here you go, hope it helps.

if you need anything else just ask.

./vcorreia

Meir Michanie wrote:
send as attachment a new alert log so I can parse it and see what's wrong.

On 9/1/06, Vitor Correia <[EMAIL PROTECTED] > wrote:
did what you asked but to no avail :(


Dennis Borkhus-Veto wrote:
Could you change
dbhost=localhost
to the actual IP address, to at least see if that is where it's coming from.
Dennis

-----Original Message-----
From: [email protected] <[email protected]>
To: [email protected] <[email protected]>
Sent: Fri Sep 01 04:23:25 2006
Subject: [ossec-list] OSSEC2MYSQL - Agents being reported as 127.0.0.1

Hello Meir & everyone,

In the past few days I managed to get a working installation of ossec2mysql in a server-client environment and I'm very happy with the outcome of all the testing and debugging done with the precious help of Meir.

Still, one question remains: my agents all show up in the alerts as 127.0.0.1. For debugging purposes I have the email notification on and all shows up well,
i.e. the IPs are being resolved or correctly sent. Meir, I've installed the latest version of ossec-ui dating from 1-Sep-2006 01h10.

I don't know if this helps, but here it goes:

cat /etc/ossec2base.conf

# PARAMS USED BY OSSEC2BASED
dbhost=localhost
database=ossecbase
debug=5
dbport=3306
dbpasswd=<pwd>
dbuser=<user>
fieldseparator=;
daemonize=0
sensor=ossec
interface=daemon

resolve=1

cat /etc/ossec-init.conf

DIRECTORY="/var/ossec"
VERSION="v0.9-1"
DATE="Wed Aug 30 15:16:17 WEST 2006"
TYPE="server"

Thanks,
./vcorreia

Vitor Correia
Systems Administrator
-- 

Mobbit Systems

[EMAIL PROTECTED]
 | Telemóvel: + 351 916 448 025

Avenida do Forte, 8 - 1º Andar - Frente 01 -  2795-503 Carnaxide
Telefone: + 351 21 418 01 40 | Fax:  + 351 21 418 01 41

[EMAIL PROTECTED] | www.mobbit.net

,-O 
O(_)) for a better world
`-O 
Generated by BASE v1.2.6 (christine) on Fri,  1 Sep 2006 16:09:42 +0100

------------------------------------------------------------------------------
#(8 - 1) [0000-00-00 00:00:00] [local/2501] [snort/:2501]  'User authentication 
failure.'
Payload: ** Alert 1157123080.1737037:   nomail
2006 Sep 01 16:04:40 localhost -> (jeremias)
10.0.3.210->/var/log/messages
Rule: 2501 (level 5) -> 'User authentication failure.'
Src IP: (0.0.0.0)
User: (none)
sshd(pam_unix)[22065]: authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=10.0.2.201  user=root
------------------------------------------------------------------------------
#(8 - 2) [0000-00-00 00:00:00] [local/5716] [snort/:5716]  'SSHD authentication 
failed.'
Payload: ** Alert 1157123082.1737324:   nomail
2006 Sep 01 16:04:42 localhost -> (jeremias)
10.0.3.210->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: (10.0.2.201)
User: root
sshd[22065]: Failed password for root from ::ffff:10.0.2.201 port
32924 ssh2
------------------------------------------------------------------------------
#(8 - 3) [0000-00-00 00:00:00] [local/2501] [snort/:2501]  'User authentication 
failure.'
Payload: ** Alert 1157123146.1737582:   nomail
2006 Sep 01 16:05:46 localhost -> (webappserver)
10.0.3.220->/var/log/messages
Rule: 2501 (level 5) -> 'User authentication failure.'
Src IP: (0.0.0.0)
User: (none)
sshd(pam_unix)[22065]: authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=10.0.2.201  user=root 
------------------------------------------------------------------------------
#(8 - 4) [0000-00-00 00:00:00] [local/5716] [snort/:5716]  'SSHD authentication 
failed.'
Payload: ** Alert 1157123146.1737874:   nomail
2006 Sep 01 16:05:46 localhost -> (webappserver)
10.0.3.220->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: (10.0.2.201)
User: root
sshd[22065]: Failed password for root from ::ffff:10.0.2.201 port
32924 ssh2 
------------------------------------------------------------------------------
#(8 - 5) [0000-00-00 00:00:00] [local/5715] [snort/:5715]  'SSHD authentication 
success.'
Payload: ** Alert 1157123314.1738137:   nomail
2006 Sep 01 16:08:34 localhost -> (vitorcorreia)
10.0.3.43->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: (10.0.3.210)
User: root
sshd[20938]: Accepted password for root from 10.0.3.210 port 33214
ssh2


-----------------------------

this has cropped up a lot in /var/log/ossec2based.err

sh: -c: line 0: syntax error near unexpected token `agent1'
sh: -c: line 0: `host (agent1) 10.0.3.152 2>/dev/null | grep 'has address' '
sh: -c: line 0: syntax error near unexpected token `agent2'
sh: -c: line 0: `host (agent2) 10.0.3.46 2>/dev/null | grep 'has address' '
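Two things in the attached output are worth seeing side by side: the BASE payloads carry the real agent name and IP on the header line ("localhost -> (jeremias)" followed by "10.0.3.210->/var/log/messages"), while the ossec2based.err lines show the whole field, parentheses included, being handed to `sh -c` for the `host` lookup. The script below is an added example, not ossec2mysql's or BASE's own code: it splits the payload text into alerts, pulls the agent name and origin address out of the (mail-wrapped) header so the stored sensor address is the agent IP rather than the reporter's "localhost", and builds the lookup as an argv list with the address validated first, so a name like "(agent1)" never reaches a shell. The sample alerts are constructed from the ones quoted above plus one server-local alert I made up; the function and field names are my own.

```python
"""Parse OSSEC alert payloads and derive agent name / IP without shelling out."""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")

# Header line as ossec2base prints it in the BASE payloads above:
#   "<timestamp> localhost -> (agentname) <ip>-><logfile>"   alert relayed from an agent
#   "<timestamp> <hostname>-><logfile>"                       alert raised on the server itself
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?:(?P<reporter>\S+)\s*->\s*)?"        # 'localhost -> ' prefix ossec2base adds
    r"(?:\((?P<agent>[^)]+)\)\s+)?"           # '(agentname)' for agent-originated alerts
    r"(?P<origin>\S+?)->(?P<location>\S+)$"   # where the log line actually came from
)

# Constructed sample: two payloads taken from the thread, one server-local alert made up.
SAMPLE_ALERTS = """\
** Alert 1157123080.1737037:   nomail
2006 Sep 01 16:04:40 localhost -> (jeremias)
10.0.3.210->/var/log/messages
Rule: 2501 (level 5) -> 'User authentication failure.'
Src IP: (0.0.0.0)
User: (none)
sshd(pam_unix)[22065]: authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=10.0.2.201  user=root
** Alert 1157123314.1738137:   nomail
2006 Sep 01 16:08:34 localhost -> (vitorcorreia)
10.0.3.43->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: (10.0.3.210)
User: root
sshd[20938]: Accepted password for root from 10.0.3.210 port 33214
ssh2
** Alert 1157123400.1738500:   nomail
2006 Sep 01 16:10:00 localhost->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Src IP: (0.0.0.0)
User: (none)
kernel: constructed sample line
"""


@dataclass
class Alert:
    alert_id: str
    timestamp: str
    agent: Optional[str]   # agent name, or None for alerts raised on the server itself
    origin: str            # agent IP (or hostname) that produced the log line
    location: str
    rule_id: str
    level: int
    src_ip: Optional[str]  # None when OSSEC printed 0.0.0.0 or no IP
    user: Optional[str]    # None when OSSEC printed (none)

    def sensor_address(self) -> str:
        """Address to store for the alert: the origin, never the 'localhost' reporter."""
        return self.origin


def _split_blocks(text: str) -> List[List[str]]:
    """Group payload lines into one list per '** Alert' block."""
    blocks: List[List[str]] = []
    for line in text.splitlines():
        if line.startswith("** Alert"):
            blocks.append([line])
        elif blocks:
            blocks[-1].append(line)
    return blocks


def parse_alerts(text: str) -> List[Alert]:
    alerts = []
    for lines in _split_blocks(text):
        alert_id = lines[0].split()[2].rstrip(":")
        # The mail wrapped the header; glue lines back until it ends in '-><path>'.
        header, rest = lines[1], lines[2:]
        while rest and not re.search(r"\S+->\S+$", header):
            header = header + " " + rest.pop(0).strip()
        m = HEADER_RE.match(header)
        if not m:
            raise ValueError(f"unrecognised alert header: {header!r}")
        body = "\n".join(rest)
        rule = re.search(r"^Rule: (\d+) \(level (\d+)\)", body, re.M)
        src = re.search(r"^Src IP: \(?([^)\n]*)\)?$", body, re.M)
        user = re.search(r"^User: \(?([^)\n]*)\)?$", body, re.M)
        src_val = src.group(1) if src else ""
        src_ip = src_val if IPV4_RE.fullmatch(src_val) and src_val != "0.0.0.0" else None
        user_val = None if user is None or user.group(1) == "none" else user.group(1)
        alerts.append(Alert(alert_id, m["ts"], m["agent"], m["origin"], m["location"],
                            rule.group(1), int(rule.group(2)), src_ip, user_val))
    return alerts


def lookup_argv(address: str) -> List[str]:
    """argv for a `host` lookup of the address alone. Executed without a shell, so a field
    such as '(agent1) 10.0.3.152' can never be handed to sh -c as in ossec2based.err."""
    if not IPV4_RE.fullmatch(address):
        raise ValueError(f"refusing to resolve non-IPv4 token {address!r}")
    return ["host", address]


def resolve(address: str, run: bool = False) -> Optional[str]:
    """Reverse-resolve with `host`; only runs when run=True so the example stays offline."""
    if not run:
        return None
    out = subprocess.run(lookup_argv(address), capture_output=True, text=True, timeout=5).stdout
    m = re.search(r"domain name pointer (\S+?)\.?$", out, re.M)
    return m.group(1) if m else None


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(a.alert_id, a.agent or "<server>", a.sensor_address(), a.rule_id, a.level, a.src_ip, a.user)
```

Run it as-is and each alert prints with the agent IP (10.0.3.210, 10.0.3.43) as its sensor address rather than the reporter's "localhost"; the third, server-local alert keeps "localhost" as origin because there is no agent field. Passing the raw header field to `lookup_argv` raises instead of producing a broken shell command.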