Gentlemen, I'm running into an issue with the syscheck_control command. When I issue syscheck_control -i 001/002/003/004 etc., all of the responses list my agents as having the same IP address. I'm relatively new to this, so if there's a troubleshooting step I missed, please let me know so I can help myself better in the future.
r...@crumble-105:/var/ossec/bin# ./syscheck_control -i 001
Integrity changes for agent 'shatter_107 (001) - 172.x.x.107':
** No entries found.
r...@crumble-105:/var/ossec/bin# ./syscheck_control -i 002
Integrity changes for agent 'terror_108 (002) - 172.x.x.107':
** No entries found.
r...@crumble-105:/var/ossec/bin# ./syscheck_control -i 003
Integrity changes for agent 'chaos_111 (003) - 172.x.x.107':
** No entries found.
r...@crumble-105:/var/ossec/bin# ./syscheck_control -i 004
Integrity changes for agent 'minion_112 (004) - 172.x.x.107':
** No entries found.
If I run the syscheck_control update utility, it says it updates the
database, but it does not update the IP address recorded for the agent ID.
Now for the information asked for on the web site:
ossec-analysisd -V:
OSSEC HIDS v2.1 - Trend Micro Inc.
ossec-init.conf:
DIRECTORY="/var/ossec"
VERSION="v2.1"
DATE="Thu Jul 30 14:24:52 EDT 2009"
TYPE="server"
ossec.conf:
r...@crumble-105:/var/ossec/etc# cat ossec.conf
<ossec_config>
<!-- OSSEC HIDS v2.1 server configuration (ossec-init.conf reports TYPE="server") -->
<!-- Mail alert delivery settings: notifications are enabled and sent to email_to via smtp_server -->
<!-- NOTE(review): the attached ossec.log shows this SMTP server rejecting the message
("Mail from not accepted by server" / "Error Sending email"), so email alerts are not
being delivered at all; the relay most likely refuses this email_from sender. -->
<global>
<email_notification>yes</email_notification>
<email_to>[email protected]</email_to>
<smtp_server>www.microsolved.com</smtp_server>
<email_from>[email protected]</email_from>
</global>
<!-- Rule files loaded by ossec-analysisd, in this order (ossec.log: "Total rules enabled: '896'") -->
<rules>
<include>rules_config.xml</include>
<include>pam_rules.xml</include>
<include>sshd_rules.xml</include>
<include>telnetd_rules.xml</include>
<include>syslog_rules.xml</include>
<include>arpwatch_rules.xml</include>
<include>symantec-av_rules.xml</include>
<include>symantec-ws_rules.xml</include>
<include>pix_rules.xml</include>
<include>named_rules.xml</include>
<include>smbd_rules.xml</include>
<include>vsftpd_rules.xml</include>
<include>pure-ftpd_rules.xml</include>
<include>proftpd_rules.xml</include>
<include>ms_ftpd_rules.xml</include>
<include>ftpd_rules.xml</include>
<include>hordeimp_rules.xml</include>
<include>vpopmail_rules.xml</include>
<include>vmpop3d_rules.xml</include>
<include>courier_rules.xml</include>
<include>web_rules.xml</include>
<include>apache_rules.xml</include>
<include>mysql_rules.xml</include>
<include>postgresql_rules.xml</include>
<include>ids_rules.xml</include>
<include>squid_rules.xml</include>
<include>firewall_rules.xml</include>
<include>cisco-ios_rules.xml</include>
<include>netscreenfw_rules.xml</include>
<include>sonicwall_rules.xml</include>
<include>postfix_rules.xml</include>
<include>sendmail_rules.xml</include>
<include>imapd_rules.xml</include>
<include>mailscanner_rules.xml</include>
<include>ms-exchange_rules.xml</include>
<include>racoon_rules.xml</include>
<include>vpn_concentrator_rules.xml</include>
<include>spamd_rules.xml</include>
<include>msauth_rules.xml</include>
<include>mcafee_av_rules.xml</include>
<!-- policy_rules.xml is currently excluded from the loaded rule set -->
<!-- <include>policy_rules.xml</include> -->
<include>zeus_rules.xml</include>
<include>solaris_bsm_rules.xml</include>
<include>vmware_rules.xml</include>
<include>ms_dhcp_rules.xml</include>
