
List:       ossec-list
Subject:    [ossec-list] Ossec WebUI - 'Latest modified files (for all agents)' stopped updating
From:       Christina Wyndham <cwynd () benclarke ! ca>
Date:       2019-05-31 22:19:36
Message-ID: 43d18657-889f-4cec-bbc2-345b519222d5 () googlegroups ! com

We have been using ossec 2.8.2 for about 5 years now to monitor an array of 
25 servers in various locations without problems, until... May 19, around 2 
weeks ago.

Since then, per the subject line, we have seen no updates at all in the 
'Latest modified files (for all agents)'. The last entries there are for 
May 19, then nothing after that. Normally there is a list of file changes 
most days as you might expect.

However:

   - All of the agents continue to report in (the 'Main' tab shows a last 
   keep alive in the last few minutes for all agents)
   - Latest events shows a steady stream of current entries, so we're 
   confident that the agents are talking to the manager
   - Analogi shows a graphical analysis of recent events - but excluding 
   any file checksum change events

All systems (except for a couple of Windows machines) are running Ubuntu or 
Debian.

We have tried restarting the Manager processes (many times), and also one 
local agent that we can easily monitor closely. We tried this process 
<https://ossec-docs.readthedocs.io/en/latest/faq/syscheck.html#how-do-i-stop-syscheck-alerts-during-system-updates>
to empty and recreate the syscheck file for that one agent, and it 
successfully recreates the syscheck file for that agent but with only 2 
entries, but still I do not see anything in the 'Latest modified files (for 
all agents)'.

That two-entry result sounds like this issue 
<https://ossec-docs.readthedocs.io/en/latest/faq/syscheck.html#syscheck-not-sending-any-file-data-to-the-server>,
except the OS and version are different there.

To answer the obvious question, we cannot find anything relevant that 
changed around that May 19 time, and for example I have done a find for 
ossec manager config files modified at that time or after - there are none 
(we do occasionally make edits to the configuration obviously).

To my eyes the manager logs do not show any messages related to our problem.

I am at a loss to know where to suggest we turn next in terms of debugging, 
and I would hugely appreciate any advice on where to look next for hints as 
to what our problem might be.

Thank you so much in advance!





