Hi Reggie,

Try updating your OSSEC server to the following version:
http://www.ossec.net/dcid/?p=118

It should fix your problem.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Jan 18, 2008 5:14 PM, Reggie Griffin <[EMAIL PROTECTED]> wrote:
>
> Ok, I got past the rules. I installed a default local_rules.xml file and
> now I see some information into
> "category", "server" and "location". However, "agents", "alerts", and
> "data" are not receiving anything.
>
> New debug logs:
>
> 2008/01/18 15:57:48 ossec-dbd(5203): Error executing query 'INSERT INTO
> data(id, server_id, "user",full_log) VALUES ('1', '1', '(none)', 'ossec:
> Ossec started.') '. Error: 'You have an error in your SQL syntax; check
> the manual that corresponds to your MySQL server version for the right
> syntax to use near '"user",full_log) VALUES ('1', '1', '(none)', 'ossec:
> Ossec started.')' at line 1'.
>
> And also:
>
> 2008/01/18 15:57:48 ossec-dbd(5202): Error connecting to database
> 'x.x.x.x'(ossec): Can't connect to local MySQL server through socket
> '/var/run/mysqld/mysqld.sock' (2).
>
> This looks to be repeated 10 times, as is listed in internal_options.conf.
>
> Still troubleshooting.
>
> -Reggie
>
>
> Reggie Griffin wrote:
> > Hello,
> >
> > I just compiled in support for mysql with OSSEC. For some reason, just
> > after loading all the .xml rules files, OSSEC
> > stops talking to mysql.
> >
> > 2008/01/18 13:30:07 ossec-dbd: Connected to database 'ossec' at 'x.x.x.x'.
> >
> > OSSEC connects just fine.
> >
> > Here is some debug output:
> >
> > 2008/01/18 13:21:52 ossec-dbd: DEBUG: read xml for rule
> > '/rules/local_rules.xml'.
> > 2008/01/18 13:21:52 ossec-dbd: DEBUG: XML Variables applied.
> > 2008/01/18 13:21:52 ossec-dbd: DEBUG: entering _Rules_ReadInsertDB()
> > <--- Above line repeated about 50 times -->
> >
> > The local_rules.xml file is the last file loaded into the database, and
> > after that nothing else gets added and ossec-dbd dies.
> >
> > Here is some mysql debug, if it's helpful.
> >
> > 080118 13:36:47 32 Connect [EMAIL PROTECTED] on
> >                 32 Query SELECT VERSION()
> >                 32 Query SET NAMES utf8
> >                 32 Query SET collation_connection =
> > 'utf8_unicode_ci'
> >                 32 Query SET NAMES utf8
> >                 32 Query SET collation_connection =
> > 'utf8_unicode_ci'
> >                 32 Query SHOW SESSION VARIABLES LIKE
> > 'collation_connection'
> >                 32 Query SHOW SESSION VARIABLES LIKE
> > 'character_set_connection'
> >                 32 Query SHOW CHARACTER SET
> >                 32 Query SHOW COLLATION
> >                 32 Init DB ossec
> >                 32 Query SHOW TABLES LIKE
> > 'signature_category_mapping'
> >                 32 Init DB ossec
> >                 32 Query SHOW TABLE STATUS LIKE
> > 'signature_category_mapping'
> >                 32 Query SHOW INDEX FROM
> > `signature_category_mapping`
> >                 32 Query SHOW FULL FIELDS FROM
> > `signature_category_mapping`
> >                 32 Query SHOW CREATE TABLE
> > `ossec`.`signature_category_mapping`
> >                 32 Query SHOW FULL COLUMNS
> > FROM `ossec`.`signature_category_mapping`
> >                 32 Quit
> > 080118 13:49:50 9 Quit
> >
> > Nothing jumps out at me, but maybe someone on the list might have an
> > idea. I have around 20 hosts logging to OSSEC, a few which are fairly
> > busy due to ftp and http servers.
> >
> > -Reggie
> >
>
> --
> Reggie Griffin
> Deputy Information Technology Security Officer
> Contractor, STG Inc
> NOAA's National Climatic Data Center
> Veach-Baley Federal Building
> 151 Patton Avenue
> Asheville, NC 28801-5001
> Tel: (828) 271-4286
> Fax: (828) 271-4246
> [EMAIL PROTECTED]