Nothing that I can see. Even with -d it goes into the background. DEBUG messages are logged to ossec.log
On Wed, Nov 3, 2010 at 12:30 PM, Tim Eberhard <[email protected]> wrote:
> What am I missing here?
>
> r...@ossec:/home/teberhard# /var/ossec/bin/ossec-logcollector -d
> 2010/11/03 09:29:47 ossec-logcollector: DEBUG: Starting ...
> r...@ossec:/home/teberhard# /var/ossec/bin/ossec-logcollector -dt
> 2010/11/03 09:29:57 ossec-logcollector: DEBUG: Starting ...
> r...@ossec:/home/teberhard# /var/ossec/bin/ossec-logcollector -d -t
> 2010/11/03 09:30:00 ossec-logcollector: DEBUG: Starting ...
> r...@ossec:/home/teberhard# /var/ossec/bin/ossec-logcollector -d -t -c /var/ossec/etc/ossec.conf
> 2010/11/03 09:30:10 ossec-logcollector: DEBUG: Starting ...
>
>
> On Wed, Nov 3, 2010 at 10:07 AM, dan (ddp) <[email protected]> wrote:
>> Try running logcollector in debug mode.
>> Try it with 1 full_command to see if you can get that working. I recommend the ones that aren't quite so system intensive.
>>
>> Here's my setup:
>> <localfile>
>> <log_format>full_command</log_format>
>> <command>netstat -an |grep LISTEN | grep -v '127.0.0.1'</command>
>> </localfile>
>>
>> <rule id="510000" level="7">
>> <if_sid>530</if_sid>
>> <match>ossec: output: 'netstat -an |grep LISTEN</match>
>> <check_diff />
>> <description>Listened ports have changed.</description>
>> </rule>
>>
>> This works for me.
>>
>> On Wed, Nov 3, 2010 at 10:59 AM, Tim Eberhard <[email protected]> wrote:
>>> I removed that extra white space and it doesn't appear to have helped anything. Checking the log file..
>>>
>>> 2010/11/03 07:54:23 ossec-logcollector: INFO: Monitoring full output of command(360): netstat -tan |grep LISTEN | grep -v$
>>> 2010/11/03 07:54:23 ossec-logcollector: INFO: Monitoring full output of command(360): awk -F: '($3 == "0") {print}' /etc/$
>>> 2010/11/03 07:54:23 ossec-logcollector: INFO: Monitoring full output of command(360): rpm -qa
>>> 2010/11/03 07:54:23 ossec-logcollector: INFO: Monitoring full output of command(360): awk -F: '($2 == "") {print}' /etc/s$
>>> 2010/11/03 07:54:23 ossec-logcollector: INFO: Monitoring full output of command(360): find / -user root -perm -4000 -print
>>> 2010/11/03 07:54:23 ossec-logcollector: INFO: Started (pid: 21501).
>>>
>>> What is the next step in troubleshooting custom rules like this? I apologize if this is a standard question.. if someone would show me how to go about this I'll do my best to spoon feed myself :)
>>>
>>> Thanks again for your help,
>>> -Tim Eberhard
>>>
>>>
>>> On Tue, Nov 2, 2010 at 7:57 PM, Tim Eberhard <[email protected]> wrote:
>>>> That's how it sits today. I'll remove them and see if that helps things at all.
>>>>
>>>>
>>>> On Tue, Nov 2, 2010 at 3:23 PM, dan (ddp) <[email protected]> wrote:
>>>>> On Tue, Nov 2, 2010 at 4:13 PM, Tim Eberhard <[email protected]> wrote:
>>>>>> [My apologies for posting this to ossec-dev. I typed in the wrong google group. This was intended for ossec-list]
>>>>>>
>>>>>> All,
>>>>>>
>>>>>> I've been trying to write some rules for my lab OSSEC box and test them before we roll OSSEC out to production. I'm having some problems writing rules when using the full command. I've tried to follow the examples written here:
>>>>>> http://www.ossec.net/doc/manual/monitoring/process-monitoring.html
>>>>>>
>>>>>> But it seems all my added checks/rules don't work properly.
>>>>>>
>>>>>> Basic info:
>>>>>> -Linux - 2.6.18-128.1.6.el5
>>>>>> -OSSEC 2.5.1
>>>>>> -Stand alone server
>>>>>>
>>>>>> Here is the example rule I've been trying to get to work...
>>>>>>
>>>>>> Check for changes to the system start up services
>>>>>> ossec.conf:
>>>>>> <localfile>
>>>>>> <log_format>full_command</log_format>
>>>>>> <command> /sbin/chkconfig --list | grep '3:on'</command>
>>>>>
>>>>> Is the space in the <command> above intentional or a paste-o? I don't know if it will affect the output or not...
>>>>>
>>>>>> </localfile>
>>>>>>
>>>>>> In local_rules.xml:
>>>>>> <rule id="510004" level="7">
>>>>>> <if_sid>530</if_sid>
>>>>>> <match>ossec: output: ‘/sbin/chkconfig </match>
>>>>>> <check_diff />
>>>>>> <description>The system start up services have changed</description>
>>>>>> </rule>
>>>>>>
>>>>>>
>>>>>> Upon changing the start up and removing an item I get an alert when OSSEC notices the start up script file change.. It just doesn't seem to fire off my alert that I have configured.
>>>>>>
>>>>>> OSSEC HIDS Notification.
>>>>>> 2010 Nov 02 07:16:40
>>>>>> Received From: ossec->syscheck
>>>>>> Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
>>>>>> Portion of the log(s):
>>>>>>
>>>>>> File '/etc/rc.d/rc0.d/K03yum-updatesd' was deleted. Unable to retrieve checksum.
>>>>>> --END OF NOTIFICATION
>>>>>>
>>>>>>
>>>>>> Anyone care to tell me what obvious item I'm missing? This holds true for half a dozen items that I am using full_command for and trying to check. Another example is below:
>>>>>>
>>>>>>
>>>>>> Check for changes to the SUID binaries
>>>>>> ossec.conf:
>>>>>> <localfile>
>>>>>> <log_format>full_command</log_format>
>>>>>> <command> find / -user root -perm -4000 -print</command>
>>>>>> </localfile>
>>>>>>
>>>>>> In local_rules.xml:
>>>>>> <rule id="510005" level="7">
>>>>>> <if_sid>530</if_sid>
>>>>>> <match>ossec: output: ‘find / -user root </match>
>>>>>> <check_diff />
>>>>>> <description>SUID root binaries have been changed</description>
>>>>>> </rule>
>>>>>>
>>>>>>
>>>>>> Thanks for any assistance/input you can provide.
>>>>>> -Tim Eberhard
>>>>>>
>>>>>
>>>>
>>>
>>
>
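A small Python model (added here; it is neither from the thread nor OSSEC's own code) of how a full_command event is matched against a rule and how check_diff behaves. It assumes the event header is "ossec: output: '<command>':" followed by the command output (the header dan's working <match> keys on), that the <command> text is used verbatim with any leading space kept, and that <match> is a literal substring test. It exercises the two details visible in the thread: Tim's <match> strings as pasted use a curly ‘ where dan's uses a straight ', and Tim's <command> elements carry a leading space.

```python
import hashlib

# Added example, not OSSEC source: models the event text ossec-logcollector
# emits for a full_command entry, "ossec: output: '<command>':" + output,
# which is the header dan's working <match> keys on (assumption: verbatim command).
def full_command_event(command: str, output: str) -> str:
    return f"ossec: output: '{command}':\n{output}"


class CheckDiffRule:
    """<if_sid>530 + <match> + <check_diff />: <match> is a literal substring
    test; check_diff alerts only when a matched event differs from the one
    last stored for this rule."""
    def __init__(self, rule_id: int, match: str):
        self.rule_id, self.match, self.last_digest = rule_id, match, None

    def evaluate(self, event: str) -> str:
        if self.match not in event:
            return "no-match"      # rule never fires; no diff baseline is kept
        digest = hashlib.sha256(event.encode("utf-8")).hexdigest()
        if self.last_digest is None:
            self.last_digest = digest
            return "stored"        # first run only records the baseline
        if digest == self.last_digest:
            return "unchanged"
        self.last_digest = digest
        return "alert"


def run_scenarios() -> dict:
    results = {}
    # dan's pair: straight quote in <match>, no leading space in <command>.
    cmd = "netstat -an |grep LISTEN | grep -v '127.0.0.1'"
    rule = CheckDiffRule(510000, "ossec: output: 'netstat -an |grep LISTEN")
    base = "tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN"          # constructed output
    results["netstat"] = [rule.evaluate(full_command_event(cmd, base)),
                          rule.evaluate(full_command_event(cmd, base)),
                          rule.evaluate(full_command_event(cmd, base + "\n8080 LISTEN"))]
    # Tim's pair as pasted: curly quote in <match>, leading space in <command>.
    ev = full_command_event(" /sbin/chkconfig --list | grep '3:on'", "sshd 3:on")
    curly = CheckDiffRule(510004, "ossec: output: \u2018/sbin/chkconfig ")
    results["chkconfig_as_pasted"] = curly.evaluate(ev)
    # A straight quote alone is not enough while <command> keeps its space.
    straight = CheckDiffRule(510004, "ossec: output: '/sbin/chkconfig ")
    results["chkconfig_straight_quote_only"] = straight.evaluate(ev)
    # With both corrected the header contains the <match> text.
    ev2 = full_command_event("/sbin/chkconfig --list | grep '3:on'", "sshd 3:on")
    results["chkconfig_fixed"] = straight.evaluate(ev2)
    return results
```

Because a non-matching event never reaches check_diff, a rule that fails on the header mismatch will stay silent on every run, which is consistent with the "nothing fires" symptom rather than a diff problem.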
