I would check on the server side for the creation of the diff entry:

/var/ossec/queue/diff/[hostname]/[rule number]/last-entry

If it's there, then the rule has triggered.

-Reggie

On Oct 15, 4:24 pm, "Jefferson, Shawn" <[email protected]> wrote:
> Some more information on the problem.
>
> OK, I've turned on debugging and the command is definitely running, and
> output is being written to the agent log file. However, it either doesn't
> appear to be making it to the server or the server is ignoring it.
>
> I've turned up logging on the server too, but don't see anything in the
> ossec.log file related to my agents sending the netstat data to the server.
>
> PS. Running a command on Windows 2000 doesn't work; it gives an error in the
> ossec.log and the service stops.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Jefferson, Shawn
> Sent: Friday, October 15, 2010 10:07 AM
> To: [email protected]
> Subject: [ossec-list] Checking Open Ports
>
> I've broken this out into a separate thread. I'd really like to get this
> working, but I've had no luck yet. I've upgraded my manager to 2.5.1 and one
> Linux client and one Windows client to 2.5.1, and in the logs for each agent
> there is now this:
>
> 2010/10/14 16:24:10 ossec-agent: INFO: Monitoring full output of
> command(360): netstat -an | find "LISTEN"
>
> and
>
> 2010/10/14 15:58:35 ossec-logcollector: INFO: Monitoring full output of
> command(360): netstat -tan |grep LISTEN|grep -v 127.0.0.1
>
> But unfortunately, I am not receiving any alerts when open ports change.
> Here's the rule I have set up on the manager in local rules:
>
> <rule id="105000" level="7">
>   <if_sid>530</if_sid>
>   <match>ossec: output: 'netstat</match>
>   <check_diff />
>   <description>Listening ports have changed.</description>
> </rule>
>
> There is also nothing in the queue/diff directory on my manager.
>
> How often is the command supposed to be run on an agent? I.e., how long after
> the open ports change should I expect an alert?
>
> Why is this not working? I don't even seem to get any rule 530 firing off.
> Both manager and agents have been restarted.
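As an added illustration, not code from this thread or from OSSEC itself, the following Python simulates what the manager-side check_diff step does as Reggie describes it: the full command output for a given agent and rule is kept under queue/diff/<hostname>/<rule id>/last-entry, and the rule fires only when a later output differs from what is stored. The hostname "web01", the sample netstat outputs and the assumption that the first sighting only stores the output without alerting are assumptions made for this example; the queue directory is a throwaway temp dir so it runs anywhere.

```python
import os
import tempfile

# Constructed sample events in the shape the agent forwards for a monitored
# command (the "ossec: output: '...'" prefix the rule's <match> looks for).
# These are not real data from the thread.
NETSTAT_RUN_1 = (
    "ossec: output: 'netstat -tan |grep LISTEN|grep -v 127.0.0.1':\n"
    "tcp  0  0 0.0.0.0:22  0.0.0.0:*  LISTEN\n"
    "tcp  0  0 0.0.0.0:80  0.0.0.0:*  LISTEN\n"
)
# Identical listening set as run 1: must not alert.
NETSTAT_RUN_2 = NETSTAT_RUN_1
# A new listener on 8080 appears: should alert.
NETSTAT_RUN_3 = NETSTAT_RUN_1 + "tcp  0  0 0.0.0.0:8080  0.0.0.0:*  LISTEN\n"

RULE_ID = 105000                          # rule id from the posted local rule
RULE_MATCH = "ossec: output: 'netstat"    # the <match> string from that rule


def last_entry_path(queue_dir, hostname, rule_id):
    """Where the simulated manager keeps the previous output for this rule."""
    return os.path.join(queue_dir, "diff", hostname, str(rule_id), "last-entry")


def rule_matches(event):
    """<match> is a plain substring test, so mimic it with a substring check."""
    return RULE_MATCH in event


def check_diff(queue_dir, hostname, rule_id, event):
    """Simulated <check_diff />.

    Returns True when the event differs from the stored last-entry and
    updates the stored copy. Assumption for this example: the first time
    the rule sees output it only records it and does not alert.
    """
    path = last_entry_path(queue_dir, hostname, rule_id)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    if not os.path.exists(path):
        with open(path, "w") as fh:
            fh.write(event)
        return False
    with open(path) as fh:
        previous = fh.read()
    if previous == event:
        return False
    with open(path, "w") as fh:
        fh.write(event)
    return True


def evaluate(queue_dir, hostname, event):
    """Run the posted rule against one event; True means it would alert."""
    if not rule_matches(event):
        return False
    return check_diff(queue_dir, hostname, RULE_ID, event)


def demo(hostname="web01"):
    """Feed three runs through the simulated rule; return (alerts, last-entry)."""
    queue_dir = tempfile.mkdtemp(prefix="ossec-queue-")
    results = [evaluate(queue_dir, hostname, e)
               for e in (NETSTAT_RUN_1, NETSTAT_RUN_2, NETSTAT_RUN_3)]
    with open(last_entry_path(queue_dir, hostname, RULE_ID)) as fh:
        stored = fh.read()
    return results, stored


if __name__ == "__main__":
    alerts, stored = demo()
    print("alert per run:", alerts)
    print("last-entry now holds:\n" + stored)
```

The point of the simulation is the diagnostic Reggie gives: the last-entry file is only ever written once the matching event reaches the rule on the manager. If that path never appears under queue/diff, the output is not getting as far as check_diff, which is consistent with rule 530 never firing in the thread, so the place to look is whether the agent's command output is arriving at the manager at all rather than the local rule itself.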
