commands output


Aj Navarro

May 23, 2016, 6:08:25 PM5/23/16
to Wazuh mailing list
I see OSSEC is monitoring the following commands:

ossec-logcollector: INFO: Monitoring output of command(360): df -h
ossec-logcollector: INFO: Monitoring full output of command(360): netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
ossec-logcollector: INFO: Monitoring full output of command(360): last -n 5
ossec-logcollector: INFO: Monitoring full output of command(360): history
Why, if I execute any of these commands, can I not see the output in the WUI?
 
 

Santiago Bassett

May 23, 2016, 6:12:47 PM5/23/16
to Aj Navarro, Wazuh mailing list
Try using the "logall" option in ossec.conf (on the manager). You should be able to see the output in /var/ossec/logs/archives/archives.log

I am not very familiar with the OSSEC WUI, but I don't think it is designed so you can see the output there. Can you see alerts there? If so, try creating a rule to trigger an alert for those commands.

I hope it helps,

Santiago.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/fdc2a0a3-2770-4661-99a6-676511210fe9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Aj Navarro

May 23, 2016, 6:42:22 PM5/23/16
to Wazuh mailing list

According to this:

Disk space utilization (df -h) example

As of OSSEC version 2.3 you can monitor commands directly in OSSEC with the following configuration (in /var/ossec/etc/ossec.conf):

<localfile>
    <log_format>command</log_format>
    <command>df -h</command>
</localfile>

This part is configured in OSSEC right now!!! But when I execute the command, I cannot see the output in the WUI.

Yes, I can see alerts in the WUI.
 
 

 

Santiago Bassett

May 23, 2016, 6:52:21 PM5/23/16
to Aj Navarro, Wazuh mailing list
Ok, try using the logall option. You should be able to see the output in the archives.log file.

To convert that output into an alert you will need to create the rule. I think there are rules to trigger an alert in certain cases, for example when the output of 'df -h' matches 100%.

Do you want to get an alert every time the command is executed? If so, you need to create another rule to match that output. You can also use the "alias" option to add an easy-to-identify string to the beginning of the text. And instead of command use full_command, so all lines are aggregated as a single event. For example:

<localfile>
    <log_format>full_command</log_format>
    <alias>df-check</alias>
    <command>df -h</command>
</localfile>
I hope it helps,

Santiago.


Adiel Navarro

May 24, 2016, 4:44:28 PM5/24/16
to Santiago Bassett, Aj Navarro, Wazuh mailing list

Where are these rules configured?

 

<localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN|grep -v 127.0.0.1</command>
</localfile>

After that, I add a rule to alert when its output changes:

<rule id="140123" level="7">
    <!-- 530 is the stock OSSEC rule that matches every "ossec: output: '" event -->
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat -tan |grep LISTEN</match>
    <!-- fire only when the command output differs from the previous run -->
    <check_diff />
    <description>Listening ports have changed.</description>
</rule>
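To answer the "where are these rules configured?" question and to put Santiago's three suggestions (logall, full_command with an alias, and a rule keyed on the alias) in one place, here is an added example. It is not code from the thread or from the OSSEC project; the file paths are the OSSEC defaults, while the rule id 100100, the group name and the alias string listening-ports are assumptions chosen for illustration. The localfile goes in ossec.conf on the host running the command and the rule in local_rules.xml on the manager.

```xml
<!-- Added example (not from the thread or from OSSEC). Paths are OSSEC defaults;
     rule id 100100, the group name and the alias "listening-ports" are assumed. -->

<!-- /var/ossec/etc/ossec.conf -->
<ossec_config>
  <global>
    <!-- Manager only: write every received event to logs/archives/archives.log,
         not just the ones that fire a rule, so raw command output can be inspected. -->
    <logall>yes</logall>
  </global>

  <localfile>
    <!-- full_command delivers the whole multi-line output as ONE event, so
         check_diff compares complete snapshots rather than single lines. -->
    <log_format>full_command</log_format>
    <!-- The alias replaces the command text in the event:
         ossec: output: 'listening-ports': ...   -->
    <alias>listening-ports</alias>
    <!-- sort keeps the output stable between runs; without it, reordering alone
         would look like a change to check_diff. -->
    <command>netstat -tan | grep LISTEN | grep -v 127.0.0.1 | sort</command>
    <!-- seconds between runs; 360 is what the logcollector lines above show -->
    <frequency>360</frequency>
  </localfile>
</ossec_config>

<!-- /var/ossec/rules/local_rules.xml (manager) -->
<group name="local,syslog,">
  <!-- Rule 530 is the stock level-0 rule matching every "ossec: output: '" event;
       command-output rules chain from it with if_sid. -->
  <rule id="100100" level="7">
    <if_sid>530</if_sid>
    <!-- Match on the alias, not on the command text, because the alias
         is what appears in the event. -->
    <match>ossec: output: 'listening-ports'</match>
    <!-- Alert only when the output differs from the last stored copy. -->
    <check_diff />
    <description>Set of listening TCP ports changed.</description>
  </rule>
</group>
```

Two caveats follow from the alias. The stock disk-full rule Santiago mentions (531 in ossec_rules.xml) matches on the literal text 'df -h after ossec: output:, so if you alias the df -h localfile that rule stops firing and you need your own rule keyed on the alias. And because the WUI reads alerts, not archives.log, the output only becomes visible there once a rule like the one above turns it into an alert; logall is for checking in archives.log that the command output is actually arriving at the manager.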
