[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ossec-list] adsl rule

To: ossec-list@xxxxxxxxxxxxxxxx
Subject: [ossec-list] adsl rule
From: Martin West <martin@xxxxxxxxxxxxxxxx>
Date: Sat, 07 Apr 2007 23:58:18 +0100
Content-transfer-encoding: 7bit

I wrote a rule 

<group name="local,syslog,">

  <rule id="101000" level="0" noalert="1">
      <decoded_as>adsl</decoded_as>
      <description>Grouping for the adsl rules.</description>
  </rule>

    <rule id="101001" level="8">
      <if_sid>101000</if_sid>
      <description>Monitor adsl line down</description>
      <match>ADSL line is down</match>
    </rule>

    <rule id="101002" level="8">
      <if_sid>101000</if_sid>
      <description>Monitor adsl line up</description>
      <match>ADSL line is up</match>
    </rule>

</group> <!-- SYSLOG,LOCAL -->

to check for log entries ...

Apr  7 16:57:02 thecla2 kernel: ATM dev 0: ADSL line is down
Apr  7 16:57:03 thecla2 kernel: ATM dev 0: ADSL line is synchronising
Apr  7 16:57:43 thecla2 kernel: ATM dev 0: ADSL line is up (2656 kb/s
down | 448 kb/s up)

However it does seem to trigger, well at least generate an email.

It gets loaded ...

2007/04/04 23:44:34 ossec-analysisd: Reading rules file:
'adsl_rules.xml'

Is it just me or is the documentation a bit sparse?

Thanks Martin West

Follow-Ups:
- [ossec-list] Re: adsl rule
  - From: Daniel Cid

References:
- [ossec-list] SVN v. OSSEC
  - From: Steven Ourada
- [ossec-list] Re: SVN v. OSSEC
  - From: Martin West

Prev by Date: [ossec-list] Re: SVN v. OSSEC
Next by Date: [ossec-list] Re: adsl rule
Previous by thread: [ossec-list] Re: SVN v. OSSEC
Next by thread: [ossec-list] Re: adsl rule
Index(es):
- Date
- Thread

OSSEC home | Main Index | Thread Index

OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.