<include>asterisk_rules.xml</include>
<include>ossec_rules.xml</include>
<include>attack_rules.xml</include>
<include>local_rules.xml</include>
</rules>
<!-- File integrity monitoring run by ossec-syscheckd on this server host
(ossec.log: "Monitoring directory: '/etc'" ... '/sbin') -->
<syscheck>
<!-- Frequency that syscheck is executed - default to every 22
hours -->
<frequency>79200</frequency>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<!-- Windows files to ignore -->
<!-- NOTE(review): ossec-analysisd also loads these ignore entries (see "Ignoring file:" in
ossec.log), presumably so syscheck alerts on these paths from Windows agents are suppressed;
the local Linux syscheckd cannot match them. -->
<ignore>C:\WINDOWS/System32/LogFiles</ignore>
<ignore>C:\WINDOWS/Debug</ignore>
<ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
<ignore>C:\WINDOWS/iis6.log</ignore>
<ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
<ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
<ignore>C:\WINDOWS/Prefetch</ignore>
<ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
<ignore>C:\WINDOWS/SoftwareDistribution</ignore>
<ignore>C:\WINDOWS/Temp</ignore>
<ignore>C:\WINDOWS/system32/config</ignore>
<ignore>C:\WINDOWS/system32/spool</ignore>
<ignore>C:\WINDOWS/system32/CatRoot</ignore>
</syscheck>
<!-- Rootkit detection and policy audit using the shared signature and RCL files -->
<rootcheck>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
</rootcheck>
<!-- Active response is off; ossec-execd exits at startup
(ossec.log: "Active response disabled. Exiting.") -->
<active-response>
<disabled>yes</disabled>
</active-response>
<!-- Agent communication: "secure" accepts the encrypted agent protocol. Agent identities
come from the client.keys file that ossec-remoted reads at startup
(ossec.log: "Reading authentication keys file"). -->
<!-- NOTE(review): the name and IP that syscheck_control prints for each agent ID are
presumably the entries recorded in client.keys; if every agent shows the same IP, compare
against the registered entries before suspecting the syscheck database. -->
<remote>
<connection>secure</connection>
</remote>
<!-- Alert thresholds: log_alert_level for the alert log, email_alert_level for mail notifications -->
<alerts>
<log_alert_level>1</log_alert_level>
<email_alert_level>7</email_alert_level>
</alerts>
<!-- Files to monitor (localfiles) -->
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/auth.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/vsftpd.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/mail.info</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/dpkg.log</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/apache/error.log</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/apache/access.log</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/apache2/error.log</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/apache2/access.log</location>
</localfile>
</ossec_config>
r...@crumble-105:/var/ossec/etc#
ossec.log file attached.
Thanks a lot.
--
_______________________________________________________________________
Nathan Grandbois, CISSP [email protected]
Security Analyst (614) 351-1237 x 212
PGP Key Available by Request
MicroSolved is security expertise you can trust!
HoneyPoint Security Server
Attackers get stung, instead of you!
http://www.microsolved.com/honeypoint
2009/07/30 14:27:11 ossec-maild: INFO: Started (pid: 13803). 2009/07/30 14:27:11 ossec-execd(1350): INFO: Active response disabled. Exiting. 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading local decoder file. 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules 
file: 'apache_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml' 2009/07/30 14:27:11 ossec-remoted: INFO: Started (pid: 13819). 
