Disk space utilization local rules


Roman S

Oct 9, 2025, 7:32:28 AM (yesterday) Oct 9
to Wazuh | Mailing List
Hi Team, please help me. I configured this alert:
https://documentation.wazuh.com/current/user-manual/capabilities/command-monitoring/use-cases/disk-space-utilization.html

I decided to improve it a little. I want to receive a notification when the disk full issue is resolved, but this rule 100016 message appears every update interval. Any ideas on how to fix this? I've already tried everything I could, and it seems I'll have to use the default configuration without the conflict resolution messages. Slack notifications are enabled from level 9. Sorry for my not very good English, I'm not a native speaker.

local_rules.xml
 <group name="disk_space_utilization,">
  <rule id="100015" level="12">
    <decoded_as>disk-usage</decoded_as>
    <field name="filesystem">^/dev/mapper/</field>
    <field name="usage">^9\d|^8\d|^7[5-9]</field>
    <description> CRITICAL: Usage $(usage)% of $(filesystem) partition exceeded 75%.</description>
    <options>no_full_log</options>
  </rule>

  <rule id="100016" level="9" maxsize="1">
    <decoded_as>disk-usage</decoded_as>
    <field name="filesystem">^/dev/mapper/</field>
    <field name="usage" negate="yes">^9\d|^8\d|^7[5-9]</field>
    <description> RESOLVED: Disk usage normalized - $(usage)% of $(filesystem) partition is below 75%.</description>
    <options>no_full_log</options>
  </rule>
</group>

Md. Nazmur Sakib

Oct 9, 2025, 8:08:57 AM (yesterday) Oct 9
to Wazuh | Mailing List

Hi Roman,

In this scenario, command monitoring is running this command.
Get-Volume -DriveLetter C | Select-Object -Property @{'Name' = '% Free'; Expression = {'{0:P}' -f ($_.SizeRemaining / $_.Size)}}

And it gets a numeric output.
And you have rules based on the log pattern that trigger an alert when the number is less than 75.
As, most of the time, the value is below 75%, you are getting repetitive alerts.


I can give you some suggestions on this.

1. If you only keep rules for triggering an alert when the usage is 80% or above, and if there are no alerts, you can consider that you do not have high disk usage.

2. Now, another solution is to ignore the alert for a time range once it is triggered.

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#rule:~:text=1%20to%2099999-,ignore,-Definition

<rule id="XXXXXXX" level="X" ignore="60">

3. Another option would be to run a script on the endpoint.
https://documentation.wazuh.com/current/user-manual/capabilities/command-monitoring/configuration.html
The script will run this command.
Get-Volume -DriveLetter C | Select-Object -Property @{'Name' = '% Free'; Expression = {'{0:P}' -f ($_.SizeRemaining / $_.Size)}}

And write the output to a log file in syslog or JSON format.

The logic will be:
If (no logs in the log file):
    Add this output.
else (there is a log in the log file):
    Read the log file and compare the current output with the last log.

Now compare the current log output with the last log output.

Do not write a log with a value below 75% if the last log is also about a value below 75%.
So now you will not have two logs one after another with a value below 75%.

Now read that log file with localfile to forward it to Wazuh.
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html

If you do not want to complicate it, I suggest you use the first one, and if you want to have an alert when the disk gets back to normal, follow the last solution.

Let me know if you need any further information.
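A script implementing the third suggestion, added here as an example; it is not part of the thread and not Wazuh's own code. It parses df -P style output (a constructed sample is embedded; Get-Volume output would need its own parser), keeps a small JSON state file, and appends one JSON line only when a filesystem crosses the 75% boundary, so a rule matching the log file fires once for CRITICAL and once for RESOLVED. The file names disk_state.json and disk_usage.json are assumptions.

```python
import json
import re
from pathlib import Path
THRESHOLD = 75  # the boundary used by rules 100015/100016 (^9\d|^8\d|^7[5-9] = 75..99)

# Constructed sample of `df -P` output standing in for a real command run.
SAMPLE_DF = """Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/mapper/vg-root 100000 82000 18000 82% /
/dev/mapper/vg-data 200000 60000 140000 30% /data
tmpfs 8000 0 8000 0% /dev/shm
"""
DF_LINE = re.compile(r"^(?P<fs>\S+)\s+\d+\s+\d+\s+\d+\s+(?P<usage>\d+)%\s+\S+$")

def parse_df(text):
    """Return {filesystem: usage%} for /dev/mapper/ entries, the same filter the rules use."""
    usage = {}
    for line in text.splitlines()[1:]:  # skip the header line
        m = DF_LINE.match(line.strip())
        if m and m.group("fs").startswith("/dev/mapper/"):
            usage[m.group("fs")] = int(m.group("usage"))
    return usage

def transition(prev_high, usage, threshold=THRESHOLD):
    """'CRITICAL' or 'RESOLVED' only when the state flips; None while it stays the same."""
    now_high = usage >= threshold
    if now_high and not prev_high:
        return "CRITICAL"
    if prev_high and not now_high:
        return "RESOLVED"
    return None

def check(df_text, state):
    """state: {filesystem: was_above_threshold}. Returns (events to log, updated state)."""
    events, new_state = [], dict(state)
    for fs, pct in parse_df(df_text).items():
        status = transition(state.get(fs, False), pct)
        new_state[fs] = pct >= THRESHOLD
        if status:
            events.append({"status": status, "filesystem": fs, "usage": pct})
    return events, new_state

def run(df_text, state_file, log_file):
    """One scheduled run: load state, append JSON lines for transitions only, save state."""
    path = Path(state_file)  # assumed location of the state file
    state = json.loads(path.read_text()) if path.exists() else {}
    events, state = check(df_text, state)
    with open(log_file, "a") as fh:  # assumed log file read by <localfile>
        for ev in events:
            fh.write(json.dumps(ev) + "\n")
    path.write_text(json.dumps(state))
    return events
```

Point a localfile with log_format json at disk_usage.json and write two rules on the decoded status field (CRITICAL and RESOLVED); each then fires once per state change instead of every interval.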