I've broken this out into a separate thread. I'd really like to get this working, but I've had no luck yet. I've upgraded my manager to 2.5.1 and one Linux client and one Windows client to 2.5.1, and in the logs for each agent there is now this:

    2010/10/14 16:24:10 ossec-agent: INFO: Monitoring full output of command(360): netstat -an | find "LISTEN"

and

    2010/10/14 15:58:35 ossec-logcollector: INFO: Monitoring full output of command( 360): netstat -tan |grep LISTEN|grep -v 127.0.0.1

But unfortunately, I am not receiving any alerts when open ports change. Here's the rule I have set up on the manager in local rules:

    <rule id="105000" level="7">
      <if_sid>530</if_sid>
      <match>ossec: output: 'netstat</match>
      <check_diff />
      <description>Listening ports have changed.</description>
    </rule>

There is also nothing in the queue/diff directory on my manager.

How often is the command supposed to be run on an agent? I.e., how long after the open ports change should I expect an alert? Why is this not working? I don't even seem to get any rule 530 firing off. Both manager and agents have been restarted.
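To make concrete what the rule above is waiting for, here is an added example (written for this page, not code from the poster or from OSSEC itself) that emulates the full_command plus check_diff behaviour: it parses events whose text starts with "ossec: output: '<command>':" (the prefix the rule's match string presumes), keeps the last output per command in a state directory standing in for queue/diff, and reports only when the output differs from the stored copy. The 360 in the logcollector message is the configured frequency in seconds, so the emulation treats each call to check() as one such run. The sample netstat lines, the one-file-per-command layout and the "first sight records a baseline, no alert" choice are all assumptions of this example.

```python
import hashlib
import os
import re
import tempfile

# Constructed sample events, formatted the way a full_command event is
# reported: a first line "ossec: output: '<command>':" followed by the
# raw command output. The port lists below are made up for this example.
COMMAND = "netstat -tan |grep LISTEN|grep -v 127.0.0.1"
NEW_PORT_LINE = "tcp 0 0 0.0.0.0:4444 0.0.0.0:* LISTEN"


def make_event(command, lines):
    """Build one full_command event string from a command and its output lines."""
    return "ossec: output: '%s':\n%s" % (command, "\n".join(lines))


BASELINE = make_event(COMMAND, [
    "tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN",
    "tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN",
])
CHANGED = make_event(COMMAND, [
    "tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN",
    "tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN",
    NEW_PORT_LINE,
])

EVENT_RE = re.compile(r"^ossec: output: '(?P<cmd>[^']*)':\n?(?P<body>.*)\Z", re.S)


def parse_event(raw):
    """Split a full_command event into (command, output body); reject anything else."""
    m = EVENT_RE.match(raw)
    if m is None:
        raise ValueError("not a full_command event: %r" % raw[:40])
    return m.group("cmd"), m.group("body")


class DiffStore:
    """Last known output per command, one file per command under state_dir.
    This is an emulation of the manager's queue/diff idea, not its real layout."""

    def __init__(self, state_dir):
        self.state_dir = state_dir
        os.makedirs(state_dir, exist_ok=True)

    def _path(self, command):
        return os.path.join(self.state_dir,
                            hashlib.sha1(command.encode()).hexdigest())

    def check(self, raw_event):
        """Return None when the output is unchanged (or seen for the first time),
        otherwise a dict naming the command and the added and removed lines."""
        command, body = parse_event(raw_event)
        path = self._path(command)
        current = [l for l in body.splitlines() if l.strip()]
        if not os.path.exists(path):
            # First sight: record the baseline only; there is nothing to compare yet.
            with open(path, "w") as fh:
                fh.write("\n".join(current))
            return None
        with open(path) as fh:
            previous = [l for l in fh.read().splitlines() if l.strip()]
        if previous == current:
            return None
        with open(path, "w") as fh:
            fh.write("\n".join(current))
        return {
            "command": command,
            "added": sorted(set(current) - set(previous)),
            "removed": sorted(set(previous) - set(current)),
        }


def run_demo():
    """Feed baseline, a change, then the same change again through a fresh store.
    Returns the three results: None, an alert dict, None."""
    store = DiffStore(tempfile.mkdtemp(prefix="ossec-diff-demo-"))
    return [store.check(BASELINE), store.check(CHANGED), store.check(CHANGED)]


if __name__ == "__main__":
    for run, result in enumerate(run_demo(), 1):
        print("run %d: %s" % (run, "no change" if result is None
                              else "ALERT %r" % result))
```

Running it shows the three states the poster is asking about: the first run only seeds the stored copy, the second run (port 4444 appearing) is the one that would produce the level-7 alert, and the third run is silent again because the stored copy now matches. If the real manager never writes anything under queue/diff, the events are not reaching the point where this comparison happens at all, which is consistent with rule 530 never firing.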