2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml' 2009/07/30 14:27:11 ossec-analysisd: INFO: Total rules enabled: '896' 2009/07/30 14:27:11 ossec-analysisd: INFO: Ignoring file: '/etc/mtab' 2009/07/30 14:27:11 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab' 2009/07/30 14:27:11 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny' 2009/07/30 14:27:11 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics' 2009/07/30 14:27:11 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed' 2009/07/30 14:27:11 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime' 2009/07/30 14:27:11 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs' 2009/07/30 14:27:11 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx' 2009/07/30 14:27:11 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx' 2009/07/30 14:27:11 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs' 2009/07/30 14:27:11 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates' 2009/07/30 14:27:11 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile' 2009/07/30 14:27:11 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/System32/LogFiles' 2009/07/30 14:27:11 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Debug' 2009/07/30 14:27:11 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log' 2009/07/30 14:27:11 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/iis6.log' 2009/07/30 14:27:11 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs' 2009/07/30 14:27:11 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository' 2009/07/30 14:27:11 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Prefetch' 2009/07/30 14:27:11 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl' 
2009/07/30 14:27:11 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/SoftwareDistribution' 2009/07/30 14:27:11 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Temp' 2009/07/30 14:27:11 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/config' 2009/07/30 14:27:11 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/spool' 2009/07/30 14:27:11 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/CatRoot' 2009/07/30 14:27:11 ossec-analysisd: INFO: Started (pid: 13811). 2009/07/30 14:27:11 ossec-remoted: INFO: Started (pid: 13820). 2009/07/30 14:27:11 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'. 2009/07/30 14:27:11 ossec-remoted(1410): INFO: Reading authentication keys file. 2009/07/30 14:27:11 ossec-remoted(1402): ERROR: Authentication key file '/etc/client.keys' not found. 2009/07/30 14:27:11 ossec-remoted(1750): ERROR: No remote connection configured. Exiting. 2009/07/30 14:27:12 ossec-monitord: INFO: Started (pid: 13830). 2009/07/30 14:27:16 ossec-syscheckd: INFO: Started (pid: 13826). 2009/07/30 14:27:16 ossec-rootcheck: INFO: Started (pid: 13826). 2009/07/30 14:27:16 ossec-syscheckd: INFO: Monitoring directory: '/etc'. 2009/07/30 14:27:16 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'. 2009/07/30 14:27:16 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'. 2009/07/30 14:27:16 ossec-syscheckd: INFO: Monitoring directory: '/bin'. 2009/07/30 14:27:16 ossec-syscheckd: INFO: Monitoring directory: '/sbin'. 2009/07/30 14:27:17 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'. 2009/07/30 14:27:17 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/auth.log'. 2009/07/30 14:27:17 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/syslog'. 2009/07/30 14:27:17 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/vsftpd.log'. 2009/07/30 14:27:17 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/mail.info'. 
2009/07/30 14:27:17 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/dpkg.log'. 2009/07/30 14:27:17 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/apache/error.log'. 2009/07/30 14:27:17 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/apache/access.log'. 2009/07/30 14:27:17 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/apache2/error.log'. 2009/07/30 14:27:17 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/apache2/access.log'. 2009/07/30 14:27:17 ossec-logcollector: INFO: Started (pid: 13815). 2009/07/30 14:27:44 os_sendmail(1764): WARN: Mail from not accepted by server 2009/07/30 14:27:44 ossec-maild(1223): ERROR: Error Sending email to 38.112.48.18 (smtp server) 2009/07/30 14:27:48 ossec-syscheckd: INFO: Starting syscheck database (pre-scan). 2009/07/30 14:30:24 os_sendmail(1764): WARN: Mail from not accepted by server 2009/07/30 14:30:24 ossec-maild(1223): ERROR: Error Sending email to 38.112.48.18 (smtp server) 2009/07/30 14:31:42 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed). 2009/07/30 14:33:42 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database). 2009/07/30 14:35:24 os_sendmail(1764): WARN: Mail from not accepted by server 2009/07/30 14:35:24 ossec-maild(1223): ERROR: Error Sending email to 38.112.48.18 (smtp server) 2009/07/30 14:40:24 os_sendmail(1764): WARN: Mail from not accepted by server 2009/07/30 14:40:24 ossec-maild(1223): ERROR: Error Sending email to 38.112.48.18 (smtp server) 2009/07/30 14:43:58 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database). 2009/07/30 14:44:18 ossec-rootcheck: INFO: Starting rootcheck scan. 
