list, sorry for the typo

the first example is not "from ossec-alerts.log" but "from ossec.log"

cheers.


On 29.01.2016 01:49, q wrote:
> Hello list!
>
> OSSEC can "cut" some data from 'full_command' output.
>
>
>
> this is from ossec-alerts.log
>
> ossec: output: 'tcp_netstat':
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2743/sshd
> tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4865/nginx
> tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      2623/rsyslogd
> tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      12159/ossec-authd
> tcp        0      0 ::1:25                  :::*                    LISTEN      2996/master
> tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2996/master
> tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      5132/mongod
> tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2885/mysqld
> tcp        0      0 127.0.0.1:3333          0.0.0.0:*               LISTEN      8089/uwsgi
> tcp        0      0 :::587                  :::*                    LISTEN      2623/r
>
>
>
> and this is from ossec-alerts.log
>
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2743/sshd
> tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4865/nginx
> tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      2623/rsyslogd
> tcp        0      0 ::1:25                  :::*                    LISTEN      2996/master
> tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2996/master
> tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      5132/mongod
> tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2885/mysqld
> tcp        0      0 127.0.0.1:3333          0.0.0.0:*               LISTEN      8089/uwsgi
> tcp        0      0 :::587                  :::*                    LISTEN      2623/rsyslogd
>
>
>
> Last string from /var/ossec/logs/ossec.log
> tcp        0      0 :::587                  :::*                    LISTEN      2623/rsyslogd
>
>
> and last string from /var/ossec/logs/alerts/ossec-alerts
> tcp        0      0 :::587                  :::*                    LISTEN      2623/r
>
>
>
> Also, check_diff doesn't work properly due to this issue.
> I think it's a bug.
>
>
>
> My ossec is 2.8 (rpm from Atomic repo)
>
> part of my config:
>
> <localfile>
>         <alias>tcp_netstat</alias>
>         <log_format>full_command</log_format>
>         <command>netstat -tpln |sort</command>
> </localfile>
>
>
>
> Thank you!
>

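As an added example (not code from the thread or from OSSEC), the check below parses two `netstat -tpln` captures, constructed from the rows in the post, and shows why a truncated alert copy breaks a check_diff-style comparison: the cut last row turns up as a spurious "changed" listener. The function names and the trimmed sample rows are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a few rows from the post, as netstat -tpln prints them.
# ossec.log holds the full command output; the alert copy ends mid-row.
LOG_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address   State   PID/Program name
tcp   0   0 0.0.0.0:22      0.0.0.0:*   LISTEN   2743/sshd
tcp   0   0 0.0.0.0:443     0.0.0.0:*   LISTEN   4865/nginx
tcp   0   0 127.0.0.1:3306  0.0.0.0:*   LISTEN   2885/mysqld
tcp   0   0 :::587          :::*        LISTEN   2623/rsyslogd
"""
# Drop the tail "syslogd\n" so the last row reads "2623/r", as in the alert.
ALERT_OUTPUT = LOG_OUTPUT[:-len("syslogd\n")]

# One TCP listener row: proto, queues, local, foreign, state, PID/program.
ROW = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_netstat(text: str) -> Dict[str, str]:
    """Map 'proto local_address' -> 'PID/Program name' for each listener row."""
    listeners = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, local, _foreign, _state, prog = m.groups()
            listeners[f"{proto} {local}"] = prog
    return listeners


def is_truncated_copy(full: str, copy: str) -> Tuple[bool, int]:
    """True if copy is a strict prefix of full; second value is the byte count lost."""
    if copy != full and full.startswith(copy):
        return True, len(full.encode()) - len(copy.encode())
    return False, 0


def diff_listeners(old: str, new: str) -> Dict[str, List[str]]:
    """Added, removed and changed listeners between two snapshots (what check_diff should show)."""
    a, b = parse_netstat(old), parse_netstat(new)
    return {
        "added": sorted(k for k in b if k not in a),
        "removed": sorted(k for k in a if k not in b),
        "changed": sorted(k for k in a if k in b and a[k] != b[k]),
    }
```

Comparing the full log copy against itself yields no differences, while comparing it against the alert copy reports `tcp :::587` as changed purely because of the cut program name.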