Aucun résumé des modifications |
Aucun résumé des modifications |
Ligne 331 : | Ligne 331 : | ||
=3<sup>ème</sup> cas= | |||
---- | |||
ossec: output: 'df -P': /dev/mapper/vgserverdb-lvserverdb 488143996 436452180 51691816 90% /disk1 | |||
| |||
ossec: output: 'df -P': /dev/mapper/vgserverdb-lvserverdb 488143996 436452180 51691816 1O0% /disk1 | |||
---- | |||
---- | |||
Starting wazuh-logtest v4.2.5 | |||
Type one log per line | |||
| |||
ossec: output: 'df -P': /dev/mapper/vgserverdb-lvserverdb 488143996 436452180 51691816 90% /disk1 | |||
| |||
**Phase 1: Completed pre-decoding. | |||
full event: 'ossec: output: 'df -P': /dev/mapper/vgserverdb-lvserverdb 488143996 436452180 51691816 90% /disk1' | |||
**Phase 2: Completed decoding. | |||
name: 'ossec' | |||
**Phase 3: Completed filtering (rules). | |||
id: '530' | |||
level: '0' | |||
description: 'OSSEC process monitoring rules.' | |||
groups: '['ossec', 'process_monitor']' | |||
firedtimes: '1' | |||
mail: 'False' | |||
---- | |||
---- | |||
<localfile> | |||
<log_format>command</log_format> | |||
<command>df -P</command> | |||
<frequency>360</frequency> | |||
</localfile> | |||
---- | |||
/var/ossec/ruleset/rules/0015-ossec_rules.xml | |||
---- | |||
<group name="ossec,"> | |||
<rule id="500" level="0"> | |||
<category>ossec</category> | |||
<decoded_as>ossec</decoded_as> | |||
<description>Grouping of ossec rules.</description> | |||
</rule> | |||
<rule id="530" level="0"> | |||
<if_sid>500</if_sid> | |||
<match>^ossec: output: </match> | |||
<description>OSSEC process monitoring rules.</description> | |||
<group>process_monitor,</group> | |||
</rule> | |||
<rule id="531" level="7" ignore="7200"> | |||
<if_sid>530</if_sid> | |||
<match>ossec: output: 'df -P': /dev/</match> | |||
<regex>100%</regex> | |||
<description>Partition usage reached 100% (disk space monitor).</description> | |||
<group>low_diskspace,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,tsc_CC7.2,tsc_CC7.3,</group> | |||
</rule> | |||
<rule id="532" level="0"> | |||
<if_sid>531</if_sid> | |||
<match>cdrom|/media|usb|/mount|floppy|dvd</match> | |||
<description>Ignoring external medias.</description> | |||
</rule> | |||
</group> | |||
---- | |||
---- | |||
<group name="ossec,"> | |||
<rule id="100101" level="7" ignore="7200"> | |||
<if_sid>530</if_sid> | |||
<match>ossec: output: 'df -P': /dev/</match> | |||
<regex>9\d%</regex> | |||
<description>Partition usage reached 90% (disk space monitor).</description> | |||
<group>low_diskspace,</group> | |||
</rule> | |||
</group>. | |||
---- | |||
---- | |||
Starting wazuh-logtest v4.2.5 | |||
Type one log per line | |||
| |||
ossec: output: 'df -P': /dev/mapper/vgserverdb-lvserverdb 488143996 436452180 51691816 90% /disk1 | |||
| |||
**Phase 1: Completed pre-decoding. | |||
full event: 'ossec: output: 'df -P': /dev/mapper/vgserverdb-lvserverdb 488143996 436452180 51691816 90% /disk1' | |||
**Phase 2: Completed decoding. | |||
name: 'ossec' | |||
**Phase 3: Completed filtering (rules). | |||
id: '100101' | |||
level: '7' | |||
description: 'Partition usage reached 90% (disk space monitor).' | |||
groups: '['ossec']' | |||
firedtimes: '1' | |||
mail: 'True' | |||
**Alert to be generated. | |||
---- | |||
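Review bot: The custom rule 100101 in the second rules block chains on `<if_sid>530</if_sid>` but has no counterpart to rule 532, so a removable device at 90–99% in the `df -P` output now raises a level-7 alert that the built-in 100% rule would have silenced via its media filter; a child rule with the same `<match>` restores that exclusion. The description says "reached 90%" while `9\d%` fires for 90–99%, so `<description>Partition usage reached 90% or more (disk space monitor).</description>` describes it more accurately. The stray `.` after the closing `</group>` of the custom block sits outside the root element and should be removed before that file is loaded by the manager. The second sample line at the top uses a letter O in `1O0%`, so it cannot exercise rule 531's `<regex>100%</regex>`; presumably this is a typo rather than an intended negative test.
```xml
<group name="ossec,">
  <!-- … unchanged: rule 100101 … -->
  <rule id="100102" level="0">
    <if_sid>100101</if_sid>
    <match>cdrom|/media|usb|/mount|floppy|dvd</match>
    <description>Ignoring external medias.</description>
  </rule>
</group>
```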