2009/07/30 14:44:59 os_sendmail(1764): WARN: Mail from not accepted by server 2009/07/30 14:44:59 ossec-maild(1223): ERROR: Error Sending email to 38.112.48.18 (smtp server) 2009/07/30 14:45:24 os_sendmail(1764): WARN: Mail from not accepted by server 2009/07/30 14:45:24 ossec-maild(1223): ERROR: Error Sending email to 38.112.48.18 (smtp server) 2009/07/30 14:47:54 os_sendmail(1764): WARN: Mail from not accepted by server 2009/07/30 14:47:54 ossec-maild(1223): ERROR: Error Sending email to 38.112.48.18 (smtp server) 2009/07/30 14:48:04 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning... 2009/07/30 14:48:04 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning... 2009/07/30 14:48:05 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning... 2009/07/30 14:48:05 ossec-analysisd(1225): INFO: SIGNAL Received. Exit Cleaning... 2009/07/30 14:48:05 ossec-maild(1225): INFO: SIGNAL Received. Exit Cleaning... 2009/07/30 14:48:13 ossec-execd(1350): INFO: Active response disabled. Exiting. 2009/07/30 14:48:13 ossec-maild: INFO: Started (pid: 14589). 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading local decoder file. 
2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml' 2009/07/30 14:48:13 
ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml' 2009/07/30 14:48:13 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml' 2009/07/30 
14:48:13 ossec-analysisd: INFO: Total rules enabled: '896' 2009/07/30 14:48:13 ossec-analysisd: INFO: Ignoring file: '/etc/mtab' 2009/07/30 14:48:13 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab' 2009/07/30 14:48:13 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny' 2009/07/30 14:48:13 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics' 2009/07/30 14:48:13 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed' 2009/07/30 14:48:13 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime' 2009/07/30 14:48:13 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs' 2009/07/30 14:48:13 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx' 2009/07/30 14:48:13 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx' 2009/07/30 14:48:13 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs' 2009/07/30 14:48:13 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates' 2009/07/30 14:48:13 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile' 2009/07/30 14:48:13 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/System32/LogFiles' 2009/07/30 14:48:13 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Debug' 2009/07/30 14:48:13 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log' 2009/07/30 14:48:13 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/iis6.log' 2009/07/30 14:48:13 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs' 2009/07/30 14:48:13 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository' 2009/07/30 14:48:13 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Prefetch' 2009/07/30 14:48:13 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl' 2009/07/30 14:48:13 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/SoftwareDistribution' 2009/07/30 14:48:13 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Temp' 2009/07/30 14:48:13 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/config' 2009/07/30 14:48:13 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/spool' 
2009/07/30 14:48:13 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/CatRoot' 2009/07/30 14:48:13 ossec-analysisd: INFO: Started (pid: 14597). 2009/07/30 14:48:13 ossec-remoted: INFO: Started (pid: 14605). 2009/07/30 14:48:13 ossec-remoted: INFO: Started (pid: 14606). 2009/07/30 14:48:13 ossec-monitord: INFO: Started (pid: 14614). 2009/07/30 14:48:13 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'. 2009/07/30 14:48:13 ossec-remoted(1410): INFO: Reading authentication keys file. 2009/07/30 14:48:17 ossec-syscheckd: INFO: Started (pid: 14610). 2009/07/30 14:48:17 ossec-rootcheck: INFO: Started (pid: 14610). 2009/07/30 14:48:17 ossec-syscheckd: INFO: Monitoring directory: '/etc'. 2009/07/30 14:48:17 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'. 2009/07/30 14:48:17 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'. 2009/07/30 14:48:17 ossec-syscheckd: INFO: Monitoring directory: '/bin'. 2009/07/30 14:48:17 ossec-syscheckd: INFO: Monitoring directory: '/sbin'. 2009/07/30 14:48:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'. 2009/07/30 14:48:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/auth.log'. 2009/07/30 14:48:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/syslog'. 2009/07/30 14:48:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/vsftpd.log'. 2009/07/30 14:48:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/mail.info'. 2009/07/30 14:48:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/dpkg.log'. 2009/07/30 14:48:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/apache/error.log'. 2009/07/30 14:48:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/apache/access.log'. 2009/07/30 14:48:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/apache2/error.log'. 2009/07/30 14:48:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/apache2/access.log'. 
