That leaves only a memory/buffer overflow kind of error. If it only happened once I would not sweat it. It is also "possible" that the log data got corrupted in transit (look at netstat -s for host and client interfaces). If it repeats, then I would relook at the logs, possibly with a different tool. Binary data in a log file can hide from editors, so cat, grep and strings are better tools. I think it is unlikely that an OSSEC bug can cause this, but you could re-install as a last resort.

On 12/02/2010 04:06 PM, Andre Pawlowski wrote:
I don't find this log entry in any of my logs. That means that there was
no syslog message with this text. Smart didn't detect anything strange
either.

Andre Pawlowski

-------------------------------------------------------------------

Poor is the pupil who does not surpass his master.
        -Leonardo da Vinci

On 12/02/2010 07:54 PM, loyd.darby wrote:
It means that a syslog message had one of these words in it:
core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted
MARK and the string of characters is actually part of the message and it
is likely a disk error.
It definitely should be looked at.

On 12/02/2010 12:10 PM, dan (ddp) wrote:
On Thu, Dec 2, 2010 at 11:27 AM, Andre Pawlowski <[email protected]> wrote:

Hi list,

I've got a strange error message from my ossec server that I don't
understand:

OSSEC HIDS Notification.
2010 Dec 02 09:48:40

Received From: kokyt0s->ossec-keepalive
Rule: 1002 fired (level 2) ->   "Unknown problem somewhere in the
system."
Portion of the log(s):

--MARK--:
&pQSW__BPa5S?%tyDTJ3-iCG2lz2dU))r(F%6tjp8wqpf=]IKFT%ND2kP]ua/W)3-6'eHduX$;$Axqq7Vr.dVZ1SUDSaH)4xTXCIieaEKv47LD-bU)SXMnXO/jPGKn3.!NGBR_5]jD2UoSV9)h%z8G%7.xhI;s)267.rv2...@t2#w)Z(k'UQp9]MyDERrOrG[-,e...@b3rg/kGiR[g6mc0K)/]S]0'+?+'/.[r$fqBR^7iAjoPv4j6SWjeRsLGr%$3#p+buf&u_RC3i/mE3vS3*jp&B1qSJM431TmEg,YJ][ge;6-dJI69?-TB?!BI4?Uza63V3vMY3ake6ahj-%A-m_5lgab!OVR,!pR+;L]eLgilU




   --END OF NOTIFICATION


Has anyone an idea what this means?

Regards

--

Andre Pawlowski

-------------------------------------------------------------------

If an idea does not seem absurd at first, it is worthless.
         -Albert Einstein


I think it's "normal" (although I didn't think these messages were
going to be logged). It's definitely nothing to worry about. I think
the random text in the message is just padding to make the keep alives
indistinguishable from other messages based on packet size.


--
R. Loyd Darby, OSSIM-OCSE
Project Manager DOC/NOAA/NMFS
Infrastructure coordinator
Southeast Fisheries Science Center
305-361-4297
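
An added example (not from the thread and not OSSEC code) that checks a "Portion of the log(s)" string against the word list quoted above for rule 1002 and reports where each match sits. It assumes the rule does case-insensitive substring matching; the function names and the second sample line are constructed for illustration.

```python
import re

# Word list for rule 1002 as quoted in the thread (trailing spaces matter).
BAD_WORDS = ("core_dumped|failure|error|attack|bad |illegal |denied|refused|"
             "unauthorized|fatal|failed|Segmentation Fault|Corrupted")

# Assumption: the rule does case-insensitive substring matching.
_PATTERN = re.compile("|".join(re.escape(w) for w in BAD_WORDS.split("|")),
                      re.IGNORECASE)

def find_hits(text):
    """Locate every bad-word match and describe its surroundings."""
    hits = []
    for m in _PATTERN.finditer(text):
        word = m.group(0)
        before = text[m.start() - 1] if m.start() > 0 else ""
        after = text[m.end()] if m.end() < len(text) else ""
        hits.append({
            "offset": m.start(),
            "match": word,
            # Glued to letters/digits: not a standalone word.
            "embedded": before.isalnum() or after.isalnum(),
            # Casing no logger would normally emit, e.g. "ERrOr".
            "odd_case": word not in {word.lower(), word.upper(),
                                     word.capitalize(), word.title()},
        })
    return hits

def probably_padding(text):
    """True when every hit is embedded in a token and oddly cased."""
    hits = find_hits(text)
    return bool(hits) and all(h["embedded"] and h["odd_case"] for h in hits)

# Short excerpt of the "Portion of the log(s)" in the alert quoted above.
ALERT_EXCERPT = "k'UQp9]MyDERrOrG[-,"
# Constructed sample of a genuine error line, for comparison.
REAL_LINE = "kernel: end_request: I/O error, dev sda, sector 12345"

if __name__ == "__main__":
    for sample in (ALERT_EXCERPT, REAL_LINE):
        print(probably_padding(sample), find_hits(sample))
```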
