Disabling ossec use of netstat


Brandon S

Nov 9, 2017, 7:03:44 PM
to ossec-list
Does anyone know of a way to disable all use of netstat by the ossec agent on a single server?

I have a server that has the ossec agent on it where netstat is using excessive CPU due to the high number of connections and large netstat output.

I already tried disabling rootcheck in /var/ossec/etc/ossec.conf

I still see ossec agent running netstat when rootcheck is confirmed disabled.

[root@server ~]# ps aux|grep netstat
root      2771  0.0  0.0 106076  1292 ?        S    23:53   0:00 sh -c netstat -tulpen | sort
root      2772 22.7  0.0 105400  1068 ?        R    23:53   0:03 netstat -tulpen
root      2807  0.0  0.0 103320   908 pts/1    S+   23:53   0:00 grep netstat
[root@server ~]#

Maarten Broekman

Nov 10, 2017, 8:17:31 AM
to ossec-list
Brandon, check the ossec.conf file on that system. You probably have a <localfile> entry in there that is running the netstat command. Just use <!-- and --> to comment that block and restart ossec. Assuming that configuration is only managed on that server (i.e. you don't have Puppet or some other configuration management tool handling it), that will stop Ossec from running it.

--Maarten
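
The change described in the reply above, as an added example that is not part of the original thread: a shell function that wraps in <!-- and --> every <localfile> block whose <command> runs netstat. The function name and the sample config are constructed for illustration, and the full_command log format is an assumption about what the entry looks like on the affected server.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes <localfile> and </localfile>
# each sit on their own line, as in a typical ossec.conf.

# Print the config at $1 with every <localfile> block whose <command> runs
# netstat wrapped in an XML comment. Blocks already inside a comment are left
# alone, because XML comments cannot nest.
disable_netstat_localfile() {
    awk '
    !inblock && (incomment || /<!--/) {   # existing comment: pass through
        incomment = ($0 !~ /-->/); print; next
    }
    !inblock && /<localfile>/ { inblock = 1; hit = 0; buf = $0; next }
    !inblock { print; next }
    {                                     # inside a <localfile> block
        buf = buf "\n" $0
        if ($0 ~ /<command>.*netstat/) hit = 1
        if ($0 ~ /<\/localfile>/) {
            if (hit) print "<!-- disabled: runs netstat\n" buf "\n-->"
            else print buf
            inblock = 0
        }
    }' "$1"
}

# Constructed sample config; the command is the one seen in the ps output.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tulpen | sort</command>
  </localfile>
</ossec_config>
EOF
disable_netstat_localfile "$sample"
rm -f "$sample"
```

On a real agent, run the function against /var/ossec/etc/ossec.conf, review the output before installing it, and restart ossec. If the file is managed by Puppet or another configuration management tool, make the change there instead.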

Brandon S

Nov 10, 2017, 3:49:00 PM
to ossec-list
Thanks Maarten. That seems to have disabled it!