Hi all,

I recently came across an instance where several alerts that should have generated emails occurred in a small time period and so were concatenated into a single email message. However, comparison of the email to alerts.log showed that this concatenation had resulted in one of the alerts being dropped from the email. Alerts both chronologically before and after the 'lost' alert were included in the email, so it cannot be that the alert was simply in a different email that went astray. I had recently upgraded to version 0.9-2. Has anyone else seen this behaviour in the latest (or any other) version of ossec?

I have included extracts from my alerts.log and the body of the email in question below; the alert that was lost was fired by Rule 11.

Some additional background is as follows: Multi-CPU 64-bit AMD machine running Linux 2.6 (SuSE 9.3). At the time I was adding a large number of new users to the system, and the system was also under excessively high load from user-run jobs --- the load was so high that some of my automated scripts which called "useradd" and then "passwd" in short succession were failing because the changes to /etc/shadow from "useradd" had not been committed before "passwd" was called. Needless to say, this was generating a lot of log traffic.

Unfortunately this is a production machine, so I'm not really able to try and recreate the scenario and see if it occurs again (nor do I want to encourage my users to run lots of un-niced jobs again *sighs*), but if anyone has ideas as to what might have caused this loss of email alerts and wants more details of the event in question, I'm happy to supply it.

Thanks

Jess

Messages in alerts.log:
-----------------------

...
** Alert 1160405570.17319: mail 2006 Oct 09 15:52:50 xxxxxxxxxxxx->/var/log/messages
Rule: 5902 (level 8) -> 'New user added to the system'
Src IP: (none)
User: (none)
useradd[25250]: new account added - account=aaaaaaa, uid=1025, gid=100, home=/home/aaaaaaa, shell=/bin/bash, by=0

** Alert 1160405666.17607: mail 2006 Oct 09 15:54:26 xxxxxxxxxxxx->/var/log/messages
Rule: 5902 (level 8) -> 'New user added to the system'
Src IP: (none)
User: (none)
useradd[25314]: new account added - account=bbbbbbb, uid=1026, gid=100, home=/home/bbbbbbb, shell=/bin/bash, by=0

** Alert 1160405712.17891: mail 2006 Oct 09 15:55:12 xxxxxxxxxxxx->/var/log/messages
Rule: 11 (level 8) -> 'Excessive number of connections during this hour. The average number of logs between 15:00 and 16:00 is 41. We reached 102.'
Src IP: (none)
User: (none)
No Log Available (HOURLY_STATS)

** Alert 1160405712.18189: 2006 Oct 09 15:55:12 xxxxxxxxxxxx->/var/log/messages
Rule: 13105 (level 3) -> 'Samba network problems (unable to connect).'
Src IP: (none)
User: (none)
smbd[23639]: Unable to connect to CUPS server localhost - Connection refused

** Alert 1160405734.18450: mail 2006 Oct 09 15:55:34 xxxxxxxxxxxx->/var/log/messages
Rule: 1002 (level 7) -> 'Unknown problem somewhere in the system.'
Src IP: (none)
User: (none)
passwd[25347]: User root: Authentication token manipulation error

** Alert 1160405734.18700: mail 2006 Oct 09 15:55:34 xxxxxxxxxxxx->/var/log/messages
Rule: 1002 (level 7) -> 'Unknown problem somewhere in the system.'
Src IP: (none)
User: (none)
passwd[25347]: password change failed, pam error 20 - user=bbbbbbb, uid=1026, by=0

** Alert 1160405768.18966: mail 2006 Oct 09 15:56:08 xxxxxxxxxxxx->/var/log/messages
Rule: 5902 (level 8) -> 'New user added to the system'
Src IP: (none)
User: (none)
useradd[25366]: new account added - account=ccccccc, uid=1027, gid=100, home=/home/ccccccc, shell=/bin/bash, by=0

...

Email digest:
-------------

OSSEC HIDS Notification.
2006 Oct 09 15:52:50

Received From: xxxxxxxxxxxx->/var/log/messages
Rule: 5902 fired (level 8) -> "New user added to the system"
Portion of the log(s):

useradd[25250]: new account added - account=aaaaaaa, uid=1025, gid=100, home=/home/aaaaaaa, shell=/bin/bash, by=0

--END OF NOTIFICATION

OSSEC HIDS Notification.
2006 Oct 09 15:54:26

Received From: xxxxxxxxxxxx->/var/log/messages
Rule: 5902 fired (level 8) -> "New user added to the system"
Portion of the log(s):

useradd[25314]: new account added - account=bbbbbbb, uid=1026, gid=100, home=/home/bbbbbbb, shell=/bin/bash, by=0

--END OF NOTIFICATION

OSSEC HIDS Notification.
2006 Oct 09 15:55:34

Received From: xxxxxxxxxxxx->/var/log/messages
Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
Portion of the log(s):

passwd[25347]: User root: Authentication token manipulation error

--END OF NOTIFICATION

OSSEC HIDS Notification.
2006 Oct 09 15:55:34

Received From: xxxxxxxxxxxx->/var/log/messages
Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
Portion of the log(s):

passwd[25347]: password change failed, pam error 20 - user=bbbbbbb, uid=1026, by=0

--END OF NOTIFICATION

OSSEC HIDS Notification.
2006 Oct 09 15:56:08

Received From: xxxxxxxxxxxx->/var/log/messages
Rule: 5902 fired (level 8) -> "New user added to the system"
Portion of the log(s):

useradd[25366]: new account added - account=ccccccc, uid=1027, gid=100, home=/home/ccccccc, shell=/bin/bash, by=0

--END OF NOTIFICATION
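The comparison the post describes (mail-flagged alerts in alerts.log versus the notifications that actually arrived in the digest) is worth automating, since a digest that silently drops one alert out of six is exactly the kind of gap a reviewer will not notice by eye. The following is an added example and is not code from the original post or from the OSSEC project. It assumes only the line formats visible in the extracts above: the `** Alert <id>: [mail] <timestamp> <location>` header and `Rule: N (level L) -> '...'` line in alerts.log, and the `OSSEC HIDS Notification.` / timestamp / `Rule: N fired (level L)` lines in the mail body. The sample texts are constructed from the extracts (hostname masked as in the post; the `Src IP`, `User`, `Received From` and raw log lines are left out because the parsers do not use them).

```python
"""Cross-check OSSEC alerts.log against the e-mail digest built from it and
report mail-flagged alerts that never made it into the message.

Added example, not from the original post or the OSSEC project. Formats are
taken from the extracts in the post; sample texts are constructed from them."""
import re
from collections import Counter

# Constructed sample of alerts.log. The 'mail' token after the alert id marks
# alerts flagged for e-mail; the 13105 alert has no such token and is not expected.
ALERTS_LOG = """\
** Alert 1160405570.17319: mail 2006 Oct 09 15:52:50 xxxxxxxxxxxx->/var/log/messages
Rule: 5902 (level 8) -> 'New user added to the system'

** Alert 1160405666.17607: mail 2006 Oct 09 15:54:26 xxxxxxxxxxxx->/var/log/messages
Rule: 5902 (level 8) -> 'New user added to the system'

** Alert 1160405712.17891: mail 2006 Oct 09 15:55:12 xxxxxxxxxxxx->/var/log/messages
Rule: 11 (level 8) -> 'Excessive number of connections during this hour. The average number of logs between 15:00 and 16:00 is 41. We reached 102.'

** Alert 1160405712.18189: 2006 Oct 09 15:55:12 xxxxxxxxxxxx->/var/log/messages
Rule: 13105 (level 3) -> 'Samba network problems (unable to connect).'

** Alert 1160405734.18450: mail 2006 Oct 09 15:55:34 xxxxxxxxxxxx->/var/log/messages
Rule: 1002 (level 7) -> 'Unknown problem somewhere in the system.'

** Alert 1160405734.18700: mail 2006 Oct 09 15:55:34 xxxxxxxxxxxx->/var/log/messages
Rule: 1002 (level 7) -> 'Unknown problem somewhere in the system.'

** Alert 1160405768.18966: mail 2006 Oct 09 15:56:08 xxxxxxxxxxxx->/var/log/messages
Rule: 5902 (level 8) -> 'New user added to the system'
"""

# Constructed sample of the digest body: five notifications, the rule 11 one absent.
EMAIL_DIGEST = """\
OSSEC HIDS Notification.
2006 Oct 09 15:52:50
Rule: 5902 fired (level 8) -> "New user added to the system"
--END OF NOTIFICATION
OSSEC HIDS Notification.
2006 Oct 09 15:54:26
Rule: 5902 fired (level 8) -> "New user added to the system"
--END OF NOTIFICATION
OSSEC HIDS Notification.
2006 Oct 09 15:55:34
Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
--END OF NOTIFICATION
OSSEC HIDS Notification.
2006 Oct 09 15:55:34
Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
--END OF NOTIFICATION
OSSEC HIDS Notification.
2006 Oct 09 15:56:08
Rule: 5902 fired (level 8) -> "New user added to the system"
--END OF NOTIFICATION
"""

ALERT_HDR = re.compile(r"^\*\* Alert (\d+\.\d+):(\s+mail)?\s+(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) ")
RULE_LINE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
TS_LINE = re.compile(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}$")
MAIL_RULE = re.compile(r"^Rule: (\d+) fired \(level (\d+)\)")


def parse_alerts_log(text):
    """One dict per '** Alert' block: id, timestamp, mail flag, rule, level, desc."""
    alerts, current = [], None
    for line in text.splitlines():
        m = ALERT_HDR.match(line)
        if m:
            current = {"id": m.group(1), "mail": m.group(2) is not None, "ts": m.group(3)}
            alerts.append(current)
            continue
        m = RULE_LINE.match(line)
        if m and current is not None:
            current.update(rule=m.group(1), level=int(m.group(2)), desc=m.group(3))
    return alerts


def parse_email(text):
    """One dict per notification in a digest body (timestamp, rule, level).
    The alert id is not echoed in the mail, so the timestamp line under the
    'OSSEC HIDS Notification.' header is the only handle on the original alert."""
    seen, ts = [], None
    for line in text.splitlines():
        line = line.strip()
        if TS_LINE.match(line):
            ts = line
        elif line.startswith("Rule:"):
            m = MAIL_RULE.match(line)
            if m and ts is not None:
                seen.append({"ts": ts, "rule": m.group(1), "level": int(m.group(2))})
                ts = None
    return seen


def find_dropped(alerts_log_text, email_text):
    """Mail-flagged alerts with no counterpart in the digest, as sorted (timestamp, rule).
    Compared as multisets: timestamps have one-second resolution and one rule can
    fire twice in a second (the two 1002 alerts), so a set difference would hide a
    dropped duplicate."""
    expected = Counter((a["ts"], a["rule"]) for a in parse_alerts_log(alerts_log_text) if a["mail"])
    delivered = Counter((n["ts"], n["rule"]) for n in parse_email(email_text))
    return sorted((expected - delivered).elements())


if __name__ == "__main__":
    for ts, rule in find_dropped(ALERTS_LOG, EMAIL_DIGEST):
        print(f"dropped from digest: {ts} rule {rule}")
```

On the real system, feed `find_dropped` the alerts.log window covering the digest's time span and the saved mail body; anything it returns is an alert that was flagged for mail but never delivered. Keying on (timestamp, rule) is a compromise forced by the mail format, which omits the alert id; if two different log lines trigger the same rule in the same second and only one is dropped, the check still reports the count shortfall but cannot say which one went missing.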
