Hello Dan,
Sorry it took some time. For the command I specified, I get about 95 lines
in archives.log (copy-pasted the output into a text editor).
It looks like this:
c:\WINDOWS\system32\cliconfg.exe NT SERVICE\TrustedInstaller:(F)
BUILTIN\Administrators:(RX)
NT AUTHORITY\SYSTEM:(RX)
This is actually the last entry.
So if I change permissions on something after that, let's say ftp.exe
or telnet.exe, the rule (with check_diff) doesn't work.
Thank you
On Dec 20, 2:36 am, "dan (ddp)" <[email protected]> wrote:
> On Mon, Dec 19, 2011 at 6:46 PM, BP9906 <[email protected]> wrote:
> > When I get email alerts for mine, I only get 20 lines back. Seems
> > to be hard-coded.
>
> > As an example, monitoring listening ports:
>
> > ossec: output: 'netstat -anp tcp | find "LISTEN" | find /V
> > "127.0.0.1"':
> > TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
> > TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
> > TCP 0.0.0.0:443 0.0.0.0:0 LISTENING
> > TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
> > TCP 0.0.0.0:513 0.0.0.0:0 LISTENING
> > TCP 0.0.0.0:2201 0.0.0.0:0 LISTENING
> > TCP 0.0.0.0:2481 0.0.0.0:0 LISTENING
> > TCP 0.0.0.0:3588 0.0.0.0:0 LISTENING
> > TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
> > TCP 0.0.0.0:5657 0.0.0.0:0 LISTENING
> > TCP 0.0.0.0:8779 0.0.0.0:0 LISTENING
> > TCP 0.0.0.0:9871 0.0.0.0:0 LISTENING
> > TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING
> > TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING
> > TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING
> > TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING
> > TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING
> > TCP 0.0.0.0:49163 0.0.0.0:0
> > Previous output:
>
> > --END OF NOTIFICATION
>
> How many lines are passed back to the manager? (hint: use log_all)
>
> > On Dec 16, 11:30 am, "dan (ddp)" <[email protected]> wrote:
> >> How many lines do you get back exactly?
>
> >> On Tue, Dec 13, 2011 at 9:05 PM, alsdks <[email protected]> wrote:
> >> > Hello,
>
> >> > I have set up a command to monitor file permissions in Windows (since
> >> > by default OSSEC only supports POSIX). The command, for example, is:
>
> >> > <localfile>
> >> > <log_format>full_command</log_format>
> >> > <command>icacls c:\WINDOWS\system32\*.exe</command>
> >> > <alias>icacls</alias>
> >> > </localfile>
>
> >> > Now the question: is there a limitation on how many lines OSSEC can take
> >> > and process as the output of a command? Because I seem to be getting
> >> > only up to the letter c of the executables located in that dir.
>
> >> > Thank you!
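An added example, not from this thread or from the OSSEC project: a Python script that condenses icacls output of the shape shown above into one line per file, headed by a digest of the whole permission set, so that a check_diff rule which only keeps the first few dozen lines still fires on a change anywhere in the listing. The sample listing is constructed, the function names parse_icacls, summarize and changed_files are chosen here, and it assumes the script would be invoked from the <command> element in place of the raw icacls call.

```python
import hashlib


def _icacls_entry(path: str, aces: list[str]) -> str:
    # Lay out one entry as icacls does: first ACE after the path, the rest in the same column.
    pad = " " * (len(path) + 1)
    return "\n".join([f"{path} {aces[0]}"] + [pad + a for a in aces[1:]])


# Constructed sample data mirroring the thread's system32 listing, not live output.
BASE = ["NT SERVICE\\TrustedInstaller:(F)", "BUILTIN\\Administrators:(RX)", "NT AUTHORITY\\SYSTEM:(RX)"]
SAMPLE_OUTPUT = "\n".join([
    _icacls_entry("c:\\WINDOWS\\system32\\cliconfg.exe", BASE),
    _icacls_entry("c:\\WINDOWS\\system32\\ftp.exe", BASE + ["BUILTIN\\Users:(RX)"]),
    "Successfully processed 2 files; Failed processing 0 files",
])
# The same listing after someone granted Users full control on ftp.exe.
MODIFIED_OUTPUT = SAMPLE_OUTPUT.replace("BUILTIN\\Users:(RX)", "BUILTIN\\Users:(F)")


def parse_icacls(output: str) -> dict[str, list[str]]:
    """Group icacls output into {path: [ace, ...]}. A non-indented line starts a file
    entry, indented lines are its further ACEs. The path/ACE split on the first line
    uses the continuation indent; a single-ACE entry falls back to the first space."""
    blocks: list[list[str]] = []
    for line in output.splitlines():
        if not line.strip() or line.startswith("Successfully processed"):
            continue  # skip blanks and the trailing summary line
        if line[0].isspace() and blocks:
            blocks[-1].append(line)
        else:
            blocks.append([line])
    entries: dict[str, list[str]] = {}
    for first, *rest in blocks:
        col = len(rest[0]) - len(rest[0].lstrip()) if rest else first.find(" ") + 1
        entries[first[:col].rstrip()] = [first[col:].strip()] + [r.strip() for r in rest]
    return entries


def summarize(output: str) -> str:
    """One compact line per file with ACEs sorted, preceded by a digest of the whole
    set, so a check_diff rule that only keeps the first N lines still sees any change."""
    lines = [f"{p} {';'.join(sorted(a))}" for p, a in sorted(parse_icacls(output).items())]
    digest = hashlib.sha256("\n".join(lines).encode("utf-8")).hexdigest()
    return "\n".join([f"sha256 {digest}"] + lines)


def changed_files(before: str, after: str) -> list[str]:
    """Paths whose ACE set differs between two captures (order-insensitive)."""
    b, a = parse_icacls(before), parse_icacls(after)
    return sorted(p for p in set(b) | set(a) if sorted(b.get(p, [])) != sorted(a.get(p, [])))
```

Sorting the ACEs before hashing means a mere reordering of entries does not trigger the rule, only a real permission change does.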