Can you show the logs from the server, please?

Sure, but I have it running in debug mode, so it's pretty verbose. The last page is shown below, but if you want me to search for a specific pattern, please let me know.

Thanks,
Scott


2010/12/02 08:57:16 Pattern == "r:^Fedora && r:release 1"
2010/12/02 08:57:16 pt_result == 0 and full_negate == 0
2010/12/02 08:57:16 checking file: /etc/fedora-release
2010/12/02 08:57:16  starting new file: /etc/fedora-release
2010/12/02 08:57:16 pattern: ^Fedora matches Fedora release 9 (Sulphur).
2010/12/02 08:57:16 Buf == "Fedora release 9 (Sulphur)"
2010/12/02 08:57:16 Pattern == "r:^Fedora && r:release 2"
2010/12/02 08:57:16 pt_result == 0 and full_negate == 0
2010/12/02 08:57:16 checking file: /etc/fedora-release
2010/12/02 08:57:16  starting new file: /etc/fedora-release
2010/12/02 08:57:16 pattern: ^Fedora matches Fedora release 9 (Sulphur).
2010/12/02 08:57:16 Buf == "Fedora release 9 (Sulphur)"
2010/12/02 08:57:16 Pattern == "r:^Fedora && r:release 3"
2010/12/02 08:57:16 pt_result == 0 and full_negate == 0
2010/12/02 08:57:16 checking file: /etc/fedora-release
2010/12/02 08:57:16  starting new file: /etc/fedora-release
2010/12/02 08:57:16 pattern: ^Fedora matches Fedora release 9 (Sulphur).
2010/12/02 08:57:16 Buf == "Fedora release 9 (Sulphur)"
2010/12/02 08:57:16 Pattern == "r:^Fedora && r:release 4"
2010/12/02 08:57:16 pt_result == 0 and full_negate == 0
2010/12/02 08:57:16 checking file: /etc/fedora-release
2010/12/02 08:57:16  starting new file: /etc/fedora-release
2010/12/02 08:57:16 pattern: ^Fedora matches Fedora release 9 (Sulphur).
2010/12/02 08:57:16 Buf == "Fedora release 9 (Sulphur)"
2010/12/02 08:57:16 Pattern == "r:^Fedora && r:release 5"
2010/12/02 08:57:16 pt_result == 0 and full_negate == 0
2010/12/02 08:57:16 ossec-rootcheck: DEBUG: Starting on check_rc_unixaudit
2010/12/02 08:57:16 checking file: /etc/redhat-release
2010/12/02 08:57:16  starting new file: /etc/redhat-release
2010/12/02 08:57:16 Buf == "Fedora release 9 (Sulphur)"
2010/12/02 08:57:16 Pattern == "r:^Red Hat Enterprise Linux \S+ release 5"
2010/12/02 08:57:16 pt_result == 0 and full_negate == 0
2010/12/02 08:57:16 checking file: /etc/redhat-release
2010/12/02 08:57:16  starting new file: /etc/redhat-release
2010/12/02 08:57:16 Buf == "Fedora release 9 (Sulphur)"
2010/12/02 08:57:16 Pattern == "r:^CentOS && r:release 5.2"
2010/12/02 08:57:16 pt_result == 0 and full_negate == 0
2010/12/02 08:57:16 ossec-rootcheck: DEBUG: Going into check_rc_dev
2010/12/02 08:57:16 ossec-rootcheck: DEBUG: Starting on check_rc_dev
2010/12/02 08:57:16 ossec-rootcheck: DEBUG: Going into check_rc_sys
2010/12/02 08:57:16 ossec-rootcheck: DEBUG: Starting on check_rc_sys
2010/12/02 08:58:27 ossec-rootcheck: DEBUG: Going into check_rc_pids
2010/12/02 09:16:43 ossec-rootcheck: DEBUG: Going into check_rc_ports
2010/12/02 09:17:07 ossec-rootcheck: DEBUG: Going into check_open_ports
2010/12/02 09:17:07 ossec-rootcheck: DEBUG: Going into check_rc_if
2010/12/02 09:17:07 ossec-rootcheck: DEBUG: Completed with all checks.
2010/12/02 09:17:12 ossec-rootcheck: INFO: Ending rootcheck scan.
2010/12/02 09:17:12 ossec-rootcheck: DEBUG: Leaving run_rk_check


I tried the following greps:

[r...@ackbar logs]# cat ossec.log | grep -i skywarp
[r...@ackbar logs]# cat ossec.log | grep -i wombat
[r...@ackbar logs]# cat ossec.log | grep -i agent
2010/12/02 07:54:02 Buf == "; user_agent="PHP""
2010/12/02 07:54:02 Buf == "; Define the User-Agent string"
2010/12/02 07:54:02 Buf == "; user_agent="PHP""
2010/12/02 08:57:09 Buf == "; Define the User-Agent string"
2010/12/02 08:57:09 Buf == "; user_agent="PHP""
2010/12/02 08:57:09 Buf == "; Define the User-Agent string"
2010/12/02 08:57:09 Buf == "; user_agent="PHP""
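Because the debug log is verbose, a small summarizer that groups the lines per evaluated rootcheck pattern makes it easier to answer "which patterns were tried, against which file contents, and did any of them fire" without paging through the whole file. The following is an added example, not part of this thread and not OSSEC's own code; the sample input is a constructed subset of the lines quoted above, and the parser assumes the ordering visible there: the `checking file`, `pattern: X matches Y` and `Buf == ...` lines belong to the evaluation that is then closed by `Pattern == ...` and `pt_result == N and full_negate == M`.

```python
import re

# Constructed sample: a subset of the ossec-rootcheck debug lines quoted
# in the thread above, kept in their original order.
SAMPLE_LOG = """\
2010/12/02 08:57:16 Pattern == "r:^Fedora && r:release 1"
2010/12/02 08:57:16 pt_result == 0 and full_negate == 0
2010/12/02 08:57:16 checking file: /etc/fedora-release
2010/12/02 08:57:16  starting new file: /etc/fedora-release
2010/12/02 08:57:16 pattern: ^Fedora matches Fedora release 9 (Sulphur).
2010/12/02 08:57:16 Buf == "Fedora release 9 (Sulphur)"
2010/12/02 08:57:16 Pattern == "r:^Fedora && r:release 2"
2010/12/02 08:57:16 pt_result == 0 and full_negate == 0
2010/12/02 08:57:16 ossec-rootcheck: DEBUG: Starting on check_rc_unixaudit
2010/12/02 08:57:16 checking file: /etc/redhat-release
2010/12/02 08:57:16  starting new file: /etc/redhat-release
2010/12/02 08:57:16 Buf == "Fedora release 9 (Sulphur)"
2010/12/02 08:57:16 Pattern == "r:^Red Hat Enterprise Linux \\S+ release 5"
2010/12/02 08:57:16 pt_result == 0 and full_negate == 0
"""

TS_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} (.*)$")
PATTERN_RE = re.compile(r'^Pattern == "(.*)"$')
RESULT_RE = re.compile(r"^pt_result == (\d+) and full_negate == (\d+)$")
FILE_RE = re.compile(r"^checking file: (.*)$")
BUF_RE = re.compile(r'^Buf == "(.*)"$')
SUBMATCH_RE = re.compile(r"^pattern: (.*?) matches (.*)\.$")


def _new_pending():
    return {"pattern": None, "files": [], "bufs": [], "submatches": []}


def parse_rootcheck_debug(text):
    """Group the debug lines into one record per evaluated rootcheck Pattern.

    Assumption (from the ordering seen in the quoted log): 'checking file',
    'pattern: X matches Y' and 'Buf == ...' lines belong to the evaluation
    that is closed by 'Pattern == ...' followed by 'pt_result == N and
    full_negate == M'. Other DEBUG lines are ignored.
    """
    records = []
    pending = _new_pending()
    for raw in text.splitlines():
        ts = TS_RE.match(raw)
        if not ts:
            continue
        body = ts.group(1).strip()
        fm = FILE_RE.match(body)
        if fm:
            pending["files"].append(fm.group(1))
            continue
        sm = SUBMATCH_RE.match(body)
        if sm:
            pending["submatches"].append((sm.group(1), sm.group(2)))
            continue
        bm = BUF_RE.match(body)
        if bm:
            pending["bufs"].append(bm.group(1))
            continue
        pm = PATTERN_RE.match(body)
        if pm:
            pending["pattern"] = pm.group(1)
            continue
        rm = RESULT_RE.match(body)
        if rm and pending["pattern"] is not None:
            pending["pt_result"] = int(rm.group(1))
            pending["full_negate"] = int(rm.group(2))
            records.append(pending)
            pending = _new_pending()
    return records


def matched_records(records):
    """Evaluations whose final result was non-zero, i.e. the pattern fired."""
    return [r for r in records if r["pt_result"] != 0]


def records_mentioning(records, needle):
    """Evaluations whose file contents (Buf lines) contain needle, case-insensitively."""
    needle = needle.lower()
    return [r for r in records if any(needle in b.lower() for b in r["bufs"])]


def summarize(records):
    """One line per evaluation: result, pattern, files and the sub-patterns that matched."""
    lines = []
    for r in records:
        subs = ", ".join(s for s, _ in r["submatches"]) or "none"
        lines.append(f"pt_result={r['pt_result']} pattern={r['pattern']!r} "
                     f"files={r['files']} sub-patterns matched: {subs}")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_rootcheck_debug(SAMPLE_LOG)):
        print(line)
```

On the quoted log every `pt_result` is 0, so `matched_records` returns nothing; the summary still shows that `^Fedora` matched while none of the `release N` sub-patterns did, which is exactly what a `Buf` of `Fedora release 9 (Sulphur)` implies. `records_mentioning` does the same job as the `grep -i` calls above, but restricted to file contents the checks actually read.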
