and the beat goes on...

Some report correctly, others don't; I'm closer, but still not there:


This error occurred @ 'machinename'; on one hand it says it's 10.0.3.210, but when reporting the src IP it fails....

Getting closer... I am....

Hope this saga is helping someone; feedback is welcome :)


./vcorreia

** Alert 1157998045.26066:	 mail 
2006 Sep 11 19:07:25 (machinename) 10.0.3.210 -> /var/log/messages
Rule: 1002 (level 7) -> 'Unknown problem somewhere in the system.'
Src IP: (0.0.0.0)
User: (none)
ntop[3838]:   **ERROR** EPIPE during sending of page to web client
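
An added example (not code from this thread, from OSSEC or from ossec2base): a small Python parser for alert blocks in the shape quoted above, which keeps the agent's own address from the header separate from the Src IP the decoder extracted, treats 0.0.0.0 as "nothing extracted" rather than a real address, and strips the ::ffff: IPv4-mapped prefix seen in the sshd lines. The two sample alerts are constructed from the ones in this thread, with email line wrapping undone.

```python
import re

# Constructed sample in the shape of the alerts quoted in this thread (email wrapping undone).
SAMPLE_ALERTS = """\
** Alert 1157998045.26066: mail
2006 Sep 11 19:07:25 (machinename) 10.0.3.210 -> /var/log/messages
Rule: 1002 (level 7) -> 'Unknown problem somewhere in the system.'
Src IP: (0.0.0.0)
User: (none)
ntop[3838]:   **ERROR** EPIPE during sending of page to web client

** Alert 1157990885.9290: nomail
2006 Sep 11 17:08:05 webappserver -> /var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: (10.0.3.150)
User: root
sshd[27483]: Accepted password for root from ::ffff:10.0.3.150 port 36848 ssh2
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+):\s*(?P<flags>\S+)")
# Origin line: "(agent) agent_ip -> location" from a remote agent, "hostname -> location" for the server itself.
ORIGIN_RE = re.compile(r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
                       r"(?:\((?P<agent>[^)]+)\) (?P<agent_ip>\S+)|(?P<host>\S+)) -> (?P<loc>\S+)$")
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
FIELD_RE = re.compile(r"^(Src IP|User): \(?(?P<val>[^)]*)\)?$")

def clean_ip(value):
    """Strip the IPv4-mapped IPv6 prefix and turn OSSEC's 'not extracted' placeholders into None."""
    value = (value or "").strip()
    value = value[len("::ffff:"):] if value.startswith("::ffff:") else value
    return None if value in ("", "0.0.0.0", "none") else value

def parse_alert(block):
    lines = block.strip().splitlines()
    head, origin, rule = HEADER_RE.match(lines[0]), ORIGIN_RE.match(lines[1]), RULE_RE.match(lines[2])
    if not (head and origin and rule):
        raise ValueError("not an OSSEC alert block: %r" % lines[:3])
    fields = {m[1]: m["val"] for m in map(FIELD_RE.match, lines[3:5]) if m}
    alert = {"id": head["id"], "mail": head["flags"] == "mail", "timestamp": origin["ts"],
             "agent": origin["agent"] or origin["host"], "agent_ip": clean_ip(origin["agent_ip"]),
             "location": origin["loc"], "rule": int(rule["rule"]), "level": int(rule["level"]),
             "description": rule["desc"], "src_ip": clean_ip(fields.get("Src IP")),
             "user": None if fields.get("User", "none") == "none" else fields["User"],
             "log": "\n".join(lines[5:])}
    # 0.0.0.0 means the rule's decoder extracted no srcip; the agent's own address is still known.
    alert["reporting_ip"] = alert["src_ip"] or alert["agent_ip"]
    return alert

def parse_alerts(text):
    return [parse_alert(b) for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]
```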



Vitor Correia wrote:
From the same agent: some alerts are properly reported (i.e., they show the IP) and others aren't.

For instance:

** Alert 1157992054.10299:	 mail 
2006 Sep 11 17:27:34 (client1) 10.0.3.150 -> syscheck
Rule: 13 (level 8) -> 'Integrity checksum of file '/etc/syslog.conf' has changed.'
Src IP: (0.0.0.0)
User: (none)
New sha1sum is : '9e5218689284ff0e118e394623130b9ac708df72'

- notice the src IP

Another (now working) example:

** Alert 1157990885.9290:	nomail
2006 Sep 11 17:08:05 webappserver -> /var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: (10.0.3.150)
User: root
sshd[27483]: Accepted password for root from ::ffff:10.0.3.150 port 36848 ssh2


I'm noticing something: the alerts which say 'nomail' tend to report the IP correctly, while the ones that say 'mail' don't.
I had email notification enabled for debugging purposes, as well as receiving ossec2base reports, but I disabled it just to see if anything changes.

./vcorreia

Dennis Borkhus-Veto wrote:

Mine was in /etc/syslog-ng

Here is a source I am using to get mine working the way I want.

 

http://www.campin.net/syslog-ng/faq.html

 

They have a couple of different examples.

Dennis


From: [email protected] [mailto:[email protected]] On Behalf Of Vitor Correia
Sent: Monday, September 11, 2006 10:15 AM
To: [email protected]
Subject: [ossec-list] Re: ip being reported as 0.0.0.0 & timestamp misbehaving

 

Will do that. I'm using CentOS 4.4 32-bit.

Where did you get the default syslog settings from? Is it something that I can change?

Going to test a client/agent and report back.


./vcorreia

Dennis Borkhus-Veto wrote:

I think the problem may be in your syslog? Try having one of your clients use the agent to send to the server. I think the default syslog has a setting like

source local {
    unix-stream("/dev/log");
    internal();
    udp();
    tcp(ip(0.0.0.0) port(5140) max-connections(300));
};

That may be where your ip 0.0.0.0

Dennis


From: [email protected] [mailto:[email protected]] On Behalf Of Vitor Correia
Sent: Monday, September 11, 2006 8:38 AM
To: [email protected]
Subject: [ossec-list] Re: ip being reported as 0.0.0.0 & timestamp misbehaving

hello Dennis,

I'm sending to the syslog. Any info/logs/whatnot, just ask.

thanks,
./vcorreia

Dennis Borkhus-Veto wrote:

A question: are you using the agents to send the alerts to the server, or are you sending to the syslog?
Dennis
 
-----Original Message-----
From: [email protected] <[email protected]>
To: [email protected] <[email protected]>
Sent: Mon Sep 11 05:28:40 2006
Subject: [ossec-list] Re: ip being reported as 0.0.0.0 & timestamp misbehaving
 
I understand that ossec2base has been renamed to ossec2mysql; in what ways does this affect the installation procedure? Are the *.pl files still inside ossec-ui-****** @ http://www.riunx.com/public or are they inside ossec-hids**** @ ossec.net?

I'm still getting the wrong timestamp and IP, it's driving me nuts :)

Do you think the architecture I've implemented (see below) is OK or prone to "errors"?
 
./vcorreia
 
Meir Michanie wrote: 
 
I posted a fix: inside ossec2mysql (ex-ossec2base) the month should say Sep and not Set.
 
 
On 9/8/06, Vitor Correia <[EMAIL PROTECTED]> wrote:
 
Hello Meir and everyone,

As promised, I've set up a new testbed where I have a central logging server via syslogd (-r) and a bunch of other workstations reporting their syslogs to that server. All is well and I've even managed to start writing down installation instructions :)

Now, there are two things that don't work properly: the timestamp is reported as "0000-00-00 00:00:00" and ossec2base can't parse the correct "agent" IP when reporting from /var/log/*
 
e.g.:

** Alert 1157715877.7436:      nomail
2006 Sep 08 12:44:37 testbed2 -> /var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: (10.0.3.1)
User: root
sshd[15796]: Failed password for root from ::ffff:10.0.3.1 port 57468 ssh2


** Alert 1157715877.7133:        mail
2006 Sep 08 12:44:37 testbed2 -> /var/log/messages
Rule: 2502 (level 10) -> 'User missed the password more than one time'
Src IP: (0.0.0.0)
User: (none)
sshd(pam_unix)[15794]: 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.3.1  user=root
 
I'm running the latest ossec-hids version (server installation) with email notification (so that I can compare results), along with the latest ossec-ui version, dated 08-Sep-2006 01:10.
 
syslog: syslogd -m 0 -r
realtime feed: /usr/bin/perl -w /usr/local/bin/ossec2based.pl --conf /etc/ossec2base.conf -d --sensor ossecbase
 
I don't think I'm missing any important info.

What do you think might be the problem?
 
./vcorreia
 
Vitor Correia
Systems Administrator

Vitor Correia
Systems Administrator
-- 
 
Mobbit Systems

[EMAIL PROTECTED] | Mobile: + 351 916 448 025

Avenida do Forte, 8 - 1º Andar - Frente 01 -  2795-503 Carnaxide
Phone: + 351 21 418 01 40 | Fax:  + 351 21 418 01 41
[EMAIL PROTECTED] | www.mobbit.net

,-O 
O(_)) for a better world
`-O 
