Try to run:

# /var/ossec/bin/ossec-logcollector -V

to see if you have the right version installed (2.5.1). And in the configuration you have to set it like Dan (ddp) said: "multi-line: <number of lines>"

Thanks,

On Thu, Dec 2, 2010 at 4:54 PM, Shaikat Majumdar <[email protected]> wrote:
> I tried the solution you suggested and it does not rectify the problem.
> Still getting the same error message on the ossec.conf file.
>
> The other question I had on this: can I specify a range for the number of
> lines for an entry (for example, let's say 1 to 50), in the case of a
> multi-line log_format?
>
> That does not solve
> On 12/2/10 2:06 PM, dan (ddp) wrote:
>> It was pointed out to me on IRC that the <log_format> should include
>> the number of lines expected in an event.
>> For example, if each entry is 10 lines long:
>> <log_format>multi-line: 10</log_format>
>>
>> On Wed, Dec 1, 2010 at 3:43 PM, Shaikat Majumdar <[email protected]> wrote:
>>> I have tested the multi-line stuff by using the forensic analysis feature
>>> of log files (cat /tmp/foo.log | /var/ossec/bin/ossec-logtest -a) and it works.
>>> That is what led me to believe this might be a non-issue or maybe a
>>> syntactical issue.
>>>
>>> Here is the config section in the ossec.conf file which is causing the
>>> problem.
>>>
>>> <agent_config name="foo">
>>> <localfile>
>>> <log_format>multi-line</log_format>
>>> <location>/tmp/foo.log</location>
>>> </localfile>
>>> </agent_config>
>>>
>>> And this is the error message:
>>>
>>> ossec-config(1230): ERROR: Invalid element in the configuration: 'agent_config'.
>>> ossec-config(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
>>> ossec-testrule(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
>>>
>>> On Wed, Dec 1, 2010 at 2:23 PM, dan (ddp) <[email protected]> wrote:
>>>> On Wed, Dec 1, 2010 at 1:18 PM, Shaikat <[email protected]> wrote:
>>>>> Yes, I get the same error.
>>>>>
>>>>> Also, I want to configure my agents centrally, so that is why I am
>>>>> using the agent.conf file.
>>>>
>>>> Understood, it was just a test. I haven't tried the multiline stuff yet.
>>>>
>>>>> However, as I stated above, the error does not prevent the agent from
>>>>> restarting.
>>>>> Maybe this is a non-issue. I just wanted to clarify whether this error
>>>>> message can be safely ignored.
>>>>
>>>> It looks like a real error to me. Can you post the config section
>>>> that's failing (you can obfuscate the logfile location if you want)?
>>>>
>>>>> On Dec 1, 12:36 pm, "dan (ddp)" <[email protected]> wrote:
>>>>>> On Wed, Dec 1, 2010 at 12:29 PM, Shaikat <[email protected]> wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Thanks for answering my question.
>>>>>>>
>>>>>>> Another related question on the agent.conf file. As you can see, I am
>>>>>>> using the multi-line log_format introduced in version 2.5.1.
>>>>>>>
>>>>>>> When I try to recycle an agent I get this error:
>>>>>>>
>>>>>>> Started ossec-syscheckd...
>>>>>>> Completed.
>>>>>>> Killing ossec-logcollector ..
>>>>>>> Killing ossec-syscheckd ..
>>>>>>> Killing ossec-agentd ..
>>>>>>> Killing ossec-execd ..
>>>>>>> OSSEC HIDS v2.5.1 Stopped
>>>>>>> Starting OSSEC HIDS v2.5.1 (by Trend Micro Inc.)...
>>>>>>> Started ossec-execd...
>>>>>>> Started ossec-agentd...
>>>>>>> 2010/11/30 17:55:39 ossec-config(1235): ERROR: Invalid value for element 'log_format': multi-line.
>>>>>>> 2010/11/30 17:55:39 ossec-config(1202): ERROR: Configuration error at '/var/ossec/etc/shared/agent.conf'. Exiting.Started ossec-logcollector...
>>>>>>>
>>>>>>> Both the server and the client are running the same version of OSSEC
>>>>>>> HIDS, viz. version 2.5.1.
>>>>>>>
>>>>>>> In spite of the above error the agent starts up fine.
>>>>>>>
>>>>>>> Any idea what this error message means, and if it is not an error but
>>>>>>> just a warning, is there any way this message can be suppressed?
>>>>>>>
>>>>>>> Thanks again,
>>>>>>> Shaikat
>>>>>>
>>>>>> If you put that part of the configuration in the ossec.conf, do you
>>>>>> still get the error?
>>>>>>
>>>>>>> On Dec 1, 12:16 pm, "dan (ddp)" <[email protected]> wrote:
>>>>>>>> 2010/12/1 Shaikat Majumdar <[email protected]>:
>>>>>>>>> I have created an agent.conf file for centralized agent configuration
>>>>>>>>> (/var/ossec/etc/shared/agent.conf). The file is attached.
>>>>>>>>>
>>>>>>>>> I am trying to test OSSEC rules/config before deploying these changes.
>>>>>>>>>
>>>>>>>>> So I followed the instructions posted on the link
>>>>>>>>>
>>>>>>>>>> http://www.ossec.net/main/manual/creating-a-separated-directory-for-t...
>>>>>>>>>
>>>>>>>>> and then tried to run the following command.
>>>>>>>>>
>>>>>>>>> I created the directory ossectest under "~/sandbox" instead of using the
>>>>>>>>> "/tmp" directory.
>>>>>>>>>
>>>>>>>>> /var/ossec/bin/ossec-logtest -D ~/sandbox/ossectest/ -c ~/sandbox/ossectest/etc/shared/agent.conf
>>>>>>>>
>>>>>>>> You need to use etc/ossec.conf with logtest; it doesn't check the
>>>>>>>> agent.conf.
>>>>>>>>
>>>>>>>>> 2010/12/01 12:07:50 ossec-config(1230): ERROR: Invalid element in the configuration: 'agent_config'.
>>>>>>>>> 2010/12/01 12:07:50 ossec-testrule(1202): ERROR: Configuration error at '/home/smajumdar/sandbox/ossectest/etc/shared/agent.conf'. Exiting.
>>>>>>>>>
>>>>>>>>> Can someone explain what this error message means and how it can be
>>>>>>>>> rectified?
>>>>>>>>>
>>>>>>>>> I am using OSSEC HIDS v2.5.1
>>>>>>>>>
>>>>>>>>> /var/ossec/bin/ossec-logtest -V
>>>>>>>>>
>>>>>>>>> OSSEC HIDS v2.5.1 - Trend Micro Inc.
>>>>>>>>>
>>>>>>>>> This program is free software; you can redistribute it and/or modify
>>>>>>>>> it under the terms of the GNU General Public License (version 2) as
>>>>>>>>> published by the Free Software Foundation. For more details, go to
>>>>>>>>> http://www.ossec.net/main/license/
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Shaikat Majumdar
>>>>>>>>> Millburn Ridgefield Corporation
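The two points the thread settles (a 2.5.1 `log_format` of `multi-line` must carry a line count, and that count is a fixed size per event, not a range) can be checked offline with the small model below. It is an added example written for this thread, not OSSEC's own logcollector code; the space-joining of lines and the "hold back until N lines arrive" behaviour are modelling assumptions, and the sample log is constructed.

```python
import re

# Added example, not OSSEC code: models the 2.5.1 "multi-line: N" log_format.
MULTI_LINE_RE = re.compile(r"^multi-line:\s*(\d+)$")


def parse_log_format(value):
    """Return N for 'multi-line: N' (N >= 1).

    A bare 'multi-line', as in the thread's agent.conf, is rejected with the
    same wording ossec-config(1235) used.
    """
    m = MULTI_LINE_RE.match(value.strip())
    if not m or int(m.group(1)) < 1:
        raise ValueError("Invalid value for element 'log_format': %s" % value)
    return int(m.group(1))


def is_valid_log_format(value):
    """Boolean wrapper so a config can be linted before restarting agents."""
    try:
        parse_log_format(value)
        return True
    except ValueError:
        return False


def group_events(lines, lines_per_event):
    """Fixed-size grouping: every N physical lines become one event.

    There is no range mode ("1 to 50"), so an entry shorter than N is held
    back (returned as 'pending') until more lines arrive; an entry longer
    than N spills into the next event. Lines are space-joined (assumption).
    """
    events, pending = [], []
    for line in lines:
        pending.append(line.rstrip("\n"))
        if len(pending) == lines_per_event:
            events.append(" ".join(pending))
            pending = []
    return events, pending


# Constructed sample: two 3-line entries in the style of a stack-trace log.
SAMPLE_LOG = [
    "2010/12/01 12:07:50 app: request failed",
    "  at handler.process(Handler.java:42)",
    "  at main(Main.java:7)",
    "2010/12/01 12:07:51 app: request failed",
    "  at handler.process(Handler.java:42)",
    "  at main(Main.java:7)",
]
```

Running `group_events(SAMPLE_LOG[:5], 3)` shows the range problem the thread asks about: a 2-line final entry stays pending and is never emitted as an event on its own.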
