Thanks Maarten. That seems to have disabled it!
On Friday, November 10, 2017 at 5:17:31 AM UTC-8, Maarten Broekman wrote: > > Brandon, check the ossec.conf file on that system. You probably have a > <localfile> entry in there that is running the netstat command. Just use > <!-- and --> to comment that block and restart ossec. Assuming that > configuration is only managed on that server (i.e. you don't have Puppet or > some other configuration management tool handling it), that will stop Ossec > from running it. > > --Maarten > > On Thursday, November 9, 2017 at 7:03:44 PM UTC-5, Brandon S wrote: >> >> Does anyone know of a way to disable all use of netstat by ossec agent on >> a single server? >> >> I have a server that has ossec agent on that netstat is using excessive >> CPU due to the high connections and large netstat output. >> >> I already tried disabling rootcheck in /var/ossec/etc/ossec.conf >> >> I still see ossec agent running netstat when rootcheck is confirmed >> disabled. >> >> [root@server ~]# ps aux|grep netstat >> root 2771 0.0 0.0 106076 1292 ? S 23:53 0:00 sh -c >> netstat -tulpen | sort >> root 2772 22.7 0.0 105400 1068 ? R 23:53 0:03 netstat >> -tulpen >> root 2807 0.0 0.0 103320 908 pts/1 S+ 23:53 0:00 grep >> netstat >> [root@server ~]# >> > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
