#!/bin/bash
#
# dropcount-analysisd
#
# Track Wazuh manager analysisd event drops.
#
# The /var/ossec/var/run/wazuh-analysisd.state file where wazuh-analysisd natively reports event drops only contains
# the count for the last 5 seconds by default. This script polls that file every 5 seconds and maintains an accumulating counter
# which it updates to disk every minute (/var/ossec/var/run/analysisd.drops)
# and also writes an hourly log update to /var/ossec/logs/dropcount-analysisd.log.
#
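# No `set -e` on purpose: this is a long-running monitor and a transient failure
# (state file briefly unreadable, counter file not writable) must not kill the
# loop. Every step that matters reports to stderr instead.
set -u

readonly OSSEC_DIR=/var/ossec
readonly RUN_DIR="${OSSEC_DIR}/var/run"
readonly STATE_FILE="${RUN_DIR}/wazuh-analysisd.state"
readonly DROPS_FILE="${RUN_DIR}/analysisd.drops"
readonly RCVD_FILE="${RUN_DIR}/analysisd.rcvd"
readonly DROPS_HOURLY_FILE="${RUN_DIR}/analysisd.drops.hourly"
readonly RCVD_HOURLY_FILE="${RUN_DIR}/analysisd.rcvd.hourly"
readonly LOG_FILE="${OSSEC_DIR}/logs/dropcount-analysisd.log"

# Poll the state file every POLL_SECS seconds; persist the running totals every
# PERSIST_EVERY polls (one minute); write the log line every LOG_EVERY polls
# (one hour). LOG_EVERY must stay a multiple of PERSIST_EVERY so the on-disk
# counters are current at the moment the hourly line is written.
# NOTE: POLL_SECS has to match the interval at which analysisd rewrites its
# state file (5 s by default); polling faster double-counts, slower under-counts.
readonly POLL_SECS=5
readonly PERSIST_EVERY=12
readonly LOG_EVERY=720

#######################################
# Write a diagnostic line to stderr.
# Arguments: $* - message
#######################################
warn() {
  printf 'dropcount-analysisd: %s\n' "$*" >&2
}

#######################################
# Succeed when $1 is a non-empty string of decimal digits.
# Everything fed to (( )) below passes through this first: bash *evaluates*
# arithmetic operands, so a counter file or state line that does not hold a
# plain integer must be rejected, never expanded.
# Arguments: $1 - candidate value
# Returns:   0 if $1 is an unsigned integer, 1 otherwise
#######################################
is_uint() {
  [[ "$1" =~ ^[0-9]+$ ]]
}

#######################################
# Print the integer stored in a counter file.
# Arguments: $1 - path of the counter file
# Outputs:   the integer, or 0 if the file is missing, unreadable or not a
#            plain integer
#######################################
read_counter() {
  local file=$1 value=
  [[ -r "$file" ]] && value=$(<"$file")   # $(<f) drops trailing newlines
  if is_uint "$value"; then
    printf '%s' "$value"
  else
    printf '0'
  fi
}

#######################################
# Store an integer in a counter file as a single line.
# Arguments: $1 - path of the counter file
#            $2 - value to store
#######################################
write_counter() {
  local file=$1 value=$2
  printf '%s\n' "$value" > "$file" || warn "cannot write ${file}"
}

#######################################
# Print the value of one key from the analysisd state file, whose lines look
# like key='N'.
# Globals:   STATE_FILE (read)
# Arguments: $1 - key name, e.g. events_dropped
# Outputs:   the integer value, or 0 when the file or the key is missing or
#            the value is not a plain integer
#######################################
state_value() {
  local key=$1 line value
  [[ -r "$STATE_FILE" ]] || { printf '0'; return; }
  # Anchored at line start and limited to one match so that a key which merely
  # contains $key, or a repeated key, cannot yield a multi-line value.
  line=$(grep -m1 -- "^${key}=" "$STATE_FILE") || { printf '0'; return; }
  value=${line#*=}       # strip "key="
  value=${value//\'/}    # strip the surrounding single quotes
  if is_uint "$value"; then
    printf '%s' "$value"
  else
    printf '0'
  fi
}

#######################################
# Accumulate analysisd drop/receive counts forever (see file header).
# Globals:   all *_FILE and *_EVERY constants (read)
# Outputs:   counter files in RUN_DIR, one line per hour in LOG_FILE
#######################################
main() {
  local file
  for file in "$DROPS_FILE" "$RCVD_FILE" "$DROPS_HOURLY_FILE" "$RCVD_HOURLY_FILE"; do
    [[ -f "$file" ]] || write_counter "$file" 0
  done

  # Running totals survive restarts via the counter files; the hourly baseline
  # is the total at the last hourly log line.
  local total_drops total_rcvd hourly_drops hourly_rcvd
  total_drops=$(read_counter "$DROPS_FILE")
  total_rcvd=$(read_counter "$RCVD_FILE")
  hourly_drops=$(read_counter "$DROPS_HOURLY_FILE")
  hourly_rcvd=$(read_counter "$RCVD_HOURLY_FILE")

  local i=0 last_drops last_rcvd drops_delta rcvd_delta
  while true; do
    # Values are already validated as integers, so the arithmetic is safe.
    last_drops=$(state_value events_dropped)
    last_rcvd=$(state_value events_received)
    total_drops=$(( total_drops + last_drops ))
    total_rcvd=$(( total_rcvd + last_rcvd ))

    sleep "$POLL_SECS"

    if (( i % PERSIST_EVERY == 0 )); then
      write_counter "$DROPS_FILE" "$total_drops"
      write_counter "$RCVD_FILE" "$total_rcvd"
    fi

    if (( i % LOG_EVERY == 0 )); then
      drops_delta=$(( total_drops - hourly_drops ))
      rcvd_delta=$(( total_rcvd - hourly_rcvd ))
      # Values go through printf arguments, never the format string.
      printf '%s - Total %s drops of %s events received. Last hour %s drops of %s events received.\n' \
        "$(date +%c)" "$total_drops" "$total_rcvd" "$drops_delta" "$rcvd_delta" \
        >> "$LOG_FILE" || warn "cannot append to ${LOG_FILE}"
      hourly_drops=$total_drops
      hourly_rcvd=$total_rcvd
      write_counter "$DROPS_HOURLY_FILE" "$hourly_drops"
      write_counter "$RCVD_HOURLY_FILE" "$hourly_rcvd"
    fi

    i=$(( i + 1 ))
  done
}

main "$@"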