Interesting. I'll give that a shot tomorrow to see if it works for me.
*also cc'ing ossec-dev so the information makes it there as well

On Wed, Dec 15, 2010 at 4:08 PM, Christopher Moraes
<[email protected]> wrote:
> Hi Dan,
> I figured this out.  There seems to be a bug in the source code for
> ossec-reportd.
> Short explanation:  The structure r_filter is not initialized in reports.c
> Detailed explanation:
> In the file 'report.c' a call is made to os_ReportdStart() passing in the
> struct 'r_filter'.
> r_filter has a 'show_alerts' flag which determines whether the log dump is
> generated in the report.
> The r_filter structure is initialized in reports-config.c:Read_CReports().
> Read_CReports is called from ReadConfig() which is called by monitord (and a
> few other binaries).
> It seems that r_filter is only initialized if there is a reporting
> configuration set in the ossec.conf file and that too only from monitord.
> The reason we're seeing it work on some machines and not others is that the
> uninitialized variable may be equating to true in some cases.
> To temporarily fix the issue, I have added the line
>           r_filter->show_alerts=1;
> to report.c at line 194, that is just above the line
>     /* the real stuff now */
>     os_ReportdStart(&r_filter);
> I've tested and this works now on my test env.
> Regards,
> Chris
>
>
>
> On Wed, Dec 15, 2010 at 11:03 AM, dan (ddp) <[email protected]> wrote:
>>
>> The only debug idea I had was strace, but that's a lot of information
>> that I don't know how to read.
>>
>> On Wed, Dec 15, 2010 at 10:57 AM, Christopher Moraes
>> <[email protected]> wrote:
>> > Hi Dan,
>> > I ran a few more tests, this time on 3 servers.
>> > I first tested by copying the same alert file to the machines.  Then I
>> > noticed that each alert points to the full path of the original log file.
>> > Since that path was valid only on 1 machine, I then tested by generating
>> > the alert file on each machine and running the reportd command.
>> > Results -
>> > 1.  RHEL 5.4 running ossec 2.4.1 with user 'root' - Report contains full log dump
>> > 2.  Ubuntu 10.10 running ossec 2.5.1 with user 'root' - Report contains full log dump
>> > 3.  RHEL 5.5 running ossec 2.5.1 with user 'root' or with sudo - Report contains only the summary.
>> > The only other difference is #3 is a 'production' box.  I'm wondering if it
>> > could have some additional security that is preventing the log dump being
>> > generated.
>> > Is there any way to debug what reportd is doing?   I can't find a debug log
>> > level for reportd in internal_ossec.conf.
>> >
>> >
>> > On Wed, Dec 15, 2010 at 10:37 AM, dan (ddp) <[email protected]> wrote:
>> >>
>> >> I'm having the opposite issue, centos 5 works fine and the ubuntu
>> >> system doesn't show the log dump. The log file was created on the
>> >> centos machine, and I transferred it to the ubuntu.
>> >> I'm not sure what else to do at the moment. Definitely odd.
>> >>
>> >
>
>

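The failure Chris describes (a struct whose field is only set when a config section exists, so consumers see whatever happened to be on the stack) is a classic uninitialized-read bug. The following is an added illustration written for this thread, not OSSEC's code: the struct `report_filter`, the functions `read_report_config`, `filter_init_defaults`, `report_would_dump` and `run_report` are all hypothetical stand-ins modelled on the description of `r_filter` and `show_alerts` above. Because reading genuinely uninitialized memory is undefined behaviour, the "buggy" path simulates the observed false-valued garbage deterministically; the point is the fix pattern, which is to establish defaults unconditionally before any conditional reader runs.

```c
#include <string.h>
#include <stdio.h>

/* Hypothetical filter struct modelled on the thread's r_filter; not OSSEC's definition. */
typedef struct {
    int show_alerts;     /* nonzero: include the full alert dump in the report */
    int min_level;       /* minimum alert level to include */
    const char *group;   /* optional rule group filter, NULL for none */
} report_filter;

/* Mimics a config reader that only touches fields when a reporting section
 * is present. When it is absent the struct is left exactly as it came in,
 * which is the bug path described in the thread. */
static void read_report_config(report_filter *f, int config_present)
{
    if (!config_present)
        return;
    f->show_alerts = 1;
    f->min_level = 7;
    f->group = "syslog";
}

/* Defensive fix: every field gets a documented default before any
 * conditional reader runs, so the consumer never sees indeterminate values. */
static void filter_init_defaults(report_filter *f)
{
    memset(f, 0, sizeof *f);   /* no padding or pointer field left indeterminate */
    f->show_alerts = 1;        /* default: include the dump, matching the temporary fix */
    f->min_level = 0;
    f->group = NULL;
}

/* Consumer side: returns 1 if a dump would be produced, 0 otherwise. */
static int report_would_dump(const report_filter *f)
{
    return f->show_alerts != 0;
}

/* Drive both flows. init_defaults_first=0 reproduces the reported behaviour:
 * the struct is "initialized" to zero here only to stand in for stack garbage
 * that happened to read as false on the RHEL 5.5 box. */
int run_report(int config_present, int init_defaults_first)
{
    report_filter f;
    if (init_defaults_first)
        filter_init_defaults(&f);
    else
        memset(&f, 0, sizeof f);   /* constructed stand-in for indeterminate memory */

    read_report_config(&f, config_present);
    return report_would_dump(&f);
}

int main(void)
{
    printf("config present,  no defaults : dump=%d\n", run_report(1, 0));
    printf("config absent,   no defaults : dump=%d (the reported bug)\n", run_report(0, 0));
    printf("config absent,   defaults    : dump=%d\n", run_report(0, 1));
    printf("config present,  defaults    : dump=%d\n", run_report(1, 1));
    return 0;
}
```

For catching the real thing rather than a simulation, build with `-Wall -Wextra` (gcc's `-Wmaybe-uninitialized` fires on simple cases) and run the binary under valgrind, which reports a "Conditional jump or move depends on uninitialised value(s)" at the first branch on the field; that answers the "is there any way to debug what reportd is doing" question above without needing a reportd debug level.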