Brandon, check the ossec.conf file on that system. You probably have a <localfile> entry in there that is running the netstat command. Just use <!-- and --> to comment that block and restart ossec. Assuming that configuration is only managed on that server (i.e. you don't have Puppet or some other configuration management tool handling it), that will stop Ossec from running it.
--Maarten

On Thursday, November 9, 2017 at 7:03:44 PM UTC-5, Brandon S wrote:
>
> Does anyone know of a way to disable all use of netstat by ossec agent on
> a single server?
>
> I have a server that has ossec agent on that netstat is using excessive
> CPU due to the high connections and large netstat output.
>
> I already tried disabling rootcheck in /var/ossec/etc/ossec.conf
>
> I still see ossec agent running netstat when rootcheck is confirmed
> disabled.
>
> [root@server ~]# ps aux|grep netstat
> root 2771 0.0 0.0 106076 1292 ? S 23:53 0:00 sh -c netstat -tulpen | sort
> root 2772 22.7 0.0 105400 1068 ? R 23:53 0:03 netstat -tulpen
> root 2807 0.0 0.0 103320 908 pts/1 S+ 23:53 0:00 grep netstat
> [root@server ~]#
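
An added example, not part of the original thread: a small check that lists which `<command>` entries invoking netstat are still active (outside any `<!-- ... -->` comment) in an ossec.conf-style file. The function name and the sample configuration are constructed for illustration; the sample reuses the `netstat -tulpen | sort` command seen in the `ps` output above.

```shell
#!/bin/sh
# Print "LINE_NUMBER: <command>...</command>" for every netstat <command>
# entry that is NOT inside an XML comment, i.e. still run by the agent.
active_netstat_commands() {
    awk '
    {
        line = $0; out = ""
        # Remove <!-- ... --> spans, including comments that cross lines.
        while (length(line) > 0) {
            if (in_comment) {
                end = index(line, "-->")
                if (end == 0) break              # rest of line is commented
                line = substr(line, end + 3)
                in_comment = 0
            } else {
                start = index(line, "<!--")
                if (start == 0) { out = out line; break }
                out = out substr(line, 1, start - 1)
                line = substr(line, start + 4)
                in_comment = 1
            }
        }
        if (out ~ /<command>.*netstat/) {
            sub(/^[ \t]+/, "", out)
            print NR ": " out
        }
    }' "$1"
}
# Constructed sample: one active netstat block, one already commented out.
sample_conf() {
    cat <<'EOF'
<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tulpen | sort</command>
  </localfile>
  <!--
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tulpen | sort</command>
  </localfile>
  -->
</ossec_config>
EOF
}
demo=$(mktemp) && sample_conf > "$demo"
active_netstat_commands "$demo"
rm -f "$demo"
```

Run the function against /var/ossec/etc/ossec.conf before and after commenting the block; an empty result after the edit means no active netstat entry remains in that file.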
