I was looking to see if anything was trying to connect to it. You could run on the server:
tcpdump -ni eth0 port 1514

to see if you see the other systems trying to talk to the server.

On Thu, Dec 2, 2010 at 20:10, <[email protected]> wrote:
>> Can you show the logs from the server please.
>
> Sure, but I have it running in debug mode, so it's pretty verbose. The last
> page is shown below, but if you want me to search for a specific pattern,
> please let me know.
>
> Thanks,
> Scott
>
>
> 2010/12/02 08:57:16 Pattern == "r:^Fedora && r:release 1"
> 2010/12/02 08:57:16 pt_result == 0 and full_negate == 0
> 2010/12/02 08:57:16 checking file: /etc/fedora-release
> 2010/12/02 08:57:16 starting new file: /etc/fedora-release
> 2010/12/02 08:57:16 pattern: ^Fedora matches Fedora release 9 (Sulphur).
> 2010/12/02 08:57:16 Buf == "Fedora release 9 (Sulphur)"
> 2010/12/02 08:57:16 Pattern == "r:^Fedora && r:release 2"
> 2010/12/02 08:57:16 pt_result == 0 and full_negate == 0
> 2010/12/02 08:57:16 checking file: /etc/fedora-release
> 2010/12/02 08:57:16 starting new file: /etc/fedora-release
> 2010/12/02 08:57:16 pattern: ^Fedora matches Fedora release 9 (Sulphur).
> 2010/12/02 08:57:16 Buf == "Fedora release 9 (Sulphur)"
> 2010/12/02 08:57:16 Pattern == "r:^Fedora && r:release 3"
> 2010/12/02 08:57:16 pt_result == 0 and full_negate == 0
> 2010/12/02 08:57:16 checking file: /etc/fedora-release
> 2010/12/02 08:57:16 starting new file: /etc/fedora-release
> 2010/12/02 08:57:16 pattern: ^Fedora matches Fedora release 9 (Sulphur).
> 2010/12/02 08:57:16 Buf == "Fedora release 9 (Sulphur)"
> 2010/12/02 08:57:16 Pattern == "r:^Fedora && r:release 4"
> 2010/12/02 08:57:16 pt_result == 0 and full_negate == 0
> 2010/12/02 08:57:16 checking file: /etc/fedora-release
> 2010/12/02 08:57:16 starting new file: /etc/fedora-release
> 2010/12/02 08:57:16 pattern: ^Fedora matches Fedora release 9 (Sulphur).
> 2010/12/02 08:57:16 Buf == "Fedora release 9 (Sulphur)"
> 2010/12/02 08:57:16 Pattern == "r:^Fedora && r:release 5"
> 2010/12/02 08:57:16 pt_result == 0 and full_negate == 0
> 2010/12/02 08:57:16 ossec-rootcheck: DEBUG: Starting on check_rc_unixaudit
> 2010/12/02 08:57:16 checking file: /etc/redhat-release
> 2010/12/02 08:57:16 starting new file: /etc/redhat-release
> 2010/12/02 08:57:16 Buf == "Fedora release 9 (Sulphur)"
> 2010/12/02 08:57:16 Pattern == "r:^Red Hat Enterprise Linux \S+ release 5"
> 2010/12/02 08:57:16 pt_result == 0 and full_negate == 0
> 2010/12/02 08:57:16 checking file: /etc/redhat-release
> 2010/12/02 08:57:16 starting new file: /etc/redhat-release
> 2010/12/02 08:57:16 Buf == "Fedora release 9 (Sulphur)"
> 2010/12/02 08:57:16 Pattern == "r:^CentOS && r:release 5.2"
> 2010/12/02 08:57:16 pt_result == 0 and full_negate == 0
> 2010/12/02 08:57:16 ossec-rootcheck: DEBUG: Going into check_rc_dev
> 2010/12/02 08:57:16 ossec-rootcheck: DEBUG: Starting on check_rc_dev
> 2010/12/02 08:57:16 ossec-rootcheck: DEBUG: Going into check_rc_sys
> 2010/12/02 08:57:16 ossec-rootcheck: DEBUG: Starting on check_rc_sys
> 2010/12/02 08:58:27 ossec-rootcheck: DEBUG: Going into check_rc_pids
> 2010/12/02 09:16:43 ossec-rootcheck: DEBUG: Going into check_rc_ports
> 2010/12/02 09:17:07 ossec-rootcheck: DEBUG: Going into check_open_ports
> 2010/12/02 09:17:07 ossec-rootcheck: DEBUG: Going into check_rc_if
> 2010/12/02 09:17:07 ossec-rootcheck: DEBUG: Completed with all checks.
> 2010/12/02 09:17:12 ossec-rootcheck: INFO: Ending rootcheck scan.
> 2010/12/02 09:17:12 ossec-rootcheck: DEBUG: Leaving run_rk_check
>
>
> I tried the following greps:
>
> [r...@ackbar logs]# cat ossec.log | grep -i skywarp
> [r...@ackbar logs]# cat ossec.log | grep -i wombat
> [r...@ackbar logs]# cat ossec.log | grep -i agent
> 2010/12/02 07:54:02 Buf == "; user_agent="PHP""
> 2010/12/02 07:54:02 Buf == "; Define the User-Agent string"
> 2010/12/02 07:54:02 Buf == "; user_agent="PHP""
> 2010/12/02 08:57:09 Buf == "; Define the User-Agent string"
> 2010/12/02 08:57:09 Buf == "; user_agent="PHP""
> 2010/12/02 08:57:09 Buf == "; Define the User-Agent string"
> 2010/12/02 08:57:09 Buf == "; user_agent="PHP""
>
> --
> Registered Linux User # 379282
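One way to turn the tcpdump check suggested above into something you can act on, as an added example that is not part of the original thread or of OSSEC itself: feed the text output of `tcpdump -ni eth0 port 1514` to a small parser and compare the source addresses against the agents you expect. It separates "the agent never sends anything" (a client-side or firewall problem) from "datagrams arrive but the server never answers" (worth checking ossec-remoted and the agent's key) and also flags addresses that talk to port 1514 without being a registered agent. The agent-to-IP mapping, the capture lines and the hostnames `agent3` and the addresses in the 192.0.2.0/24 range are all constructed for illustration; `skywarp` and `wombat` are simply the names grepped for in the thread.

```python
"""Summarise OSSEC agent traffic seen by `tcpdump -ni eth0 port 1514`.

Added example, not code from the thread or from OSSEC. With -n tcpdump
prints numeric addresses, so a UDP line looks like:

  20:10:01.000001 IP 192.0.2.10.34567 > 192.0.2.1.1514: UDP, length 97

OSSEC agents send to UDP 1514 on the server by default and the server
replies from that port, so the destination port tells us direction.
"""
import re
from collections import Counter

# Matches the src/dst host.port pairs of a tcpdump -n UDP line.  The lazy
# \S+? lets the last ".digits" before the whitespace be the port, which
# also works for IPv6 addresses printed as 2001:db8::1.34567.
LINE_RE = re.compile(
    r"^\S+\s+IP6?\s+(?P<src>\S+?)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+?)\.(?P<dport>\d+):\s+UDP,\s+length\s+(?P<len>\d+)"
)

# Constructed capture: one agent with two-way traffic, one agent whose
# datagrams are never answered, and one unexpected host probing the port.
SAMPLE_CAPTURE = """\
20:10:01.000001 IP 192.0.2.10.34567 > 192.0.2.1.1514: UDP, length 97
20:10:01.000400 IP 192.0.2.1.1514 > 192.0.2.10.34567: UDP, length 73
20:10:03.000001 IP 192.0.2.11.41000 > 192.0.2.1.1514: UDP, length 97
20:10:04.000001 IP 192.0.2.11.41000 > 192.0.2.1.1514: UDP, length 97
20:10:05.000001 IP 192.0.2.99.50000 > 192.0.2.1.1514: UDP, length 60
"""

# Constructed agent inventory (name -> address the server should see).
EXPECTED_AGENTS = {
    "skywarp": "192.0.2.10",
    "wombat": "192.0.2.11",
    "agent3": "192.0.2.12",
}


def summarize(lines, server_port=1514):
    """Count datagrams per peer address in each direction.

    Returns (to_server, from_server): agent address -> datagram count.
    Lines that are not UDP records (tcpdump banners, TCP, ARP) are skipped.
    """
    to_server = Counter()
    from_server = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if int(m["dport"]) == server_port:
            to_server[m["src"]] += 1
        elif int(m["sport"]) == server_port:
            from_server[m["dst"]] += 1
    return to_server, from_server


def agent_status(expected, to_server, from_server):
    """Classify each expected agent as silent, unanswered or talking.

    silent     - nothing from that address reached the server interface
    unanswered - agent datagrams arrived but the server sent nothing back
    talking    - traffic in both directions
    """
    status = {}
    for name, addr in expected.items():
        if to_server.get(addr, 0) == 0:
            status[name] = "silent"
        elif from_server.get(addr, 0) == 0:
            status[name] = "unanswered"
        else:
            status[name] = "talking"
    return status


def unexpected_sources(expected, to_server):
    """Addresses sending to the server port that are not registered agents."""
    known = set(expected.values())
    return sorted(addr for addr in to_server if addr not in known)


if __name__ == "__main__":
    to_srv, from_srv = summarize(SAMPLE_CAPTURE.splitlines())
    for name, state in agent_status(EXPECTED_AGENTS, to_srv, from_srv).items():
        print(f"{name:10s} {state}")
    for addr in unexpected_sources(EXPECTED_AGENTS, to_srv):
        print(f"unexpected sender: {addr} ({to_srv[addr]} datagrams)")
```

To use it on a real capture, run `tcpdump -ni eth0 port 1514 -l | python3 thisfile.py` style, or save the capture to a file and pass its lines to `summarize()`; only the regex and the inventory need to match your environment. An "unanswered" agent is the case the thread is chasing: the packets do reach the server, so the problem is on the server side rather than in the network.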
