Hello list!
OSSEC can "cut" some data from 'full_command' output.
This is from ossec-alerts.log:
ossec: output: 'tcp_netstat':
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2743/sshd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4865/nginx
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      2623/rsyslogd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      12159/ossec-authd
tcp        0      0 ::1:25                  :::*                    LISTEN      2996/master
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2996/master
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      5132/mongod
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2885/mysqld
tcp        0      0 127.0.0.1:3333          0.0.0.0:*               LISTEN      8089/uwsgi
tcp        0      0 :::587                  :::*                    LISTEN      2623/r
And this is from ossec-alerts.log:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2743/sshd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4865/nginx
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      2623/rsyslogd
tcp        0      0 ::1:25                  :::*                    LISTEN      2996/master
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2996/master
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      5132/mongod
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2885/mysqld
tcp        0      0 127.0.0.1:3333          0.0.0.0:*               LISTEN      8089/uwsgi
tcp        0      0 :::587                  :::*                    LISTEN      2623/rsyslogd
Last line from /var/ossec/logs/ossec.log:
tcp        0      0 :::587                  :::*                    LISTEN      2623/rsyslogd
And the last line from /var/ossec/logs/alerts/ossec-alerts:
tcp        0      0 :::587                  :::*                    LISTEN      2623/r
Also, check_diff doesn't work properly due to this issue.
I think it's a bug.
My OSSEC is 2.8 (rpm from the Atomic repo).
Part of my config:
<localfile>
  <alias>tcp_netstat</alias>
  <log_format>full_command</log_format>
  <command>netstat -tpln |sort</command>
</localfile>
Thank you!
--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
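The following script is an added example for this thread, not part of the original post and not OSSEC code. It takes the two copies of the same `netstat -tpln | sort` capture that the poster has (the complete one in ossec.log and the cut one in ossec-alerts.log) and tells "the tail was cut off" apart from "a listening socket really appeared or disappeared". The netstat rows are constructed from the output quoted above; the names `classify`, `listener_diff`, `parse_listeners` and the `9999/python` listener in the third sample are the example's own. It makes no assumption about where or why OSSEC cuts the output.

```python
"""Tell a truncated copy of a full_command capture apart from a real change.

Added example for the ossec-list thread; not part of the original post and
not OSSEC code. Only assumes both copies of the `netstat -tpln | sort` output
are available as text.
"""
import re
from typing import NamedTuple

# Constructed sample: a subset of the rows quoted in the post, as they appear
# in /var/ossec/logs/ossec.log (the complete copy).
FULL_CAPTURE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2743/sshd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4865/nginx
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2885/mysqld
tcp        0      0 :::587                  :::*                    LISTEN      2623/rsyslogd
"""

# Constructed: the same capture as it showed up in ossec-alerts.log, with the
# final program name cut down to "2623/r" exactly as in the post.
ALERT_CAPTURE = FULL_CAPTURE.rstrip("\n")[:-len("syslogd")]

# Constructed: a genuine change, nginx on :443 gone, a hypothetical python
# listener on :8080 in its place.
CHANGED_CAPTURE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2743/sshd
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      9999/python
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2885/mysqld
tcp        0      0 :::587                  :::*                    LISTEN      2623/rsyslogd
"""


class Socket(NamedTuple):
    proto: str
    local: str
    program: str  # the "PID/Program name" column as netstat prints it


# One data row of `netstat -tpln`. The State column is absent for UDP rows,
# hence optional. A row cut before the program column does not match at all
# and simply vanishes from the parsed set.
ROW_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<program>\d+/\S+|-)\s*$"
)


def parse_listeners(capture: str) -> list[Socket]:
    """Parse the data rows; the two header lines never match ROW_RE and are skipped."""
    rows = []
    for line in capture.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(Socket(m["proto"], m["local"], m["program"]))
    return rows


def listener_diff(reference: str, current: str) -> dict:
    """Set difference of listeners: what a naive comparison (check_diff style) reports."""
    ref, cur = set(parse_listeners(reference)), set(parse_listeners(current))
    return {"added": sorted(cur - ref), "removed": sorted(ref - cur)}


def classify(reference: str, alert: str) -> tuple[str, dict]:
    """Classify the alert copy against the reference copy of the same command output.

    identical : byte-for-byte the same (trailing newline ignored)
    truncated : the alert is a strict prefix of the reference, so nothing
                changed; details carry the spurious diff a naive comparison
                would raise for it
    changed   : the listener set really differs
    """
    ref, cur = reference.rstrip("\n"), alert.rstrip("\n")
    if cur == ref:
        return "identical", {}
    naive = listener_diff(reference, alert)
    if ref.startswith(cur):
        return "truncated", {
            "bytes_lost": len(ref) - len(cur),
            "last_line": cur.splitlines()[-1],
            "naive_diff": naive,
        }
    return "changed", naive


if __name__ == "__main__":
    for name, copy in (("alert", ALERT_CAPTURE), ("changed", CHANGED_CAPTURE)):
        kind, info = classify(FULL_CAPTURE, copy)
        print(f"{name}: {kind} {info}")
```

Run it against the two copies pulled from ossec.log and ossec-alerts.log: a "truncated" verdict with a 2623/r vs 2623/rsyslogd naive diff is the symptom described in the post, whereas a "changed" verdict with a real socket in `added` or `removed` is the alert check_diff is meant to raise.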