
List:       ossec-list
Subject:    [Ossec-list] The part of ossec were aborted
From:       daniel.cid () gmail ! com (Daniel Cid)
Date:       2006-05-31 19:09:19
Message-ID: b92e6f200605311209k1b589abdw8e2b6e1db588ee5d () mail ! gmail ! com

Hi Oleksander,

For some reason it looks like analysisd is dying. I noticed that you
are monitoring the store.log and cache.log from squid. We don't
have any decoders/rules for them. The same applies to some of the
other log files you configured. Also, if any of these files are in binary
format they wouldn't work with ossec. Can you send me some lines (or,
if possible, the whole file) for the following logs:

/etc/httpd/logs/audit_log
/etc/httpd/logs/ssl_request_log
/etc/httpd/logs/suexec.log
/var/log/squid/cache.log
/var/log/squid/store.log

You can send them privately to me if you prefer. By looking at them
I will be able to see if there is something causing ossec to die and
try to add support to them...

Thanks,

--
Daniel B. Cid
dcid @ ( at ) ossec.net

On 5/31/06, Oleksander Panchuk <oleksander.panchuk at cbn-cis.org> wrote:
> Hi Daniel,
> I use the 0.8 version of ossec.
> Everything was started, please see below.
>
> 2006/05/30 09:34:05 ossec-maild: Started (pid: 2360).
> 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'rules_config.xml'
> 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'sshd_rules.xml'
> 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'syslog_rules.xml'
> 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'pix_rules.xml'
> 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'named_rules.xml'
> 2006/05/30 09:34:05 ossec-analysisd: Reading rules file:
> 'pure-ftpd_rules.xml'
> 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'proftpd_rules.xml'
> 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'web_rules.xml'
> 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'apache_rules.xml'
> 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'ids_rules.xml'
> 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'squid_rules.xml'
> 2006/05/30 09:34:05 ossec-analysisd: Reading rules file:
> 'firewall_rules.xml'
> 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'postfix_rules.xml'
> 2006/05/30 09:34:05 ossec-analysisd: Reading rules file:
> 'sendmail_rules.xml'
> 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'spamd_rules.xml'
> 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'msauth_rules.xml'
> 2006/05/30 09:34:05 ossec-analysisd: Reading rules file: 'attack_rules.xml'
> 2006/05/30 09:34:05 ossec-analysisd: Total rules enabled: '246'
> 2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/mtab'
> 2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/hosts.deny'
> 2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/mail/statistics'
> 2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/random-seed'
> 2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/adjtime'
> 2006/05/30 09:34:05 ossec-analysisd: Ignoring file: '/etc/httpd/logs'
> 2006/05/30 09:34:05 ossec-execd: Started (pid: 2364).
> 2006/05/30 09:34:05 ossec-analysisd: 3 IPs in the white list for active
> response.
> 2006/05/30 09:34:05 ossec-analysisd: Started (pid: 2368).
> 2006/05/30 09:34:05 ossec-remoted: Started (pid: 2376).
> 2006/05/30 09:34:05 ossec-remoted: Started (pid: 2377).
> 2006/05/30 09:34:08 ossec-analysisd: Connected to '/queue/alerts/ar'
> (active-response queue
> 2006/05/30 09:34:08 ossec-analysisd: Connected to '/queue/alerts/execq'
> (exec queue)
> 2006/05/30 09:34:08 ossec-syscheckd: Started (pid: 2381).
> 2006/05/30 09:34:11 ossec-logcollector(1950): Analyzing file:
> '/var/log/messages'.
> 2006/05/30 09:34:11 ossec-logcollector(1950): Analyzing file:
> '/var/log/secure'.
> 2006/05/30 09:34:11 ossec-logcollector(1950): Analyzing file:
> '/var/log/xferlog'.
> 2006/05/30 09:34:11 ossec-logcollector(1950): Analyzing file:
> '/var/log/maillog'.
> 2006/05/30 09:34:11 ossec-logcollector(1950): Analyzing file:
> '/var/log/snort/alert'.
> 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file:
> '/var/log/httpd/error_log'.
> 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file:
> '/var/log/httpd/access_log'.
> 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file:
> '/etc/httpd/logs/audit_log'.
> 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file:
> '/etc/httpd/logs/ssl_request_
> 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file:
> '/etc/httpd/logs/suexec.log'.
> 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file:
> '/var/log/squid/access.log'.
> 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file:
> '/var/log/squid/cache.log'.
> 2006/05/30 09:34:12 ossec-logcollector(1950): Analyzing file:
> '/var/log/squid/store.log'.
> 2006/05/30 09:34:12 ossec-logcollector: Started (pid: 2372).
> 2006/05/30 10:00:02 ossec-syscheckd: socketerr
> 2006/05/30 10:00:02 ossec-syscheckd(1224): Error sending message to queue.
> 2006/05/30 10:00:03 ossec-logcollector: socketerr
> 2006/05/30 10:00:03 ossec-logcollector(1224): Error sending message to
> queue.
> 2006/05/30 10:00:05 ossec-syscheckd(1210): Queue
> '/var/ossec/queue/ossec/queue' not accessible.
> 2006/05/30 10:00:05 ossec-syscheckd(1211): Unable to access queue:
> '/var/ossec/queue/ossec/queue'. Giving up..
> 2006/05/30 10:00:06 ossec-logcollector(1210): Queue
> '/var/ossec/queue/ossec/queue' not accessible.
> 2006/05/30 10:00:06 ossec-logcollector(1211): Unable to access queue:
> '/var/ossec/queue/ossec/queue/ossec/queue'. Giving up..
>
> This is last message from ossec-alerts-30.log
>
> ** Alert 1148972399.27274: mail
> 2006 May 30 09:59:59 /var/log/squid/store.log
> Rule: 102 (level 7) -> 'Unknown problem somewhere in the system.'
> Src IP: (none)
> User: (none)
> RELEASE 00 000001B6 D6C15FA04F99D2C0BFBAD4CCA27E9BEB   ?         ?         ?
> ? ?/?
>
> Oleksander.
> > -----Original Message-----
> > From: Daniel Cid [mailto:daniel.cid at gmail.com]
> > Sent: Tuesday, May 30, 2006 5:38 PM
> > To: Oleksander Panchuk
> > Cc: ossec-list at ossec.net
> > Subject: Re: [Ossec-list] The part of ossec were aborted
> >
> > Hi Oleksander,
> >
> > Are you using version 0.8? Did you get any message about analysisd
> > starting? Basically, logcollector and syscheckd send their messages
> > to analysisd. If it is not running, you will get these errors (unable to
> > connect to socket). Can you also show us your logs from 5
> > minutes before logcollector died?
> >
> > Thanks,
> >
> > --
> > Daniel B. Cid
> > dcid @ ( at ) ossec.net
> >
> > On 5/30/06, Oleksander Panchuk <oleksander.panchuk at cbn-cis.org> wrote:
> > > Hello again.
> > >
> > > What happened with ossec-logcollector and ossec-syscheckd?
> > > It repeats 10-15 minutes after each restart of ossec.
> > >
> > > ..
> > > ossec-logcollector(1950): Analyzing file: '/var/log/squid/access.log'.
> > > ossec-logcollector(1950): Analyzing file: '/var/log/squid/cache.log'.
> > > ossec-logcollector(1950): Analyzing file: '/var/log/squid/store.log'.
> > > ossec-logcollector: Started (pid: 2372).
> > > ossec-syscheckd: socketerr
> > > ossec-syscheckd(1224): Error sending message to queue.
> > > ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
> > > ossec-syscheckd(1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> > > ossec-logcollector: socketerr
> > > ossec-logcollector(1224): Error sending message to queue.
> > > ossec-logcollector(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
> > > ossec-logcollector(1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up
> > >
> > > I updated Linux OS
> > >     libgomp.i386 4.1.1-1.fc5
> > >     gcc.i386 4.1.1-1.fc5
> > >     libgcj-devel.i386 4.1.1-1.fc5
> > >     libstdc++-devel.i386 4.1.1-1.fc5
> > >     gcc-java.i386 4.1.1-1.fc5
> > >     cpp.i386 4.1.1-1.fc5
> > >     libgcj.i386 4.1.1-1.fc5
> > >     gcc-c++.i386 4.1.1-1.fc5
> > >     libtool-ltdl.i386 1.5.22-2.3
> > >     libgcc.i386 4.1.1-1.fc5
> > >     libtool.i386 1.5.22-2.3
> > >     apr-devel.i386 1.2.2-7.3
> > >     libgnat.i386 4.1.1-1.fc5
> > >     libstdc++.i386 4.1.1-1.fc5
> > >     apr.i386 1.2.2-7.3
> > >
> > > Best regards,
> > > Aleksander.
> > >
> > > _______________________________________________
> > > ossec-list mailing list
> > > ossec-list at ossec.net
> > > http://mailman.underlinux.com.br/mailman/listinfo/ossec-list
>
>
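Two checks fall out of the thread above: Daniel's point that logcollector and syscheckd only fail with "Queue ... not accessible" because analysisd, the process that owns the queue socket, is no longer there, and his caveat that a monitored file in binary format will not work with ossec. The script below is an added example written for this page; it is not OSSEC's code and not something either poster ran. It assumes the queue at /var/ossec/queue/ossec/queue is an AF_UNIX datagram socket, the binary heuristic is my own, and every sample line is constructed here (the store.log line only mimics the shape of the one in the Rule 102 alert).

```python
import os
import socket
import tempfile

# Constructed sample contents (not copied from any real host). The store.log
# line mirrors the shape of the one in the Rule 102 alert above; the third
# file contains NUL bytes to stand in for a log that is not plain text.
SAMPLE_FILES = {
    "store.log": b"RELEASE 00 000001B6 D6C15FA04F99D2C0BFBAD4CCA27E9BEB   ?         ?         ? ? ?/?\n",
    "access.log": b"1148972399.123     45 10.0.0.5 TCP_MISS/200 512 GET http://example.com/ - DIRECT/192.0.2.10 text/html\n",
    "binary.log": b"\x00\x01\x02RELEASE\x00\xff\xfe\n",
}

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def looks_binary(sample: bytes, threshold: float = 0.30) -> bool:
    """Heuristic (mine, not OSSEC's): a NUL byte, or more than `threshold`
    of the bytes outside printable ASCII/whitespace, means 'not a text log'.
    UTF-8 logs carry some high bytes, which is why a ratio is used rather
    than a single non-ASCII byte."""
    if not sample:
        return False
    if b"\x00" in sample:
        return True
    non_printable = sum(1 for b in sample if b not in PRINTABLE)
    return non_printable / len(sample) > threshold


def check_log_files(paths, head_size=4096):
    """Classify each configured log path as 'text', 'binary' or
    'unreadable: <reason>' by inspecting its first head_size bytes."""
    results = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                head = fh.read(head_size)
        except OSError as exc:
            results[path] = f"unreadable: {exc.strerror}"
            continue
        results[path] = "binary" if looks_binary(head) else "text"
    return results


def queue_reachable(queue_path="/var/ossec/queue/ossec/queue"):
    """Do what logcollector and syscheckd do before sending: connect to the
    analysisd queue. Assumption: the queue is an AF_UNIX datagram socket.
    connect() fails with ENOENT if the socket file is gone and with
    ECONNREFUSED if the file exists but no process has it bound, which is
    the 'analysisd died' case in the thread."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        sock.connect(queue_path)
        return True
    except OSError:
        return False
    finally:
        sock.close()


def run_demo():
    """Write the samples to a temp dir, classify them, then probe a stand-in
    queue socket while bound, after it is closed, and when it never existed."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for name, data in SAMPLE_FILES.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            paths.append(path)
        files = {os.path.basename(p): v for p, v in check_log_files(paths).items()}

        queue = os.path.join(tmp, "queue")
        fake_analysisd = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        fake_analysisd.bind(queue)
        try:
            up = queue_reachable(queue)
        finally:
            fake_analysisd.close()  # "analysisd dies"; the socket file stays on disk
        after_death = queue_reachable(queue)
        missing = queue_reachable(os.path.join(tmp, "no-such-queue"))

    return {"files": files, "queue_up": up,
            "queue_after_analysisd_died": after_death, "queue_missing": missing}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real manager you would call check_log_files() with the <localfile> paths from ossec.conf and queue_reachable() with the default path; a "binary" verdict on any monitored file, or a queue that was reachable at start and is refused minutes later, reproduces the two conditions the thread is chasing without waiting for the daemons to give up.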
