Kevin, I like your approach of keeping a filter on the host machine to specify the expected output (the listening ports) rather than trying to modify OSSEC itself. Not sure if we have a community filter like this for Windows, but I wouldn't mind writing a PowerShell version of this for Windows and posting it to the group.
Devon J. Greene

From: [email protected] [mailto:[email protected]] On Behalf Of Kevin Kelly
Sent: Thursday, January 16, 2014 1:55 PM
To: [email protected]
Subject: Re: [ossec-list] full_command netstat and other output in alerts.log file

This is what I am using:

$ cat netstat_filter.sh
#!/bin/sh
# Keep only LISTEN lines whose local address is not IPv4 loopback, take the
# port (the last ":"-separated field of the local address, which also works
# for ":::22"-style IPv6 entries), de-duplicate, sort numerically and join
# everything onto a single line so the OSSEC diff stays short and readable.
awk '$NF != "LISTEN" || $4 ~ /^127\.0\.0\./ { next }
     { n = split($4, wk, ":") }
     { in_use[wk[n]] = 1 }
     END { for (port in in_use) { printf("%d\n", port) } }' \
  | sort -n \
  | sed -e :a -e N -e 's/\n/ /' -e ta

$ netstat -tan | /netstat_filter.sh
22 25 80 111 443 662 10050 20031 45525

<localfile>
  <log_format>full_command</log_format>
  <command>netstat -tan | /netstat_filter.sh</command>
</localfile>

--
Kevin Kelly
Director, Network Technology
Whitman College

________________________________
From: "Marcin Liszka" <[email protected]>
To: [email protected]
Sent: Thursday, January 16, 2014 10:20:33 AM
Subject: [ossec-list] full_command netstat and other output in alerts.log file

Hello everybody,

I have a question. I need to monitor running services on OSSEC agents (OSSEC version 2.7.1). I found a problem on the OSSEC server: the output from full_command (a system command, for example "netstat -ntlp" or "chkconfig") is truncated in the alerts.log file. In alerts.log there is no full output from the netstat command and its previous state, so the administrator can't check what was changed in the system from the alert that arrived. Is it possible to change this (the alert body size or a similar variable)? Is there any solution to see the full information in alerts.log, like in the /var/ossec/diff/[hostname]/[rule_id]/ folder?

Thanks for any idea

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
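Added example, not code from the thread or from the OSSEC project: the same "one line of listening ports" idea as the posted netstat_filter.sh, extended to skip the IPv6 loopback address as well, plus a small helper that turns two such lines into the thing an analyst actually wants from the alert, namely which ports appeared and which went away. The function names listening_ports and port_delta and the netstat sample lines are my own constructions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): compress `netstat -tan` output to a
# single line of listening ports, then diff two snapshots.
# The netstat output below is constructed for the example; the port numbers
# are arbitrary.

NETSTAT_BEFORE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN'

# Same host later: port 80 is gone and something new listens on 4444.
NETSTAT_AFTER='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN'

# listening_ports: read `netstat -tan` output on stdin and print one line of
# sorted, de-duplicated, non-loopback listening ports, e.g. "22 80 443".
# The port is the last ":"-separated field of the local address, which also
# works for IPv6 forms such as ":::443". Unlike the posted filter this also
# drops IPv6 loopback (::1) listeners.
listening_ports() {
    awk '$NF != "LISTEN"                      { next }
         $4 ~ /^127\.0\.0\./ || $4 ~ /^::1:/  { next }
         { n = split($4, a, ":"); seen[a[n]] = 1 }
         END { for (p in seen) print p }' \
    | sort -n \
    | paste -s -d ' ' -
}

# port_delta BEFORE AFTER: given two port lines as produced above, print the
# ports that appeared ("+4444") followed by the ports that went away ("-80").
# Prints an empty line when nothing changed.
port_delta() {
    out=""
    for p in $2; do
        case " $1 " in *" $p "*) ;; *) out="$out +$p" ;; esac
    done
    for p in $1; do
        case " $2 " in *" $p "*) ;; *) out="$out -$p" ;; esac
    done
    printf '%s\n' "${out# }"
}

before=$(printf '%s\n' "$NETSTAT_BEFORE" | listening_ports)
after=$(printf '%s\n' "$NETSTAT_AFTER" | listening_ports)
echo "before: $before"
echo "after:  $after"
echo "delta:  $(port_delta "$before" "$after")"
```

One caveat when wiring a filter like this into OSSEC: the stock rule that fires on netstat changes matches the default command string from the shipped ossec.conf, so a full_command whose command text differs (as `netstat -tan | /netstat_filter.sh` does) needs its own local rule with `<check_diff />` before a change in the port line produces an alert at all.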
