Hi Dan,
I figured this out. There seems to be a bug in the source code for
ossec-reportd.
*Short explanation:* The structure r_filter is not initialized in reports.c
*Detailed explanation:*
In the file 'report.c' a call is made to os_ReportdStart() passing in the
struct 'r_filter'.
r_filter has a 'show_alerts' flag which determines whether the log dump is
generated in the report.
The r_filter structure is initialized in reports-config.c:Read_CReports().
Read_CReports is called from ReadConfig() which is called by monitord (and a
few other binaries).
It seems that r_filter is only initialized if there is a reporting
configuration set in the ossec.conf file and that too only from monitord.
The reason we're seeing it work on some machines and not others is that the
uninitialized variable may be equating to true in some cases.
To temporarily fix the issue, I have added the line
r_filter->show_alerts=1;
to report.c at line 194, that is just above the line
/* the real stuff now */
os_ReportdStart(&r_filter);
I've tested and this works now on my test env.
Regards,
Chris
On Wed, Dec 15, 2010 at 11:03 AM, dan (ddp) <[email protected]> wrote:
> The only debug idea I had was strace, but that's a lot of information
> that I don't know how to read.
>
> On Wed, Dec 15, 2010 at 10:57 AM, Christopher Moraes
> <[email protected]> wrote:
> > Hi Dan,
> > I ran a few more tests, this time on 3 servers.
> > I first tested by copying the same alert file to the machines. Then I
> > noticed that each alert points to the full path of the original log file.
> > Since that path was valid only on 1 machine, I then tested by generating
> > the alert file on each machine and running the reportd command.
> > Results -
> > 1. RHEL 5.4 running ossec 2.4.1 with user 'root' - Report contains full
> log
> > dump
> > 2. Ubuntu 10.10 running ossec 2.5.1 with user 'root' - Report contains
> full
> > log dump
> > 3. RHEL 5.5 running ossec 2.5.1 with user 'root' or with sudo - Report
> > contains only the summary.
> > The only other difference is #3 is a 'production' box. I'm wondering if
> it
> > could have some additional security that is preventing the log dump being
> > generated.
> > Is there any way to debug what reportd is doing? I can't find a debug
> log
> > level for reportd in internal_ossec.conf.
> >
> >
> > On Wed, Dec 15, 2010 at 10:37 AM, dan (ddp) <[email protected]> wrote:
> >>
> >> I'm having the opposite issue, centos 5 works fine and the ubuntu
> >> system doesn't show the log dump. The log file was created on the
> >> centos machine, and I transferred it to the ubuntu.
> >> I'm not sure what else to do at the moment. Definitely odd.
> >>
> >
>
