Hello,
I am using the stable version (0.9.1), but it's not a plain vanilla
installation; I upgraded my old 0.9 installation to the latest version.
I reckon that with all the upgrading, testing and whatnot that we went
through something got really messed up.
So my plans are as follows: in a day or two I'll have enough time for a
new testbed using the latest versions available. Then I'll report back
sharing my experiences, which will hopefully be of good use.
It would be awesome if the installation procedure for ossec2mysql could
be updated (maybe including known caveats). For instance, I had to
download snort, extract the proper .sql file and import it to my
database. Sure it worked okay(ish), but it would be nice to know how
it's done from someone who really knows what they're doing (",)
Take care and thanks again.
./vcorreia out...
Meir Michanie wrote:
Your logs are different from mine:
** Alert 1157127980.998365:
2006 Sep 01 19:26:20 topgun->/var/log/auth.log
Rule: 5704 (level 4) -> 'Timeout while logging in (sshd).'
Src IP: (none)
User: (none)
sshd[18431]: fatal: Timeout before authentication for 61.142.66.58
** Alert 1157128230.998595:
2006 Sep 01 19:30:30 topgun->/var/log/auth.log
Rule: 2501 (level 5) -> 'User authentication failure.'
Src IP: (none)
User: (none)
sudo: (pam_unix) authentication failure; logname= uid=0 euid=0
tty=pts/4 ruser= rhost= user=meirm
** Alert 1157128236.998853:
2006 Sep 01 19:30:36 topgun->/var/log/auth.log
Rule: 5303 (level 3) -> 'User sucessfully changed UID to root'
Src IP: (none)
User: (none)
su[19033]: (pam_unix) session opened for user root by (uid=0)
** Alert 1157128238.999082:
2006 Sep 01 19:30:38 topgun->/var/log/auth.log
Rule: 5303 (level 3) -> 'User sucessfully changed UID to root'
Src IP: (none)
User: (none)
su[19058]: (pam_unix) session opened for user root by (uid=0)
** Alert 1157128238.999311:
2006 Sep 01 19:30:38 topgun->/var/log/secure
Rule: 5303 (level 3) -> 'User sucessfully changed UID to root'
Src IP: (none)
User: (none)
su[19058]: (pam_unix) session opened for user root by (uid=0)
** Alert 1157128268.999538:
2006 Sep 01 19:31:08 topgun->/var/log/auth.log
Rule: 5303 (level 3) -> 'User sucessfully changed UID to root'
Src IP: (none)
User: (none)
su[19145]: (pam_unix) session opened for user root by (uid=0)
I am using the server without agents, and other servers send their
logs through syslog to the central syslog where ossec is running.
I have similar logs from two other servers in remote locations.
I am using a regex to extract the alert host by parsing the line that
starts with the date. In your sample they all seem to come from
localhost:
2006 Sep 01 16:05:46 localhost -> (webappserver)
2006 Sep 01 16:08:34 localhost -> (vitorcorreia)
In my case, after the arrow I have the logfile where the event was
learned from. In your case it is ???. I guess that the equivalent to mine
is the line you have starting with the IP pointing to the logfile.
From what I see you are running a CVS version of ossec that is not
stable yet.
You should instead be using the latest ossec snapshot from www.ossec.net;
I think it is 20060820
or 9.1.
You should still use my latest CVS snapshot for the UI.
There are a lot of changes since the last release and stable snapshot.
As we work on different parts of the project, the latest CVS status may
be broken, like in this case between ossec-hids and ossec-ui. Daniel Cid is
doing the major changes in ossec-hids. We discussed them and we are
supposed to merge and fix our interfaces.
I will try to schedule with Daniel to work on the integration of our
latest changes during the following week. If you are interested in the
development of ossec, continue from where you are and help us coding. If
you mean to use ossec on a production server you should stick to the
stable versions of ossec-hids and ossec-ui.
On 9/1/06, Vitor Correia <[EMAIL PROTECTED]> wrote:
here you go, hope it helps.
if you need anything else just ask.
./vcorreia
Meir Michanie wrote:
send as attachment a new alert log so I can parse it and
see what's wrong.
On 9/1/06, Vitor Correia <[EMAIL PROTECTED]> wrote:
Did what you asked but to no avail :(
Dennis Borkhus-Veto wrote:
Could you change
dbhost=localhost
to the actual IP address, to at least see if that is where it's coming from.
Dennis
-----Original Message-----
From:
[email protected] <[email protected]>
To: [email protected]
<[email protected]>
Sent: Fri Sep 01 04:23:25 2006
Subject: [ossec-list] OSSEC2MYSQL - Agents being reported as 127.0.0.1
Hello Meir & everyone,
In the past few days I managed to get a working installation of ossec2mysql in a server-client environment and I'm very happy with the outcome of all the testing and debugging done with the precious help of Meir.
Still, one question remains: my agents all show up in the alerts as 127.0.0.1. For debugging purposes I have the email notification on and all shows up well,
i.e. the IPs are being resolved or correctly sent. Meir, I've installed the latest version of ossec-ui dating from 1-Sep-2006 01h10.
I don't know if this helps, but here it goes:
cat /etc/ossec2base.conf
# PARAMS USED BY OSSEC2BASED
dbhost=localhost
database=ossecbase
debug=5
dbport=3306
dbpasswd=<pwd>
dbuser=<user>
fieldseparator=;
daemonize=0
sensor=ossec
interface=daemon
resolve=1
cat /etc/ossec-init.conf
DIRECTORY="/var/ossec"
VERSION="v0.9-1"
DATE="Wed Aug 30 15:16:17 WEST 2006"
TYPE="server"
Thanks,
./vcorreia
Vitor Correia
Systems Administrator
--
Mobbit Systems
[EMAIL PROTECTED]
| Telemóvel: + 351 916 448 025
Avenida do Forte, 8 - 1º Andar - Frente 01 - 2795-503 Carnaxide
Telefone: + 351 21 418 01 40 | Fax: + 351 21 418 01 41
[EMAIL PROTECTED] | www.mobbit.net
,-O
O(_)) for a better world
`-O
Generated by BASE v1.2.6 (christine) on Fri, 1 Sep 2006 16:09:42 +0100
------------------------------------------------------------------------------
#(8 - 1) [0000-00-00 00:00:00] [local/2501] [snort/:2501] 'User authentication failure.'
Payload: ** Alert 1157123080.1737037: nomail
2006 Sep 01 16:04:40 localhost -> (jeremias)
10.0.3.210->/var/log/messages
Rule: 2501 (level 5) -> 'User authentication failure.'
Src IP: (0.0.0.0)
User: (none)
sshd(pam_unix)[22065]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.201 user=root
------------------------------------------------------------------------------
#(8 - 2) [0000-00-00 00:00:00] [local/5716] [snort/:5716] 'SSHD authentication failed.'
Payload: ** Alert 1157123082.1737324: nomail
2006 Sep 01 16:04:42 localhost -> (jeremias)
10.0.3.210->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: (10.0.2.201)
User: root
sshd[22065]: Failed password for root from ::ffff:10.0.2.201 port 32924 ssh2
------------------------------------------------------------------------------
#(8 - 3) [0000-00-00 00:00:00] [local/2501] [snort/:2501] 'User authentication failure.'
Payload: ** Alert 1157123146.1737582: nomail
2006 Sep 01 16:05:46 localhost -> (webappserver)
10.0.3.220->/var/log/messages
Rule: 2501 (level 5) -> 'User authentication failure.'
Src IP: (0.0.0.0)
User: (none)
sshd(pam_unix)[22065]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.201 user=root
------------------------------------------------------------------------------
#(8 - 4) [0000-00-00 00:00:00] [local/5716] [snort/:5716] 'SSHD authentication failed.'
Payload: ** Alert 1157123146.1737874: nomail
2006 Sep 01 16:05:46 localhost -> (webappserver)
10.0.3.220->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: (10.0.2.201)
User: root
sshd[22065]: Failed password for root from ::ffff:10.0.2.201 port 32924 ssh2
------------------------------------------------------------------------------
#(8 - 5) [0000-00-00 00:00:00] [local/5715] [snort/:5715] 'SSHD authentication success.'
Payload: ** Alert 1157123314.1738137: nomail
2006 Sep 01 16:08:34 localhost -> (vitorcorreia)
10.0.3.43->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: (10.0.3.210)
User: root
sshd[20938]: Accepted password for root from 10.0.3.210 port 33214 ssh2
-----------------------------
This has cropped up a lot in /var/log/ossec2based.err:
sh: -c: line 0: syntax error near unexpected token `agent1'
sh: -c: line 0: `host (agent1) 10.0.3.152 2>/dev/null | grep 'has address' '
sh: -c: line 0: syntax error near unexpected token `agent2'
sh: -c: line 0: `host (agent2) 10.0.3.46 2>/dev/null | grep 'has address' '
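Added example, not code from this thread nor from ossec2mysql or ossec-ui: a Python parser for the two alert-header forms discussed above (the old "host->logfile" line and the newer "(agent)" line followed by "ip->logfile", whether wrapped onto a second line or not), plus a reverse-lookup helper that validates the address before resolving it instead of building a "host ... | grep" shell command line, which is what produced the "sh: -c" syntax errors quoted above. The sample alerts are constructed from lines quoted in the thread; the function names are my own.

```python
import ipaddress
import re
import socket

# Constructed sample: old "host->logfile" header and the newer wrapped "(agent)" header.
SAMPLE = """** Alert 1157127980.998365:
2006 Sep 01 19:26:20 topgun->/var/log/auth.log
Rule: 5704 (level 4) -> 'Timeout while logging in (sshd).'
** Alert 1157123146.1737874: nomail
2006 Sep 01 16:05:46 localhost -> (webappserver)
10.0.3.220->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
"""
HEADER_RE = re.compile(r"^\*\* Alert (\d+\.\d+):")
DATE_RE = re.compile(r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (.+)$")
AGENT_RE = re.compile(r"^(?:localhost -> )?\((\S+)\)\s*(.*)$")
LOC_RE = re.compile(r"^(\S+?)->(\S+)$")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")

def parse_alerts(text):
    text = re.sub(r"\)\n(?=\S+->\S)", ") ", text)  # rejoin "(agent)\nip->logfile"
    alerts, cur = [], None
    for line in text.splitlines():
        if HEADER_RE.match(line):
            cur = {"id": HEADER_RE.match(line)[1], "agent": None, "host": None}
            alerts.append(cur)
        elif cur is None:
            continue
        elif DATE_RE.match(line):
            cur["time"], rest = DATE_RE.match(line).groups()
            a = AGENT_RE.match(rest)
            if a:  # newer form: agent name in parentheses, then "ip->logfile"
                cur["agent"], rest = a.groups()
            loc = LOC_RE.match(rest)
            if loc:  # old form: "host->logfile" straight after the timestamp
                cur["host"], cur["logfile"] = loc.groups()
        elif RULE_RE.match(line):
            r = RULE_RE.match(line)
            cur["rule"], cur["level"], cur["desc"] = int(r[1]), int(r[2]), r[3]
    return alerts

def resolve_host(ip):
    try:  # validate first: "(agent1) 10.0.3.152" is rejected, never handed to sh -c
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    try:
        return socket.gethostbyaddr(str(addr))[0]
    except OSError:
        return str(addr)
```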