On Thu, Dec 2, 2010 at 4:52 PM, loyd.darby <[email protected]> wrote:
> That leaves only a memory / buffer overflow kind of error. If it only
> happened once I would not sweat it.
> It is also "possible" that the log data got corrupted in transit (look at
> netstat -s for host and client interfaces)
> If it repeats, then I would relook at the logs, possibly with a different
> tool.
> Binary data in a log file can hide from editors so cat, grep and strings are
> better tools.
> I think it is unlikely that an OSSEC bug can cause this but you could
> re-install as a last resort.
>
>
Or it could be part of the keepalive messages in OSSEC:
(from src/logcollector/logcollector.c)

    #include <stdlib.h>   /* rand() */
    #include <string.h>   /* strncpy() */

    /* Write "--MARK--: " into dst, then pad it with random printable
       characters up to a random total length below size, NUL-terminated. */
    char *rand_keepalive_str(char *dst, int size)
    {
        static const char text[] = "abcdefghijklmnopqrstuvwxyz"
                                   "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                                   "0123456789"
                                   "!@#$%^&*()_+-=;'[],./?";
        int i, len = rand() % (size - 10);   /* total length incl. prefix */

        strncpy(dst, "--MARK--: ", 12);      /* 10-char prefix, NUL padded */
        for ( i = 10; i < len; ++i )         /* no padding when len <= 10 */
        {
            dst[i] = text[rand() % (sizeof text - 1)];   /* -1 skips the NUL */
        }
        dst[i] = '\0';
        return dst;
    }
> On 12/02/2010 04:06 PM, Andre Pawlowski wrote:
>>
>> I don't find this log entry in any of my logs. That means that there was
>> no syslog message with this text. Smart didn't detect anything strange
>> either.
>>
>> Andre Pawlowski
>>
>> -------------------------------------------------------------------
>>
>> Poor is the pupil who does not surpass his master.
>> -Leonardo da Vinci
>>
>> On 12/02/2010 07:54 PM, loyd.darby wrote:
>>
>>>
>>> It means that a syslog message had one of these words in it:
>>> core_dumped|failure|error|attack|bad |illegal
>>> |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted
>>> MARK and the string of characters is actually part of the message and it
>>> is likely a disk error.
>>> It definitely should be looked at.
>>>
>>> On 12/02/2010 12:10 PM, dan (ddp) wrote:
>>>
>>>>
>>>> On Thu, Dec 2, 2010 at 11:27 AM, Andre Pawlowski <[email protected]>
>>>> wrote:
>>>>
>>>>
>>>>>
>>>>> Hi list,
>>>>>
>>>>> I've got a strange error message from my ossec server that I don't
>>>>> understand:
>>>>>
>>>>> OSSEC HIDS Notification.
>>>>> 2010 Dec 02 09:48:40
>>>>>
>>>>> Received From: kokyt0s->ossec-keepalive
>>>>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the
>>>>> system."
>>>>> Portion of the log(s):
>>>>>
>>>>> --MARK--:
>>>>>
>>>>> &pQSW__BPa5S?%tyDTJ3-iCG2lz2dU))r(F%6tjp8wqpf=]IKFT%ND2kP]ua/W)3-6'eHduX$;$Axqq7Vr.dVZ1SUDSaH)4xTXCIieaEKv47LD-bU)SXMnXO/jPGKn3.!NGBR_5]jD2UoSV9)h%z8G%7.xhI;s)267.rv2...@t2#w)Z(k'UQp9]MyDERrOrG[-,e...@b3rg/kGiR[g6mc0K)/]S]0'+?+'/.[r$fqBR^7iAjoPv4j6SWjeRsLGr%$3#p+buf&u_RC3i/mE3vS3*jp&B1qSJM431TmEg,YJ][ge;6-dJI69?-TB?!BI4?Uza63V3vMY3ake6ahj-%A-m_5lgab!OVR,!pR+;L]eLgilU
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --END OF NOTIFICATION
>>>>>
>>>>>
>>>>> Has anyone an idea what this means?
>>>>>
>>>>> Regards
>>>>>
>>>>> --
>>>>>
>>>>> Andre Pawlowski
>>>>>
>>>>> -------------------------------------------------------------------
>>>>>
>>>>> If an idea does not at first seem absurd, it is worthless.
>>>>> -Albert Einstein
>>>>>
>>>>>
>>>>>
>>>>
>>>> I think it's "normal" (although I didn't think these messages were
>>>> going to be logged). It's definitely nothing to worry about. I think
>>>> the random text in the message is just padding to make the keepalives
>>>> indistinguishable from other messages based on packet size.
>>>>
>>>>
>>>
>>>
>
> --
> R. Loyd Darby, OSSIM-OCSE
> Project Manager DOC/NOAA/NMFS
> Infrastructure coordinator
> Southeast Fisheries Science Center
> 305-361-4297
>
>
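Added example, not code from the thread or from OSSEC itself: a small C check that reproduces why the keepalive above tripped rule 1002. The quoted payload contains "MyDERrOrG", and the $BAD_WORDS list quoted earlier includes "error"; OSSEC's <match> is case-insensitive, so the random padding matched. The bad-word list is taken from the thread, the sample lines are constructed (the first is an excerpt of the quoted notification), and classify()'s distinction between a hit inside "--MARK--: " padding and a hit in an ordinary syslog line is the tuning idea this example adds, not something the thread prescribes.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* $BAD_WORDS for OSSEC rule 1002, as quoted in the thread. */
static const char *const bad_words[] = {
    "core_dumped", "failure", "error", "attack", "bad ", "illegal",
    "denied", "refused", "unauthorized", "fatal", "failed",
    "Segmentation Fault", "Corrupted", NULL
};

/* Constructed samples. The first is an excerpt of the random payload in the
   quoted notification; the second is a made-up ordinary syslog line. */
const char keepalive_sample[] = "--MARK--: 9]MyDERrOrG[-,e";
const char syslog_sample[]    = "kernel: I/O error on sda";

/* Portable case-insensitive substring search (strcasestr is not ISO C). */
static const char *ci_strstr(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0)
        return hay;
    for (; *hay; ++hay) {
        size_t k = 0;
        while (k < n && hay[k] &&
               tolower((unsigned char)hay[k]) == tolower((unsigned char)needle[k]))
            ++k;
        if (k == n)
            return hay;
    }
    return NULL;
}

/* First $BAD_WORDS entry found in msg, matched case-insensitively the way
   OSSEC <match> does, or NULL when rule 1002 would not fire. */
const char *first_bad_word(const char *msg)
{
    for (size_t i = 0; bad_words[i]; ++i)
        if (ci_strstr(msg, bad_words[i]))
            return bad_words[i];
    return NULL;
}

/* A keepalive always starts with the fixed prefix rand_keepalive_str() writes. */
int is_keepalive(const char *msg)
{
    return strncmp(msg, "--MARK--: ", 10) == 0;
}

/* 0 = no bad word, 1 = bad word in a real log line,
   2 = bad word that sits inside keepalive padding (a false positive). */
int classify(const char *msg)
{
    if (!first_bad_word(msg))
        return 0;
    return is_keepalive(msg) ? 2 : 1;
}

int main(void)
{
    const char *samples[] = { keepalive_sample, syslog_sample, "--MARK--: abc123XYZ" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; ++i) {
        const char *w = first_bad_word(samples[i]);
        printf("class=%d word=%s :: %s\n", classify(samples[i]),
               w ? w : "(none)", samples[i]);
    }
    return 0;
}
```

Running it prints class=2 for the quoted keepalive excerpt, because "error" is found inside "MyDERrOrG", and class=1 for the constructed syslog line; a clean keepalive gets class=0. Since the padding is random, the same words will eventually appear again, so the reliable fix is to tune on the "--MARK--: " prefix (or the ossec-keepalive location) rather than on the matched word.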