Sorry I wasn't more precise; I meant the full_command support.

Example:
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -an |grep LISTEN | grep -v '127.0.0.1'</command>
    <frequency>600</frequency>
    <alias>netstat</alias>
  </localfile>


On Wed, Jun 15, 2011 at 6:12 PM, Jeremy Lee <[email protected]> wrote:
> Are you referring to agent_control to kick off syscheck/rootcheck?
>
>
> I'm also trying to play around with the actual rootcheck binary
> (./ossec-rootcheck) to accomplish the same thing; I seem to be having issues
> getting it to recognize the test file I'm working with. I'll have to play
> with it more.
>
> On Wed, Jun 15, 2011 at 12:37 PM, dan (ddp) <[email protected]> wrote:
>>
>> You could use a command for this, and run it as often as you like.
>>
>> On Wed, Jun 15, 2011 at 12:46 PM, jplee3 <[email protected]> wrote:
>> > Hey guys,
>> >
>> > So I am researching something for our sysengs working on HPUX. We need
>> > to be able to audit a particular configuration file (or more) where a
>> > debugging flag can be added (which in turn would begin outputting
>> > files containing sensitive data to another directory on the system).
>> >
>> > Essentially, we want to be alerted if this debugging flag is ever
>> > turned on.
>> >
>> > The first thought was if there is an audit tool equivalent for HPUX
>> > (auditd or snoopy) but the syseng mentioned not as far as he knows, so
>> > that's not an immediate option.
>> >
>> > Is it possible to use OSSEC for this purpose? The only thing I can
>> > think of is using syscheck, with the 'report changes' option on, and
>> > then sending out an alert whenever the "debug" keyword is seen. But
>> > I'm not sure that would even be possible.
>> >
>> >
>> > Can anyone shed some light or offer suggestions?
>> >
>
>
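
An added example, not part of the original thread: a POSIX shell check that a `<command>` entry like the one above could run to report whether a debug flag is enabled in a configuration file, emitting one stable line for a rule to match on. The `key = value` file format with `#` comments, the key name `debug`, and the values treated as "on" are assumptions, since the thread does not name the file or the flag.

```shell
#!/bin/sh
# Added example; the config format, key name and "on" values are assumptions.
#
# check_debug_flag FILE [KEY]
# Prints a single status line and returns:
#   0 = flag off or absent, 1 = flag on, 2 = file unreadable
check_debug_flag() {
    file=$1
    key=${2:-debug}

    # An unreadable file is reported explicitly so that a removed or
    # permission-changed config does not look the same as "flag off".
    if [ ! -r "$file" ]; then
        echo "debug_flag=unknown file=$file reason=unreadable"
        return 2
    fi

    # Strip comments, ignore whitespace and case, keep the last assignment
    # of the key. A bare key with no "=" is treated as enabled.
    value=$(sed -e 's/#.*$//' "$file" |
        awk -F= -v k="$key" '
            { key = $1; val = $2
              gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
              if (NF < 2) val = "on"
              if (tolower(key) == tolower(k)) last = tolower(val) }
            END { print last }')

    case $value in
        1|on|yes|true|enabled)
            echo "debug_flag=on file=$file value=$value"
            return 1 ;;
        *)
            echo "debug_flag=off file=$file"
            return 0 ;;
    esac
}

# When invoked with arguments (for example from an OSSEC <command>),
# run the check on the given file.
if [ $# -gt 0 ]; then
    check_debug_flag "$@"
fi
```

Because commented-out lines are dropped before matching, a line such as `# debug = on` does not raise an alert, while `Debug = ON` does.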
