Ok, I got past the rules. I installed a default local_rules.xml file and
now I see some information in "category", "server" and "location".
However, "agents", "alerts", and "data" are not receiving anything.

New debug logs:
2008/01/18 15:57:48 ossec-dbd(5203): Error executing query 'INSERT INTO
data(id, server_id, "user",full_log) VALUES ('1', '1', '(none)', 'ossec:
Ossec started.') '. Error: 'You have an error in your SQL syntax; check
the manual that corresponds to your MySQL server version for the right
syntax to use near '"user",full_log) VALUES ('1', '1', '(none)', 'ossec:
Ossec started.')' at line 1'.
And also:
2008/01/18 15:57:48 ossec-dbd(5202): Error connecting to database
'x.x.x.x'(ossec): Can't connect to local MySQL server through socket
'/var/run/mysqld/mysqld.sock' (2).
This looks to be repeated 10 times, as is listed in internal_options.conf.
Still troubleshooting.
-Reggie
Reggie Griffin wrote:
> Hello,
>
> I just compiled in support for mysql with OSSEC. For some reason, just
> after loading all the .xml rules files, OSSEC
> stops talking to mysql.
>
> 2008/01/18 13:30:07 ossec-dbd: Connected to database 'ossec' at 'x.x.x.x'.
>
> OSSEC connects just fine.
>
> Here is some debug output:
>
> 2008/01/18 13:21:52 ossec-dbd: DEBUG: read xml for rule
> '/rules/local_rules.xml'.
> 2008/01/18 13:21:52 ossec-dbd: DEBUG: XML Variables applied.
> 2008/01/18 13:21:52 ossec-dbd: DEBUG: entering _Rules_ReadInsertDB()
> <--- Above line repeated about 50 times -->
>
> The local_rules.xml file is the last file loaded into the database, and
> after that nothing else gets added and ossec-dbd dies.
>
> Here is some mysql debug, if it's helpful.
>
> 080118 13:36:47 32 Connect [EMAIL PROTECTED] on
> 32 Query SELECT VERSION()
> 32 Query SET NAMES utf8
> 32 Query SET collation_connection =
> 'utf8_unicode_ci'
> 32 Query SET NAMES utf8
> 32 Query SET collation_connection =
> 'utf8_unicode_ci'
> 32 Query SHOW SESSION VARIABLES LIKE
> 'collation_connection'
> 32 Query SHOW SESSION VARIABLES LIKE
> 'character_set_connection'
> 32 Query SHOW CHARACTER SET
> 32 Query SHOW COLLATION
> 32 Init DB ossec
> 32 Query SHOW TABLES LIKE
> 'signature_category_mapping'
> 32 Init DB ossec
> 32 Query SHOW TABLE STATUS LIKE
> 'signature_category_mapping'
> 32 Query SHOW INDEX FROM
> `signature_category_mapping`
> 32 Query SHOW FULL FIELDS FROM
> `signature_category_mapping`
> 32 Query SHOW CREATE TABLE
> `ossec`.`signature_category_mapping`
> 32 Query SHOW FULL COLUMNS
> FROM `ossec`.`signature_category_mapping`
> 32 Quit
> 080118 13:49:50 9 Quit
>
> Nothing jumps out at me, but maybe someone on the list might have an
> idea. I have around 20 hosts logging to OSSEC, a few which are fairly
> busy due to ftp and http servers.
>
> -Reggie
>
--
Reggie Griffin
Deputy Information Technology Security Officer
Contractor, STG Inc
NOAA's National Climatic Data Center
Veach-Baley Federal Building
151 Patton Avenue
Asheville, NC 28801-5001
Tel: (828) 271-4286
Fax: (828) 271-4246