On Tue, Dec 20, 2011 at 11:52 AM, BP9906 <[email protected]> wrote:
> The alerts.log contains both the output and previous output. The email
> does not.
>
> What's the log_all option you refer to? I couldn't find any reference to
> it online.
>

I meant logall. I apparently get those mixed up.

> On Dec 19, 4:36 pm, "dan (ddp)" <[email protected]> wrote:
>> On Mon, Dec 19, 2011 at 6:46 PM, BP9906 <[email protected]> wrote:
>> > When I get email alerts for mine, I only get 20 lines back. Seems
>> > to be hard coded.
>> >
>> > As an example, monitoring listened ports:
>> >
>> > ossec: output: 'netstat -anp tcp | find "LISTEN" | find /V
>> > "127.0.0.1"':
>> > TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
>> > TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
>> > TCP 0.0.0.0:443 0.0.0.0:0 LISTENING
>> > TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
>> > TCP 0.0.0.0:513 0.0.0.0:0 LISTENING
>> > TCP 0.0.0.0:2201 0.0.0.0:0 LISTENING
>> > TCP 0.0.0.0:2481 0.0.0.0:0 LISTENING
>> > TCP 0.0.0.0:3588 0.0.0.0:0 LISTENING
>> > TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
>> > TCP 0.0.0.0:5657 0.0.0.0:0 LISTENING
>> > TCP 0.0.0.0:8779 0.0.0.0:0 LISTENING
>> > TCP 0.0.0.0:9871 0.0.0.0:0 LISTENING
>> > TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING
>> > TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING
>> > TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING
>> > TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING
>> > TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING
>> > TCP 0.0.0.0:49163 0.0.0.0:0
>> > Previous output:
>> >
>> > --END OF NOTIFICATION
>>
>> How many lines are passed back to the manager? (hint: use log_all)
>>
>> > On Dec 16, 11:30 am, "dan (ddp)" <[email protected]> wrote:
>> >> How many lines do you get back exactly?
>> >>
>> >> On Tue, Dec 13, 2011 at 9:05 PM, alsdks <[email protected]> wrote:
>> >> > Hello,
>> >> >
>> >> > I have set up a command to monitor file permissions in Windows (since
>> >> > by default OSSEC only supports POSIX).
>> >> > The command, for example, is:
>> >> >
>> >> > <localfile>
>> >> > <log_format>full_command</log_format>
>> >> > <command>icacls c:\WINDOWS\system32\*.exe</command>
>> >> > <alias>icacls</alias>
>> >> > </localfile>
>> >> >
>> >> > Now the question: is there a limitation on how many lines OSSEC can take
>> >> > and process as the output of a command? Because I seem to be getting
>> >> > only up to letter c of the executables located in that dir.
>> >> >
>> >> > Thank you!