2009/07/30 14:48:19 ossec-logcollector: INFO: Started (pid: 14601). 2009/07/30 14:48:46 os_sendmail(1764): WARN: Mail from not accepted by server 2009/07/30 14:48:46 ossec-maild(1223): ERROR: Error Sending email to 38.112.48.18 (smtp server) 2009/07/30 14:48:49 ossec-syscheckd: INFO: Starting syscheck database (pre-scan). 2009/07/30 14:49:01 os_sendmail(1764): WARN: Mail from not accepted by server 2009/07/30 14:49:01 ossec-maild(1223): ERROR: Error Sending email to 38.112.48.18 (smtp server) 2009/07/30 14:49:16 os_sendmail(1764): WARN: Mail from not accepted by server 2009/07/30 14:49:16 ossec-maild(1223): ERROR: Error Sending email to 38.112.48.18 (smtp server) 2009/07/30 14:50:21 os_sendmail(1764): WARN: Mail from not accepted by server 2009/07/30 14:50:21 ossec-maild(1223): ERROR: Error Sending email to 38.112.48.18 (smtp server) 2009/07/30 14:52:45 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed). 2009/07/30 14:53:26 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning... 2009/07/30 14:53:26 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning... 2009/07/30 14:53:27 ossec-remoted(1225): INFO: SIGNAL Received. Exit Cleaning... 2009/07/30 14:53:27 ossec-analysisd(1225): INFO: SIGNAL Received. Exit Cleaning... 2009/07/30 14:53:27 ossec-maild(1225): INFO: SIGNAL Received. Exit Cleaning... 2009/07/30 14:53:27 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning... 2009/07/30 14:53:27 ossec-maild: INFO: Started (pid: 14817). 2009/07/30 14:53:27 ossec-execd(1350): INFO: Active response disabled. Exiting. 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading local decoder file. 
2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml' 2009/07/30 14:53:27 
ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml' 2009/07/30 14:53:27 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml' 2009/07/30 
14:53:27 ossec-analysisd: INFO: Total rules enabled: '896' 2009/07/30 14:53:27 ossec-analysisd: INFO: Ignoring file: '/etc/mtab' 2009/07/30 14:53:27 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab' 2009/07/30 14:53:27 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny' 2009/07/30 14:53:27 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics' 2009/07/30 14:53:27 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed' 2009/07/30 14:53:27 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime' 2009/07/30 14:53:27 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs' 2009/07/30 14:53:27 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx' 2009/07/30 14:53:27 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx' 2009/07/30 14:53:27 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs' 2009/07/30 14:53:27 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates' 2009/07/30 14:53:27 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile' 2009/07/30 14:53:27 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/System32/LogFiles' 2009/07/30 14:53:27 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Debug' 2009/07/30 14:53:27 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log' 2009/07/30 14:53:27 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/iis6.log' 2009/07/30 14:53:27 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs' 2009/07/30 14:53:27 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository' 2009/07/30 14:53:27 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Prefetch' 2009/07/30 14:53:27 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl' 2009/07/30 14:53:27 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/SoftwareDistribution' 2009/07/30 14:53:27 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Temp' 2009/07/30 14:53:27 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/config' 2009/07/30 14:53:27 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/spool' 
