On Mon, Oct 18, 2010 at 11:55 AM, Jefferson, Shawn <[email protected]> wrote:
> Hi,
>
> What's the "logall" option? My listening ports are changing on the client(s).
>
> What's the mechanism for getting output of commands from the client to the
> server? I am getting syscheck and rootcheck messages, but apparently not any
> output of command messages (at least not that I've been able to see as of
> yet.)
>
>
In <global> put in the option "<logall>yes</logall>". This will log all messages sent to the server in ossec/logs/archives/archive.log:
http://www.ossec.net/doc/syntax/head_ossec_config.reports.html

The output should go to the server normally if set up in a <localfile> configuration.

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of [email protected]
> Sent: Saturday, October 16, 2010 10:32 AM
> To: [email protected]
> Subject: RE: [ossec-list] Checking Open Ports
>
> It's available in 2.5.1.
> You can try the logall option, it might help.
> Make sure your listening ports are changing too.
>
>
> -----Original Message-----
> From: Jefferson, Shawn
> Sent: 10/16/2010 12:40:21 PM
> Subject: Re: [ossec-list] RE: Checking Open Ports
>
> Looks very similar to mine.
>
> I put a rule for 530 in my local rules with an alert level of 7 and overwrite
> yes, and do not receive any alerts for 530.
>
> This makes me think that either the message is not getting to the server or
> not being decoded. Is there some debug I can turn on to see all the messages
> being received by the server to further troubleshoot this?
>
> The documentation mentions that this is available in the latest snapshot. Is
> that outdated? Is it available in 2.5.1?
>
> Thanks for your help so far!
>
>
> ----- Original Message -----
> From: [email protected] <[email protected]>
> To: [email protected] <[email protected]>
> Sent: Fri Oct 15 18:34:29 2010
> Subject: Re: [ossec-list] RE: Checking Open Ports
>
> On Fri, Oct 15, 2010 at 6:13 PM, Jefferson, Shawn
> <[email protected]> wrote:
>> I don't, not a single one. Can you point me in the right direction to
>> figure out why not?
>>
>
> The only thing I can think of doing is providing my configurations.
> From ossec.conf on the manager:
>
>   <localfile>
>     <log_format>full_command</log_format>
>     <command>netstat -tan |grep LISTEN | grep -v '127.0.0.1'</command>
>   </localfile>
>
>
> From agent.conf:
>
>   <localfile>
>     <log_format>full_command</log_format>
>     <command>netstat -tan |grep LISTEN | grep -v '127.0.0.1'</command>
>   </localfile>
>
> In local_rules.xml:
>
>   <!--OTHER RULES 51000+-->
>   <rule id="510000" level="7">
>     <if_sid>530</if_sid>
>     <match>ossec: output: 'netstat -tan |grep LISTEN</match>
>     <check_diff />
>     <description>Listened ports have changed.</description>
>   </rule>
>
>
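To make the moving parts of this setup concrete, here is an added example (not OSSEC's code and not from anyone in this thread) that emulates, in Python, what the configuration above is meant to do end to end: the grep pipeline from the <command> string, the framing of the output as the "ossec: output: '<command>':" message that rule 530 and the <match> above key on, and a <check_diff /> rule that only fires when the output differs from the last one stored for the same agent. The netstat samples, the agent name "web01" and the exact message framing are assumptions constructed for the example; the rule id, level, match string and description are taken from the quoted local_rules.xml. Rather than diffing raw text, it reports which listening sockets were added or removed, which is what an analyst actually wants in the alert.

```python
"""Emulation of an OSSEC full_command localfile feeding a check_diff rule.

Added example; not OSSEC's own code. The netstat samples, the agent name and
the exact message framing below are constructed assumptions for this demo.
"""

# The command from the thread's <localfile> block.
COMMAND = "netstat -tan |grep LISTEN | grep -v '127.0.0.1'"

# Constructed netstat -tan samples (not captured from a real host).
NETSTAT_RUN1 = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
"""

# Same host, one run later, with a new non-loopback listener on 4444.
NETSTAT_RUN2 = NETSTAT_RUN1 + (
    "tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN\n")


def filter_listening(netstat_output):
    """Apply the same filtering as the grep pipeline in COMMAND:
    keep lines containing LISTEN and drop anything bound to 127.0.0.1."""
    return [line for line in netstat_output.splitlines()
            if "LISTEN" in line and "127.0.0.1" not in line]


def build_ossec_message(command, output_lines):
    """Frame the output the way a full_command localfile sends it to the server.
    Assumption: a first line "ossec: output: '<command>':" followed by the raw
    output. This prefix is what rule 530 and the thread's <match> key on, and
    it is what you would expect to see in archives.log with <logall>yes</logall>."""
    return "ossec: output: '%s':\n%s" % (command, "\n".join(output_lines))


def parse_sockets(message):
    """Extract (proto, local address) pairs from the message body so the diff
    reports sockets rather than raw text lines. The framing line is skipped."""
    body = message.split("\n", 1)[1] if "\n" in message else ""
    sockets = set()
    for line in body.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[-1] == "LISTEN":
            sockets.add((fields[0], fields[3]))
    return sockets


class CheckDiffRule:
    """Emulates the <check_diff /> rule option: the rule fires only when the
    matched message differs from the last one stored for the same agent.
    Design choice here (not a claim about OSSEC internals): the first message
    from an agent only seeds the baseline and does not fire."""

    def __init__(self, rule_id, level, match, description):
        self.rule_id = rule_id
        self.level = level
        self.match = match
        self.description = description
        self._last = {}  # agent name -> last message seen

    def evaluate(self, agent, message):
        if self.match not in message:
            return None  # <match> did not hit; the rule is not considered
        previous = self._last.get(agent)
        self._last[agent] = message
        if previous is None or previous == message:
            return None  # baseline run, or unchanged output
        before, after = parse_sockets(previous), parse_sockets(message)
        return {
            "rule_id": self.rule_id,
            "level": self.level,
            "agent": agent,
            "description": self.description,
            "added": sorted(after - before),
            "removed": sorted(before - after),
        }


def run_demo():
    """Feed four successive command runs through the rule; return alerts raised.
    Expected: one alert when 4444 appears, none while it stays, one when it goes."""
    rule = CheckDiffRule(rule_id="510000", level=7,
                         match="ossec: output: 'netstat -tan |grep LISTEN",
                         description="Listened ports have changed.")
    alerts = []
    for raw in (NETSTAT_RUN1, NETSTAT_RUN2, NETSTAT_RUN2, NETSTAT_RUN1):
        msg = build_ossec_message(COMMAND, filter_listening(raw))
        alert = rule.evaluate("web01", msg)  # "web01" is a constructed agent name
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print("Rule %s (level %d) on %s: %s added=%s removed=%s" % (
            a["rule_id"], a["level"], a["agent"], a["description"],
            a["added"], a["removed"]))
```

The two places this emulation can diverge from a real deployment are exactly the two the thread is troubleshooting: whether the "ossec: output: '...'" message reaches the server at all (which archives.log with logall answers), and whether the <match> string really is a substring of that message as framed by the agent (if the framing differs, the check_diff rule is never evaluated and no alert can fire).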
