Hey Meir,
Could you send me the result of this query (SELECT * from acid_event
limit 10;) in your db so I can compare it with my db?
I think the problem is in this table; BASE gets the fields sid
and cid, but my db is like this:
mysql> SELECT * from acid_event limit 10;
+-----+-----+-----------+--------------------------------------------+--------------+--------------+---------------------+-----------+-----------+----------+--------------+--------------+
| sid | cid | signature | sig_name                                   | sig_class_id | sig_priority | timestamp           | ip_src    | ip_dst    | ip_proto | layer4_sport | layer4_dport |
+-----+-----+-----------+--------------------------------------------+--------------+--------------+---------------------+-----------+-----------+----------+--------------+--------------+
|   1 |   1 |         1 | 'Unknown problem somewhere in the system.' |            1 |            7 | 2006-07-31 10:41:33 |         0 | 167772169 |     NULL |         NULL |         NULL |
|   1 |   2 |         2 | 'SSHD authentication failed.'              |            1 |            5 | 2006-07-31 10:41:55 | 167772168 | 167772169 |     NULL |         NULL |         NULL |
|   1 |   3 |         2 | 'SSHD authentication failed.'              |            1 |            5 | 2006-07-31 10:41:59 | 167772168 | 167772169 |     NULL |         NULL |         NULL |
|   1 |   4 |         3 | 'Attempt to access an non-existent file.'  |            1 |            5 | 2006-07-31 10:59:08 | 167772168 | 167772169 |     NULL |         NULL |         NULL |
|   1 |   5 |         4 | 'Web server 400 error code.'               |            1 |            5 | 2006-07-31 10:59:08 | 167772168 | 167772169 |     NULL |         NULL |         NULL |
|   1 |   6 |         4 | 'Web server 400 error code.'               |            1 |            5 | 2006-07-31 10:59:08 | 167772168 | 167772169 |     NULL |         NULL |         NULL |
|   1 |   7 |         3 | 'Attempt to access an non-existent file.'  |            1 |            5 | 2006-07-31 10:59:08 | 167772168 | 167772169 |     NULL |         NULL |         NULL |
|   1 |   8 |         3 | 'Attempt to access an non-existent file.'  |            1 |            5 | 2006-07-31 11:02:14 | 167772168 | 167772169 |     NULL |         NULL |         NULL |
|   1 |   9 |         3 | 'Attempt to access an non-existent file.'  |            1 |            5 | 2006-07-31 11:02:14 | 167772168 | 167772169 |     NULL |         NULL |         NULL |
|   1 |  10 |         3 | 'Attempt to access an non-existent file.'  |            1 |            5 | 2006-07-31 11:03:03 | 167772169 | 167772169 |     NULL |         NULL |         NULL |
+-----+-----+-----------+--------------------------------------------+--------------+--------------+---------------------+-----------+-----------+----------+--------------+--------------+
How is your table?
--
________________________________________
Leonardo Goldim - Auditoria Intranetworks
[EMAIL PROTECTED]
Intranetworks
Rua Marquês do Pombal 1710/805
Porto Alegre - RS - 90540-000
+55 51 3325-5700
+55 51 8415-8604
Meir Michanie wrote:
The only thing I can suggest is that you look at the alerts log in the
wiki. If your alert log format is not there, append it and I can check more