Imunify360: OSSEC and system events in the Incidents tab

Issue

• I see this through "Events & incidents lookup"
  

  Jul 14 03:40:36 vps spamd[167527]: spamd: server killed by SIGTERM, shutting down

  Why is spamd killed and how can I whitelist this process?
  
  
• I am getting the following incidents:

  Oct 3 12:20:17 ns3 kernel: Memory cgroup out of memory: Kill process 1624557 (lsphp) score 172 or sacrifice child

• In the UI the issue could look as follows:

or

Applies to

• Imunify360
• OSSEC

Resolution

Imunify360 uses OSSEC as a source of system events. OSSEC parses a lot of system logs and they are shown in the Incidents tab in the Imunify360 UI.
By default, system events with low severity have the following log levels:

• 04 – System low priority error
• 03 – Successful/Authorized events

Additional information about log levels:

• https://docs.imunify360.com/dashboard/#incidents-logging
• https://www.ossec.net/docs/manual/rules-decoders/rule-levels.html 

So, this means that OSSEC shows events that happened on your server and that have a "notification" status for the server administrator.

In case you consider it necessary to check them, you can get more details about these events by checking the system logs and find relevant events on them.

Also, you can adjust the Log Level and set the desirable gradation scale (from 1 to 15) in the Imunify360 Settings, as described here: https://docs.imunify360.com/dashboard/#incidents-logging.