Re: [ossec-list] Re: reportd not sending any email
Try this patch from here: https://bitbucket.org/dcid/ossec-hids/commits/eb98bdae15cec6ccf04190d0badbd3b0de6f84b7 as it may fix the problem.

thanks,

On Mon, Apr 18, 2016 at 7:16 PM, theresa mic-snare wrote:
> will need to take a proper look at what's causing those segfaults
> tomorrow...
>
> On Tuesday, 19 April 2016 00:11:45 UTC+2, theresa mic-snare wrote:
>>
>> oh no!!
>> OSSEC segfaulted
>>
>> 2016-04-19T00:01:58.311800+02:00 tron kernel: ossec-monitord[20021]: segfault at 1a ip 7f68290ab8b5 sp 7fff84248bc0 error 4 in libc-2.12.so[7f6829008000+18a000]
>>
>> since this was 1 minute after midnight I suspect reportd causes this
>>
>> this is what the OSSEC log has to say:
>>
>> 2016/04/19 00:01:53 ossec-monitord: INFO: Starting daily reporting for 'OSSEC: Authentication Report'
>> 2016/04/19 00:01:58 ossec-monitord: INFO: Report 'OSSEC: Authentication Report' completed. Creating output...
>> 2016/04/19 00:02:13 ossec-monitord: INFO: Starting daily reporting for 'Daily report: File changes'
>> 2016/04/19 00:02:18 ossec-monitord: INFO: Report 'Daily report: File changes' completed. Creating output...
>>
>> a few seconds later another segfault
>>
>> 2016-04-19T00:02:18.278790+02:00 tron kernel: ossec-monitord[20062]: segfault at 1a ip 7f68290ab8b5 sp 7fff84248bc0 error 4 in libc-2.12.so[7f6829008000+18a000]
>>
>> Hmm... :(
>>
>> On Monday, 18 April 2016 17:37:48 UTC+2, dan (ddpbsd) wrote:
>>>
>>> On Mon, Apr 18, 2016 at 11:34 AM, theresa mic-snare wrote:
>>> > Awesome, thanks for the tip Dan!
>>> > I will look for it tonight, if it actually works and does send a report,
>>> > then I will send a PR with a disclaimer on the documentation page, because
>>> > it isn't mentioned there yet.
>>> >
>>>
>>> Much appreciated!
>>>
>>> > I have also looked at the code to see if I could find any indicator when the
>>> > email would be sent...but alas, I haven't found anything there either.
>>> >
>>>
>>> My bad memory is telling me monitord is the place to look.
>>>
>>> >
>>> > On Monday, 18 April 2016 17:24:37 UTC+2, theresa mic-snare wrote:
>>> >>
>>> >> Hi all,
>>> >>
>>> >> I've configured reportd to send reports on syscheck and successful
>>> >> authentication
>>> >>
>>> >>     authentication_success
>>> >>     OSSEC: Authentication Report
>>> >>     1...@456.com
>>> >>     yes
>>> >>
>>> >>     syscheck
>>> >>     Daily report: File changes
>>> >>     1...@456.com
>>> >>
>>> >> However, I can run those reports fine in the terminal, but it doesn't send
>>> >> any reports through email.
>>> >>
>>> >> Yes: I have checked that ossec-maild is running, it is, I swear!
>>> >> Yes: I have checked the spam/junk folder in my inbox as well, I swear!
>>> >>
>>> >> When I run reportd manually it displays the report just fine and even
>>> >> in the logs it says
>>> >>
>>> >> 2016/04/18 17:13:49 ossec-reportd: INFO: Report completed. Creating output...
>>> >>
>>> >> I'd expect it at least to say this after I restart OSSEC as well?
>>> >>
>>> >> When does ossec-reportd run or does it have to be started through a cronjob?
>>> >> Does the mailing of reports work for you?
>>> >>
>>> >> best,
>>> >> theresa
-- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Re: reportd not sending any email
will need to take a proper look at what's causing those segfaults tomorrow...

On Tuesday, 19 April 2016 00:11:45 UTC+2, theresa mic-snare wrote:
>
> oh no!!
> OSSEC segfaulted
>
> 2016-04-19T00:01:58.311800+02:00 tron kernel: ossec-monitord[20021]: segfault at 1a ip 7f68290ab8b5 sp 7fff84248bc0 error 4 in libc-2.12.so[7f6829008000+18a000]
>
> since this was 1 minute after midnight I suspect reportd causes this
>
> this is what the OSSEC log has to say:
>
> 2016/04/19 00:01:53 ossec-monitord: INFO: Starting daily reporting for 'OSSEC: Authentication Report'
> 2016/04/19 00:01:58 ossec-monitord: INFO: Report 'OSSEC: Authentication Report' completed. Creating output...
> 2016/04/19 00:02:13 ossec-monitord: INFO: Starting daily reporting for 'Daily report: File changes'
> 2016/04/19 00:02:18 ossec-monitord: INFO: Report 'Daily report: File changes' completed. Creating output...
>
> a few seconds later another segfault
>
> 2016-04-19T00:02:18.278790+02:00 tron kernel: ossec-monitord[20062]: segfault at 1a ip 7f68290ab8b5 sp 7fff84248bc0 error 4 in libc-2.12.so[7f6829008000+18a000]
>
> Hmm... :(
>
> On Monday, 18 April 2016 17:37:48 UTC+2, dan (ddpbsd) wrote:
>>
>> On Mon, Apr 18, 2016 at 11:34 AM, theresa mic-snare wrote:
>> > Awesome, thanks for the tip Dan!
>> > I will look for it tonight, if it actually works and does send a report,
>> > then I will send a PR with a disclaimer on the documentation page, because
>> > it isn't mentioned there yet.
>> >
>>
>> Much appreciated!
>>
>> > I have also looked at the code to see if I could find any indicator when the
>> > email would be sent...but alas, I haven't found anything there either.
>> >
>>
>> My bad memory is telling me monitord is the place to look.
>>
>> >
>> > On Monday, 18 April 2016 17:24:37 UTC+2, theresa mic-snare wrote:
>> >>
>> >> Hi all,
>> >>
>> >> I've configured reportd to send reports on syscheck and successful
>> >> authentication
>> >>
>> >>     authentication_success
>> >>     OSSEC: Authentication Report
>> >>     1...@456.com
>> >>     yes
>> >>
>> >>     syscheck
>> >>     Daily report: File changes
>> >>     1...@456.com
>> >>
>> >> However, I can run those reports fine in the terminal, but it doesn't send
>> >> any reports through email.
>> >>
>> >> Yes: I have checked that ossec-maild is running, it is, I swear!
>> >> Yes: I have checked the spam/junk folder in my inbox as well, I swear!
>> >>
>> >> When I run reportd manually it displays the report just fine and even
>> >> in the logs it says
>> >>
>> >> 2016/04/18 17:13:49 ossec-reportd: INFO: Report completed. Creating output...
>> >>
>> >> I'd expect it at least to say this after I restart OSSEC as well?
>> >>
>> >> When does ossec-reportd run or does it have to be started through a cronjob?
>> >> Does the mailing of reports work for you?
>> >>
>> >> best,
>> >> theresa
Re: [ossec-list] Re: reportd not sending any email
oh no!!
OSSEC segfaulted

2016-04-19T00:01:58.311800+02:00 tron kernel: ossec-monitord[20021]: segfault at 1a ip 7f68290ab8b5 sp 7fff84248bc0 error 4 in libc-2.12.so[7f6829008000+18a000]

since this was 1 minute after midnight I suspect reportd causes this

this is what the OSSEC log has to say:

2016/04/19 00:01:53 ossec-monitord: INFO: Starting daily reporting for 'OSSEC: Authentication Report'
2016/04/19 00:01:58 ossec-monitord: INFO: Report 'OSSEC: Authentication Report' completed. Creating output...
2016/04/19 00:02:13 ossec-monitord: INFO: Starting daily reporting for 'Daily report: File changes'
2016/04/19 00:02:18 ossec-monitord: INFO: Report 'Daily report: File changes' completed. Creating output...

a few seconds later another segfault

2016-04-19T00:02:18.278790+02:00 tron kernel: ossec-monitord[20062]: segfault at 1a ip 7f68290ab8b5 sp 7fff84248bc0 error 4 in libc-2.12.so[7f6829008000+18a000]

Hmm... :(

On Monday, 18 April 2016 17:37:48 UTC+2, dan (ddpbsd) wrote:
>
> On Mon, Apr 18, 2016 at 11:34 AM, theresa mic-snare wrote:
> > Awesome, thanks for the tip Dan!
> > I will look for it tonight, if it actually works and does send a report,
> > then I will send a PR with a disclaimer on the documentation page, because
> > it isn't mentioned there yet.
> >
>
> Much appreciated!
>
> > I have also looked at the code to see if I could find any indicator when the
> > email would be sent...but alas, I haven't found anything there either.
> >
>
> My bad memory is telling me monitord is the place to look.
>
> >
> > On Monday, 18 April 2016 17:24:37 UTC+2, theresa mic-snare wrote:
> >>
> >> Hi all,
> >>
> >> I've configured reportd to send reports on syscheck and successful
> >> authentication
> >>
> >>     authentication_success
> >>     OSSEC: Authentication Report
> >>     1...@456.com
> >>     yes
> >>
> >>     syscheck
> >>     Daily report: File changes
> >>     1...@456.com
> >>
> >> However, I can run those reports fine in the terminal, but it doesn't send
> >> any reports through email.
> >>
> >> Yes: I have checked that ossec-maild is running, it is, I swear!
> >> Yes: I have checked the spam/junk folder in my inbox as well, I swear!
> >>
> >> When I run reportd manually it displays the report just fine and even
> >> in the logs it says
> >>
> >> 2016/04/18 17:13:49 ossec-reportd: INFO: Report completed. Creating output...
> >>
> >> I'd expect it at least to say this after I restart OSSEC as well?
> >>
> >> When does ossec-reportd run or does it have to be started through a cronjob?
> >> Does the mailing of reports work for you?
> >>
> >> best,
> >> theresa
Re: [ossec-list] Rule 1002 continues to fire after creating local overwriting rule
This is the first rule I have attempted since inheriting the system/platform.

> It is worth noting however that the "no_email_alert" is
> redundant in this case, because the rule level is set to zero.

Yea, I was grasping at straws here.

On Monday, April 18, 2016 at 12:05:54 PM UTC-4, LostInThe Tubez wrote:
>
> Your rule triggers for me when I test it (on v2.8.3), so the problem is
> likely not with your rule. It is worth noting however that the
> "no_email_alert" is redundant in this case, because the
> rule level is set to zero.
>
> What is the output of ossec-logtest, using the line from your sample
> alert? No errors in your ossec.log on the server? Are other rules in your
> local_rules.xml working?
>
> *From:* ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] *On Behalf Of *James Stallings
> *Sent:* Saturday, April 16, 2016 3:42 PM
> *To:* ossec-list
> *Subject:* [ossec-list] Rule 1002 continues to fire after creating local overwriting rule
>
> I'm trying to ignore an NRPE ssl handshake alert while I wait for the
> responsible team to resolve it.
>
> Here is a sample alert:
>
> OSSEC HIDS Notification.
> 2016 Apr 16 18:06:17
> Received From: (some_host) some_ip->/var/log/messages
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
> Apr 16 18:06:16 some_host nrpe[12791]: Error: Could not complete SSL handshake. 5
>
> --END OF NOTIFICATION
>
> Here is the rule I have created in my local_rules.xml config.
>
>     1002
>     nrpe
>     no_email_alert
>     Could not complete SSL handshake
>     Ignore nrpe ssl handshake errors
>
> This still does not seem to be working. I've tried altering the rule by
> dropping program name and options. I've restarted the OSSEC daemon on the
> server after every change.
>
> Could anyone point me in the right direction?
Re: [ossec-list] RootCheck disabling
Interesting... that should be the only config that you need to update in order to disable the root check. I tried it in my lab and it disabled properly as well.

On Sunday, April 17, 2016 at 4:56:15 AM UTC-4, eyal gershon wrote:
>
> I checked again the logs -
>
> 2016/04/16 18:37:27 ossec-rootcheck: INFO: Starting rootcheck scan.
> 2016/04/16 18:37:27 ossec-rootcheck: No rootcheck_files file configured.
> 2016/04/16 18:37:27 ossec-rootcheck: No rootcheck_trojans file configured.
> 2016/04/16 18:45:52 ossec-rootcheck: INFO: Ending rootcheck scan.
>
> The log says the check did run,
> Is there another configuration file I might be missing?
>
> On Friday, April 15, 2016 at 3:08:23 PM UTC+3, Pedro S wrote:
>>
>> I have reproduced your configuration on my labs, rootcheck is not
>> starting again. Could you re-verify that agent.conf file is right on your
>> agent?
>>
>> On Thursday, April 14, 2016 at 2:38:47 PM UTC+2, eyal gershon wrote:
>>>
>>> 2016/04/14 06:03:17 ossec-rootcheck: INFO: Started (pid: 30101).
>>> 2016/04/14 06:06:05 ossec-rootcheck: INFO: Starting rootcheck scan.
>>> 2016/04/14 06:06:05 ossec-rootcheck: No rootcheck_files file configured.
>>> 2016/04/14 06:06:05 ossec-rootcheck: No rootcheck_trojans file configured.
>>> 2016/04/14 06:17:38 ossec-rootcheck: INFO: Ending rootcheck scan.
>>>
>>> The start of the scan is right after the ossec-hids restart from the original post
>>>
>>> On Thursday, April 14, 2016 at 2:57:36 PM UTC+3, dan (ddpbsd) wrote:
>>>>
>>>> On Thu, Apr 14, 2016 at 6:27 AM, eyal gershon wrote:
>>>> > Hey,
>>>> >
>>>> > I tried to disable the rootcheck on one of the servers.
>>>> > I have added the following line to the agent.conf file -
>>>> >
>>>> >     yes
>>>> >
>>>> > and after I restart the service I get the following output -
>>>> > Starting ossec-hids: 2016/04/14 06:16:27 ossec-rootcheck: Rootcheck disabled. Exiting.
>>>> > ossec-syscheckd: WARN: Rootcheck module disabled.
>>>> >
>>>> > and a few min later I see in the logs that the rootcheck is running again.
>>>> > Does anyone have an idea what I missed?
>>>>
>>>> Which log messages are you seeing specifically?
Re: [ossec-list] Rule 1002 continues to fire after creating local overwriting rule
Your rule seems to work well. Could you paste here the output of logtest?

On Monday, April 18, 2016 at 6:05:54 PM UTC+2, LostInThe Tubez wrote:
>
> Your rule triggers for me when I test it (on v2.8.3), so the problem is
> likely not with your rule. It is worth noting however that the
> "no_email_alert" is redundant in this case, because the
> rule level is set to zero.
>
> What is the output of ossec-logtest, using the line from your sample
> alert? No errors in your ossec.log on the server? Are other rules in your
> local_rules.xml working?
>
> *From:* ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] *On Behalf Of *James Stallings
> *Sent:* Saturday, April 16, 2016 3:42 PM
> *To:* ossec-list
> *Subject:* [ossec-list] Rule 1002 continues to fire after creating local overwriting rule
>
> I'm trying to ignore an NRPE ssl handshake alert while I wait for the
> responsible team to resolve it.
>
> Here is a sample alert:
>
> OSSEC HIDS Notification.
> 2016 Apr 16 18:06:17
> Received From: (some_host) some_ip->/var/log/messages
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
> Apr 16 18:06:16 some_host nrpe[12791]: Error: Could not complete SSL handshake. 5
>
> --END OF NOTIFICATION
>
> Here is the rule I have created in my local_rules.xml config.
>
>     1002
>     nrpe
>     no_email_alert
>     Could not complete SSL handshake
>     Ignore nrpe ssl handshake errors
>
> This still does not seem to be working. I've tried altering the rule by
> dropping program name and options. I've restarted the OSSEC daemon on the
> server after every change.
>
> Could anyone point me in the right direction?
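As an added example, not code from the thread or from OSSEC itself: a small Python re-implementation of the three checks the posted local rule applies (if_sid, program_name, match) run over the sample log line from the alert, so you can predict what ossec-logtest should report before pasting its output to the list. The rule id 100100 and the XML tag names wrapped around the posted values are assumptions, since the archive stripped the tags.

```python
import re
import xml.etree.ElementTree as ET

# Rule rebuilt from the values posted in the thread; the rule id 100100 and the
# tag names around those values are assumptions (the tags were lost in the archive).
LOCAL_RULE_XML = """
<group name="local,">
  <rule id="100100" level="0">
    <if_sid>1002</if_sid>
    <program_name>nrpe</program_name>
    <options>no_email_alert</options>
    <match>Could not complete SSL handshake</match>
    <description>Ignore nrpe ssl handshake errors</description>
  </rule>
</group>
"""
# Log line taken from the sample alert in the thread; rule 1002 fired on it at level 2.
SAMPLE_LINE = "Apr 16 18:06:16 some_host nrpe[12791]: Error: Could not complete SSL handshake. 5"
# BSD syslog header: timestamp, hostname, program[pid]: message
SYSLOG_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) "
                       r"(?P<prog>[^\s\[:]+)(\[\d+\])?: (?P<msg>.*)$")

def decode_syslog(line):
    """Extract what OSSEC's syslog decoder would: hostname, program_name and the message."""
    m = SYSLOG_RE.match(line)
    return m and {"hostname": m.group("host"), "program_name": m.group("prog"), "log": m.group("msg")}

def load_rules(xml_text):
    """Pick the rule fields this checker understands out of a local_rules.xml fragment."""
    rules = []
    for r in ET.fromstring(xml_text.strip()).iter("rule"):
        sids = (r.findtext("if_sid") or "").split(",")
        rules.append({"id": int(r.get("id")), "level": int(r.get("level")),
                      "if_sid": [int(s) for s in sids if s.strip()],
                      "program_name": r.findtext("program_name"), "match": r.findtext("match")})
    return rules

def rule_fires(rule, decoded, parent_sid):
    """if_sid names the parent, program_name equals the decoded program, <match> is a substring."""
    if rule["if_sid"] and parent_sid not in rule["if_sid"]:
        return False
    if rule["program_name"] and rule["program_name"] != decoded["program_name"]:
        return False
    return not rule["match"] or rule["match"] in decoded["log"]

def evaluate(line, xml_text=LOCAL_RULE_XML, parent=(1002, 2)):
    """For a line the parent rule already matched, return the (id, level) of the
    first child rule that fires, else the parent's own (id, level)."""
    decoded = decode_syslog(line)
    if decoded is None:
        return None
    for rule in load_rules(xml_text):
        if rule_fires(rule, decoded, parent[0]):
            return (rule["id"], rule["level"])
    return parent
```

If this returns the child rule for the sample line but ossec-logtest on the server still reports 1002, the rule text itself is not the problem, which is what the replies above are trying to establish.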