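<!--
  Wazuh custom rules: daemon health checks (100010-100013) and host metric
  thresholds (100014-100017). Each family has one parent rule that matches any
  JSON event carrying the marker field, and child rules that refine on the
  field's value through <if_sid>. Field patterns are Wazuh OSRegex: "\." is
  any character, "\d" is a digit, "^" anchors to the start of the value.
-->
<group name="wazuh,healthcheck">

  <!-- Parent: a JSON event with a non-empty "healthy" field. -->
  <rule id="100010" level="5">
    <decoded_as>json</decoded_as>
    <field name="healthy">\.+</field>
    <description>Wazuh Health Check</description>
    <options>no_full_log</options>
  </rule>

  <rule id="100011" level="5">
    <if_sid>100010</if_sid>
    <field name="healthy">yes</field>
    <description>All Wazuh Services Are Healthy</description>
    <options>no_full_log</options>
  </rule>

  <!-- A restart was attempted; kept informational so only the persistent
       failure (100013) reaches alerting level. $(wazuhprocess) is taken from
       the event's own JSON field. -->
  <rule id="100012" level="5">
    <if_sid>100010</if_sid>
    <field name="healthy">attempting_restart</field>
    <description>Wazuh Service $(wazuhprocess) is in a failed state. Attempting a restart</description>
    <options>no_full_log</options>
  </rule>

  <rule id="100013" level="12">
    <if_sid>100010</if_sid>
    <field name="healthy">no</field>
    <description>Wazuh Service $(wazuhprocess) is in a failed state</description>
    <options>no_full_log</options>
  </rule>

  <!-- Parent: a JSON event with a non-empty "cpu" field. -->
  <rule id="100014" level="5">
    <decoded_as>json</decoded_as>
    <field name="cpu">\.+</field>
    <description>Metrics Health Check</description>
    <options>no_full_log</options>
  </rule>

  <!-- Threshold rules. NOTE(review): these assume the metric is a numeric
       percentage such as "85" or "85.2"; confirm against the producer.
       "^8\d" matches 80-89, "^9\d" 90-99 and "^100" 100, so a single-digit
       value like "8.5" does not trip the alert and a bare "100" is not missed
       (a trailing "\.+" would require at least one character after it). -->
  <rule id="100015" level="12">
    <if_sid>100014</if_sid>
    <field name="ram">^8\d|^9\d|^100</field>
    <description>Memory Usage is High $(ram)</description>
    <options>no_full_log</options>
  </rule>

  <rule id="100016" level="12">
    <if_sid>100014</if_sid>
    <field name="cpu">^8\d|^9\d|^100</field>
    <description>CPU Usage is High $(cpu)</description>
    <options>no_full_log</options>
  </rule>

  <!-- Disk alerts from 70% upward, earlier than CPU/RAM. -->
  <rule id="100017" level="12">
    <if_sid>100014</if_sid>
    <field name="disk">^7\d|^8\d|^9\d|^100</field>
    <description>Disk Space is Running Low $(disk)</description>
    <options>no_full_log</options>
  </rule>

</group>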