<regex>with less than 20%</regex>
<description>Device with less than 20% of free space </description>
</rule>
</group>
- Restart your wazuh manager.
- Ensure your alert is working using /var/ossec/bin/wazuh-logtest tool:
Starting wazuh-logtest v4.3.0
Type one log per line
ossec: output: 'free-space-disk-C': Device C:/ with less than 20% of free space - 13 %
**Phase 1: Completed pre-decoding.
full event: 'ossec: output: 'free-space-disk-C': Device C:/ with less than 20% of free space - 13 %'
**Phase 2: Completed decoding.
name: 'ossec'
**Phase 3: Completed filtering (rules).
id: '100034'
level: '7'
description: 'Device with less than 20% of free space '
groups: '['win-custom']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.
Huy Nguyễn
Dec 2, 2021, 8:25:00 PM12/2/21
to Manuel Pedro Gomez Castro, Wazuh mailing list
Vào Th 4, 1 thg 12, 2021 vào lúc 15:57 Manuel Pedro Gomez Castro <manuel...@wazuh.com> đã viết:
--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/Iq6SkEuWhG4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/df6f68f1-f90f-4907-8ef2-1ac8c8da7181n%40googlegroups.com.
Manuel Pedro Gomez Castro
Dec 9, 2021, 2:45:21 AM12/9/21
to Wazuh mailing list
Hello! Apologies for the delay!
The section you ask executes a command and registers its log. This means that it must be added to the ossec.conf file of the machine whose hard drive you wish to monitor.
On a windows machine, by default, the ossec.conf file is located at C:\Program Files (x86)\ossec-agent\ossec.conf
You can learn more about the localfile block in our documentation!
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html
I hope this clears it up!
The section you ask executes a command and registers its log. This means that it must be added to the ossec.conf file of the machine whose hard drive you wish to monitor.
On a windows machine, by default, the ossec.conf file is located at C:\Program Files (x86)\ossec-agent\ossec.conf
You can learn more about the localfile block in our documentation!
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html
I hope this clears it up!
Matteo Torta
Jan 16, 2023, 4:57:44 AM1/16/23
to Wazuh mailing list
Is not possible to implement this on the manager to monitoring the disk space of all agents?
Reply all
Reply to author
Forward
0 new messages