Hi everyone.
I need to monitor a port in the "listen" state locally.
I can't use net_connect because making queries to the network isn't permitted, for the customer's security reasons. So my strategy focuses on using the logmon probe.
This is my configuration:
1) I am capturing the state of the port with a profile in command mode. (netstat -n -a | grep tcp | grep "LISTEN" | grep -v "grep" > /opt/nimsoft/probes/system/logmon/netstat.log). The output of the profile is ---->
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:48000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:48001 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:48007 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:48008 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:48009 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:48010 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:25 :::* LISTEN
2) I am reading the log (/opt/nimsoft/probes/system/logmon/netstat.log), for example with this regex: /127.0.0.1:25\s+0.0.0.0:\W\s+LISTEN/
This regex is working well, and generates an alarm ---->
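
The local check described in this post, as an added example that is not part of the original post: it compares the local-address field of each `netstat -n -a` line literally instead of with a regex, and goes slightly beyond the post by listing expected endpoints that are absent from the capture. The function names `is_listening` and `missing_listeners` are hypothetical, the sample lines are the output quoted in the post, and `0.0.0.0:8080` is a constructed endpoint that is not listening.

```shell
#!/bin/sh
# Sample input: the netstat output quoted in the post.
SAMPLE='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:48000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:48001 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:48007 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:48008 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:48009 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:48010 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:25 :::* LISTEN'

# is_listening ADDR:PORT   (hypothetical helper name)
# Reads "netstat -n -a" style lines on stdin. Exit status 0 if a tcp or tcp6
# socket bound to exactly ADDR:PORT is in LISTEN state, 1 otherwise.
# Field 4 is the local address. Appending "" forces a string comparison,
# so the dots and "*" in the data need no escaping.
is_listening() {
    awk -v want="$1" '
        $1 ~ /^tcp6?$/ && $NF == "LISTEN" && ($4 "") == (want "") { found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# missing_listeners CAPTURE ADDR:PORT...   (hypothetical helper name)
# Prints every expected endpoint that is not listening in CAPTURE,
# one per line. Empty output means all expected listeners are present.
missing_listeners() {
    capture=$1
    shift
    for endpoint in "$@"; do
        printf '%s\n' "$capture" | is_listening "$endpoint" ||
            printf '%s\n' "$endpoint"
    done
}

# Demo on the sample: only the constructed endpoint is reported.
missing_listeners "$SAMPLE" 0.0.0.0:22 127.0.0.1:25 0.0.0.0:8080 ::1:25
```

On a live host the same function can read the command directly, for example `netstat -n -a | is_listening 127.0.0.1:25`, which makes no network query.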