Hi Dan,

1. I have those errors on both client and server.

2. I have no more explicit errors in debug mode 1.
Looking at the source code I found that this message is actually a warning:
        /* Avoiding wrong formats in the database. Alert about them */
        if(buf[0] == '#' || buf[0] == ' ' || buf[0] == '\n')
        {
            merror("%s: Invalid entry in the integrity database: '%s'",
                                                            ARGV0, buf);
            continue;
        }
where buf is a buffer where data retrieved from database is kept.
Obviously, some or all of this data is not in a correct format as per the 
condition above.
I guess I can assume that this is quite important.

Also, this is a problem as from 1432 lines in the log file, 1212 lines are with 
this error.

Any other ideas?


3. Where can I change the default behaviour of sending 3 alerts for an event 
and then starting to ignore it?

Thanks,

Adi
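The check quoted above, extended into a small scanner that applies the same first-character test to every line of a database image and reports the offending line numbers. This is an added example written for this thread, not OSSEC's own code; the record lines in SAMPLE_DB are constructed and do not reproduce OSSEC's real database format.

```c
#include <stdio.h>
#include <string.h>

/* Same test as the OSSEC snippet quoted above: a database line whose
 * first character is '#', ' ' or '\n' is not a valid integrity entry. */
int is_invalid_entry(const char *buf)
{
    return buf[0] == '#' || buf[0] == ' ' || buf[0] == '\n';
}

/* Walk a database image held in memory line by line, applying that test to
 * each line's first character. Counts all lines and all invalid lines, prints
 * up to report_limit offending lines with their numbers, returns the invalid count. */
int scan_syscheck_db(const char *text, int *total_lines, int report_limit)
{
    int lineno = 0, invalid = 0;
    const char *p = text;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        lineno++;
        if (is_invalid_entry(p)) {
            invalid++;
            if (invalid <= report_limit)
                fprintf(stderr, "line %d: invalid entry: '%.*s'\n",
                        lineno, (int)len, p);
        }
        p += len + (nl ? 1 : 0);   /* skip past the newline, if any */
    }
    if (total_lines)
        *total_lines = lineno;
    return invalid;
}

/* Constructed sample image (hypothetical record layout, not OSSEC's real
 * format): two well-formed records, a comment, an indented line, an empty line. */
static const char SAMPLE_DB[] =
    "+rec1 /etc/passwd\n"
    "# stray comment\n"
    "+rec2 /etc/hosts\n"
    " indented garbage\n"
    "\n";

int main(void)
{
    int total = 0, bad = scan_syscheck_db(SAMPLE_DB, &total, 10);
    printf("%d of %d lines invalid\n", bad, total);
    return 0;
}
```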


-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Wednesday, May 19, 2010 6:30 PM
To: [email protected]
Subject: Re: [ossec-list] analysisd: ERROR: Invalid syscheck message received.

On Wed, May 19, 2010 at 8:51 AM, Adi CHIRU <[email protected]> wrote:
> First, I stopped ossec daemons, emptied those files manually and started ossec 
> daemons. Everything went fine until I restarted ossec, when those errors 
> started to appear again.
>
> After this I stopped ossec, deleted the files completely and started ossec. 
> The files were created and again, the errors in logs only appeared after I 
> restarted ossec (usually because I change the configuration files).
>
> It seems that a solution would be to clear the database (those files in 
> /var/ossec/queue/syscheck/ directory before each [re]start) but I am not sure 
> that this would also be a good idea.
>
>

I'm stumped. Have you tried running the appropriate daemons in debug
mode (-d I think) to see if there are some more verbose logs that
might help? Are you getting log messages on the agent side as well as
the server?

> And one more question, if I may:
>
> Where can I find details about the logic in alerting behaviour of ossec? I am 
> interested in an answer about what ossec does after an event of new file or 
> deleted file or modified ownership on a file was found and an alert was 
> issued; does ossec keep sending that alert each time it detects the event or 
> after first detection the database is updated and so the next run will not 
> detect the same event again?
>
> Thanks,
> Adi
>
>
>

Under the default configuration, I think ossec alerts up to 3 times
for modifications to a file. After that it ignores the changes until
you clear them from the database.
