Disk usage monitoring

[Flek Kontrec]

Hi,

I've got Wazuh 4.3 installed on 2 Oracle Linux 8.6 servers (1 Indexer and 1 Manager/Dashboard). I'd like to monitor disk usage and send an email when usage is 90%. I'm testing this on Wazuh Indexerserver.

Default rule 531 is triggered when usage is 100%.

I've opened /var/ossec/etc/rules/local_rules.xml and copied these lines at the end of the file:

<group name="Wazuh disk monitoring">
  <rule id="531" level="7" ignore="7200" overwrite="yes">
    <if_sid>530</if_sid>
    <match>ossec: output: 'df -P': /dev/</match>
    <regex>57%</regex>
    <description>Partition usage reached 57% (disk space monitor).</description>
    <group>low_diskspace,pci_dss_10.6.1,</group>
  </rule>
</group>

For the test purposes threshold is 57% because this is the disk usage on Wazuh Indexer server (Wazuh agent is installed on the server):

[root@indexer ~]# df -P
Filesystem     1024-blocks    Used  Available Capacity Mounted on
/dev/sda2         15718400 8941744    6776656      57% /

Running wazuh-logtest gives me the following output:

[root@manager]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.9
Type one log per line

ossec: output: 'df -P': /dev/sda2         15718400 8940388    6778012      57% /

**Phase 1: Completed pre-decoding.
        full event: 'ossec: output: 'df -P': /dev/sda2         15718400 8940388    6778012      57% /'

**Phase 2: Completed decoding.
        name: 'ossec'

**Phase 3: Completed filtering (rules).
        id: '531'
        level: '7'
        description: 'Partition usage reached 57% (disk space monitor).'
        groups: '['Wazuh disk monitoringlow_diskspace']'
        firedtimes: '1'
        mail: 'False'
        pci_dss: '['10.6.1']'
**Alert to be generated.

This seems fine.

I've then restarted Wazuh agent on Wazuh Indexer server and checked the /var/ossec/logs/archives/archives.log file. There I see this line:

2023 Jan 09 14:42:23 (indexer.localdomain) any->df -P ossec: output: 'df -P': /dev/sda2         15718400 8941816    6776584      57% /

I've enabled the logall option in ossec.conf file: <logall>yes</logall>

So the alert is not generated.

What am I missing here? Why rule.id 531 is not triggered when disk usage is checked on the server?

Regards

[Mariano Koremblum]

Hi Flek! (Is that your name?)

Could you please repeat the tests? But instead of using the logall option, use the logall_json one, which provides more information, and then please share the output with us. The entry should be logged into the archives.json file.

I will be waiting for your reply,

Mariano Koremblum

​

[Flek Kontrec]

Hi,

I've done it and here is the output:

{"timestamp":"2023-01-09T15:57:16.171+0100","agent":{"id":"001","name":"indexer.localdomain","ip":"10.10.10.2"},"manager":{"name":"manager"},"id":"1673276236.4145604","full_log":"ossec: output: 'df -P': /dev/sda2         15718400 8941752    6776648      57% /","decoder":{"name":"ossec"},"location":"df -P"}

[Mariano Koremblum]

Did you restart your manager as well? This is the required step for the new rule to take effect.

[Flek Kontrec]

No I haven't. There is no instruction to do it in the documentation. Now I've done it and it works... I believed testing the log entry in wazuh-logtest is enough, if it passes, that's it. Thanks for your help.

[Mariano Koremblum]

We are sorry for the inconvenience, I will report it so the documentation gets improved. The thing with wazuh-logtest is that it loads its own ruleset every time it is executed, which is why the changes took effect.

I am glad to hear that it worked :)

Do not hesitate to reach out again whenever you need us,

Mariano Koremblum

​