Here are some additional Nagios plugins that may be useful if you are monitoring Security Analytics via Nagios. They are mainly used for graphing rather than alerting, but they could easily be adapted.
They use the check_by_ssh command to run the scripts remotely on the different appliances.
$USER1$/check_by_ssh -H $HOSTADDRESS$ ./index-profile-1.2-nagios.pl -l root -t 60
The scripts are a combination of work from colleagues (Lee Kirkpatrick, Maxim Siyazov, Davide Veneziano) and my own efforts.
Note that these scripts have the admin NetWitness credentials hardcoded inside them, which is not best security practice!
Script to Get Current Log Decoder Capture Rate
Command Line: ./getEPS_logdecoder.sh
Example Output: capture rate: 0|capture_rate=0;;
Install on: Log Decoder
Script to get Log Collection EPS
Install on: Log Collector
Command Line: ./getEPS_nagios.sh
Example Output: Syslog: 0 SDEE: 0 Windows: 0 Checkpoint: 0 VMWare: 0 File: 0 Netflow: 0 ODBC: Total: 0|Syslog=0 SDEE=0 Windows=0 Checkpoint=0 VMWare=0 File=0 Netflow=0 ODBC=0 Total=0;;
Script to Monitor Warehouse Streams Behind Value
Install on: Warehouse Connector
Command Line: ./get_Warehouse.sh
Example Output: Elastic3: 28815 LogStream3: 8404 PacketStream3: 1860 |Elastic3=28815 LogStream3=8404 PacketStream3=1860 ;;
Script to Monitor Index Keys that are over 70% Full
Install on Concentrator
Command Line: ./index-profile-1.2-nagios.pl
Example Output: param=100.00% user.session=100.00% stransport=90.61% ip.srcport=82.57% |param=100.00% user.session=100.00% stransport=90.61% ip.srcport=82.57% ;;
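The scripts above only emit graphing perfdata (the part after the "|", with empty ";;" warn/crit fields), so Nagios never raises an alert from them. As an added example that is not one of the scripts above, the following Python wrapper parses that perfdata and applies warning/critical thresholds so the same output can drive alerting; the sample outputs are copied from the example outputs on this page, and the threshold values are constructed for illustration.

```python
import re
import sys

# Nagios exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATE_NAME = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}

# One perfdata token as emitted by the scripts above: label=value with an
# optional '%' unit. The trailing ';;' (empty warn/crit fields) is skipped.
PERF_RE = re.compile(r"([^\s=]+)=(-?\d+(?:\.\d+)?)(%?)")

# Sample plugin outputs, copied from the example outputs on this page.
INDEX_OUTPUT = ("param=100.00% user.session=100.00% stransport=90.61% ip.srcport=82.57% "
                "|param=100.00% user.session=100.00% stransport=90.61% ip.srcport=82.57% ;;")
WAREHOUSE_OUTPUT = ("Elastic3: 28815 LogStream3: 8404 PacketStream3: 1860 "
                    "|Elastic3=28815 LogStream3=8404 PacketStream3=1860 ;;")


def parse_perfdata(output):
    """Return {label: float} from the perfdata section (after the first '|')."""
    if "|" not in output:
        return {}
    perf = output.split("|", 1)[1]
    return {m.group(1): float(m.group(2)) for m in PERF_RE.finditer(perf)}


def evaluate(output, warn, crit):
    """Turn graph-only plugin output into (exit_code, status_line).

    CRITICAL if any metric >= crit, WARNING if any metric >= warn,
    UNKNOWN if the output carries no parsable perfdata at all.
    """
    perf = parse_perfdata(output)
    if not perf:
        return UNKNOWN, "UNKNOWN - no perfdata in plugin output"
    crit_hits = sorted(k for k, v in perf.items() if v >= crit)
    warn_hits = sorted(k for k, v in perf.items() if warn <= v < crit)
    if crit_hits:
        state, detail = CRITICAL, "critical: " + ", ".join(crit_hits)
    elif warn_hits:
        state, detail = WARNING, "warning: " + ", ".join(warn_hits)
    else:
        state, detail = OK, "all %d metrics below %s" % (len(perf), warn)
    return state, "%s - %s" % (STATE_NAME[state], detail)


if __name__ == "__main__":
    # Constructed thresholds: alert at 85% / 95% index key fill.
    code, line = evaluate(INDEX_OUTPUT, warn=85, crit=95)
    print(line)
    sys.exit(code)
```

In a real deployment the wrapper would read the remote script's output (for example from check_by_ssh) instead of the embedded sample strings.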