Some more information on the problem.

Ok, I've turned on debugging and the command is definitely running, and output 
is being written to the agent log file.  However, it either doesn't appear to 
be making it to the server or the server is ignoring it.

I've turned up logging on the server too, but don't see anything in the 
ossec.log file related to my agents sending the netstat data to the server.

PS: Running a command on Windows 2000 doesn't work; it gives an error in the 
ossec.log and the service stops.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Jefferson, Shawn
Sent: Friday, October 15, 2010 10:07 AM
To: [email protected]
Subject: [ossec-list] Checking Open Ports

I've broken this out into a separate thread.  I'd really like to get this 
working, but I've had no luck yet.  I've upgraded my manager to 2.5.1 and one 
Linux client and one Windows client to 2.5.1, and in the logs for each agent 
there is now this:

2010/10/14 16:24:10 ossec-agent: INFO: Monitoring full output of command(360): netstat -an | find "LISTEN"

and

2010/10/14 15:58:35 ossec-logcollector: INFO: Monitoring full output of command(360): netstat -tan |grep LISTEN|grep -v 127.0.0.1

But unfortunately, I am not receiving any alerts when open ports change.  
Here's the rule I have set up on the manager in local rules:

<rule id="105000" level="7">
  <if_sid>530</if_sid>
  <match>ossec: output: 'netstat</match>
  <check_diff />
  <description>Listening ports have changed.</description>
</rule>

There is also nothing in the queue/diff directory on my manager.

How often is the command supposed to be run on an agent?  I.e., how long after 
the open ports change should I expect an alert?

Why is this not working?  I don't even seem to get any rule 530 firing off.  
Both manager and agents have been restarted.
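The rule above relies on the manager's check_diff behaviour: the first output of a full_command event is only stored as a baseline, and an alert is raised only when a later output for the same agent and command differs. The following is an added example (not OSSEC code and not from the thread) that emulates that logic over constructed events; it assumes the event line shape `ossec: output: '<command>': <output>` that rule 530 matches.

```python
"""Emulate OSSEC's <check_diff /> for full_command events (added example).

Assumed event shape, as seen by rule 530 on the manager:
    ossec: output: '<command>': <output lines>
"""
import difflib
import re

# Assumed shape of a full_command event arriving at the manager.
EVENT_RE = re.compile(r"^ossec: output: '(?P<cmd>[^']+)': ?(?P<out>.*)$", re.S)


class CheckDiff:
    """Keep the last output per (agent, command); alert only when it changes."""

    def __init__(self):
        self.last = {}  # (agent, command) -> previously seen output

    def feed(self, agent, line):
        """Return an alert dict if the output differs from the stored one, else None.

        The first observation only records the baseline, which is why a freshly
        restarted manager with an empty queue/diff stays silent until the
        listening ports actually change between two runs of the command."""
        m = EVENT_RE.match(line)
        if not m:
            return None  # not a command event, so rule 530 would not fire either
        key = (agent, m.group("cmd"))
        out = m.group("out")
        prev = self.last.get(key)
        self.last[key] = out
        if prev is None or prev == out:
            return None
        diff = list(difflib.unified_diff(prev.splitlines(), out.splitlines(),
                                         lineterm="", n=0))
        return {"rule": 105000, "level": 7, "agent": agent, "command": key[1],
                "description": "Listening ports have changed.", "diff": diff}


# Constructed sample outputs for one Linux agent running the thread's command.
CMD = "netstat -tan |grep LISTEN|grep -v 127.0.0.1"
BASELINE = "tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN"
CHANGED = BASELINE + "\ntcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN"


def run_demo():
    """Feed four consecutive command outputs; only the third one should alert."""
    cd = CheckDiff()
    events = [BASELINE, BASELINE, CHANGED, CHANGED]
    return [cd.feed("linux01", f"ossec: output: '{CMD}': {e}") for e in events]


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```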