2009/07/30 14:53:27 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/CatRoot' 2009/07/30 14:53:27 ossec-analysisd: INFO: Started (pid: 14825). 2009/07/30 14:53:27 ossec-remoted: INFO: Started (pid: 14833). 2009/07/30 14:53:27 ossec-remoted: INFO: Started (pid: 14834). 2009/07/30 14:53:27 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'. 2009/07/30 14:53:27 ossec-remoted(1410): INFO: Reading authentication keys file. 2009/07/30 14:53:27 ossec-remoted: INFO: Assigning counter for agent shatter_107: '0:2154'. 2009/07/30 14:53:27 ossec-remoted: INFO: No previous counter available for 'terror_108'. 2009/07/30 14:53:27 ossec-remoted: INFO: Assigning counter for agent terror_108: '0:0'. 2009/07/30 14:53:27 ossec-remoted: INFO: Assigning counter for agent chaos_111: '0:2376'. 2009/07/30 14:53:27 ossec-remoted: INFO: Assigning counter for agent minion_112: '0:2314'. 2009/07/30 14:53:27 ossec-remoted: INFO: Assigning sender counter: 0:349 2009/07/30 14:53:27 ossec-monitord: INFO: Started (pid: 14844). 2009/07/30 14:53:31 ossec-syscheckd: INFO: Started (pid: 14838). 2009/07/30 14:53:31 ossec-rootcheck: INFO: Started (pid: 14838). 2009/07/30 14:53:31 ossec-syscheckd: INFO: Monitoring directory: '/etc'. 2009/07/30 14:53:31 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'. 2009/07/30 14:53:31 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'. 2009/07/30 14:53:31 ossec-syscheckd: INFO: Monitoring directory: '/bin'. 2009/07/30 14:53:31 ossec-syscheckd: INFO: Monitoring directory: '/sbin'. 2009/07/30 14:53:33 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'. 2009/07/30 14:53:33 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/auth.log'. 2009/07/30 14:53:33 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/syslog'. 2009/07/30 14:53:33 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/vsftpd.log'. 2009/07/30 14:53:33 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/mail.info'. 
2009/07/30 14:53:33 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/dpkg.log'. 2009/07/30 14:53:33 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/apache/error.log'. 2009/07/30 14:53:33 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/apache/access.log'. 2009/07/30 14:53:33 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/apache2/error.log'. 2009/07/30 14:53:33 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/apache2/access.log'. 2009/07/30 14:53:33 ossec-logcollector: INFO: Started (pid: 14829). 2009/07/30 14:54:03 ossec-syscheckd: INFO: Starting syscheck database (pre-scan). 2009/07/30 14:57:34 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed). 2009/07/30 14:59:34 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database). 2009/07/30 15:09:49 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database). 2009/07/30 15:10:09 ossec-rootcheck: INFO: Starting rootcheck scan. 2009/07/30 15:14:33 ossec-rootcheck: INFO: Ending rootcheck scan. 2009/07/31 00:00:22 ossec-monitord: No previous md5 checksum found: '/logs/archives/2009/Jul/ossec-archive-29.log.sum'. Starting over. 2009/07/31 00:00:22 ossec-monitord: No previous sha1 checksum found: '/logs/archives/2009/Jul/ossec-archive-29.log.sum'. Starting over. 2009/07/31 00:00:22 ossec-monitord: No previous md5 checksum found: '/logs/alerts/2009/Jul/ossec-alerts-29.log.sum'. Starting over. 2009/07/31 00:00:22 ossec-monitord: No previous sha1 checksum found: '/logs/alerts/2009/Jul/ossec-alerts-29.log.sum'. Starting over. 2009/07/31 00:00:22 ossec-monitord: No previous md5 checksum found: '/logs/firewall/2009/Jul/ossec-firewall-29.log.sum'. Starting over. 2009/07/31 00:00:22 ossec-monitord: No previous sha1 checksum found: '/logs/firewall/2009/Jul/ossec-firewall-29.log.sum'. Starting over. 2009/07/31 11:14:52 ossec-rootcheck: INFO: Starting rootcheck scan. 2009/07/31 11:19:44 ossec-rootcheck: INFO: Ending rootcheck scan.
