It's available in 2.5.1. You can try the logall option, it might help. Make sure your listening ports are changing too.
-----Original Message-----
From: Jefferson, Shawn
Sent: 10/16/2010 12:40:21 PM
Subject: Re: [ossec-list] RE: Checking Open Ports

Look very similar to mine. I put a rule for 530 in my local rules with an alert level of 7 and overwrite yes, and do not receive any alerts for 530. This makes me think that either the message is not getting to the server or not being decoded. Is there some debug I can turn on to see all the messages being received by the server to further troubleshoot this?

The documentation mentions that this is available in the latest snapshot. Is that outdated? Is it available in 2.5.1?

Thanks for your help so far!

----- Original Message -----
From: [email protected] <[email protected]>
To: [email protected] <[email protected]>
Sent: Fri Oct 15 18:34:29 2010
Subject: Re: [ossec-list] RE: Checking Open Ports

On Fri, Oct 15, 2010 at 6:13 PM, Jefferson, Shawn <[email protected]> wrote:
> I don't, not a single one. Can you point me in the right direction to figure
> out why not?
>

The only thing I can think of doing is providing my configurations.

From ossec.conf on the manager:

<localfile>
  <log_format>full_command</log_format>
  <command>netstat -tan |grep LISTEN | grep -v '127.0.0.1'</command>
</localfile>

From agent.conf:

<localfile>
  <log_format>full_command</log_format>
  <command>netstat -tan |grep LISTEN | grep -v '127.0.0.1'</command>
</localfile>

In local_rules.xml:

<!--OTHER RULES 51000+-->
<rule id="510000" level="7">
  <if_sid>530</if_sid>
  <match>ossec: output: 'netstat -tan |grep LISTEN</match>
  <check_diff />
  <description>Listened ports have changed.</description>
</rule>
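Added example, not part of the thread and not OSSEC code: a check_diff rule only has something to alert on when the command output differs from the previous run, so one troubleshooting step is to confirm that the filtered netstat output really changes between two runs. The sketch below applies the same filter as the command in the configurations above to two constructed netstat snapshots; the function names and sample output are assumptions made for illustration.

```python
import re

# Constructed sample `netstat -tan` output (not taken from the thread).
BEFORE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51514          ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
"""
# Second constructed snapshot: one new non-loopback listener appears.
AFTER = BEFORE + "tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN\n"


def listening(netstat_output):
    """Mirror the pipeline: grep LISTEN | grep -v '127.0.0.1' (dots are regex wildcards)."""
    return [line for line in netstat_output.splitlines()
            if re.search("LISTEN", line) and not re.search("127.0.0.1", line)]


def local_sockets(netstat_output):
    """Set of (protocol, local address) pairs for the filtered listeners."""
    return {(fields[0], fields[3])
            for fields in map(str.split, listening(netstat_output))}


def compare(previous, current):
    """Return (changed, added, removed) between two runs of the command.

    `changed` compares the filtered text itself, since a diff-based rule
    sees the output as text; added/removed are a readable summary.
    """
    changed = listening(previous) != listening(current)
    before, after = local_sockets(previous), local_sockets(current)
    return changed, sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    for label, (prev, curr) in {"same": (BEFORE, BEFORE),
                                "new listener": (BEFORE, AFTER)}.items():
        changed, added, removed = compare(prev, curr)
        print(f"{label}: changed={changed} added={added} removed={removed}")
```

If the filtered output is identical between runs, no diff alert is expected, which is a separate question from whether the command output is reaching the manager at all.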
