Hello Folks,

I am at wits' end with an issue: I have written up an OSSEC rule that
detects whether a Zimbra mail server is acting up.

There is no issue with the syntax of the rule: it passes ossec-logtest
with flying colors. The rule works 100% when, for testing purposes, I
deliberately insert into /opt/zimbra/log/audit.log the log entry that
the rule is designed to detect: the rule immediately shows up in the
OSSEC GUI as:


2011 Jul 07 13:06:06 Rule Id: 100111 level: 7
Location: (flanders.inv.anglerlabs.com) 10.80.80.3->/opt/zimbra/log/audit.log
Zimbra startup detected
2011-07-07 13:06:38,180 INFO [main] [] misc - version=7.1.1_GA_3213 release=20110624102500 builddate=20110624-1027 buildhost=zre-rhel4.eng.vmware.com <-- test by V.


For reference, the dummy log entry is


2011-07-07 13:06:38,180 INFO [main] [] misc - version=7.1.1_GA_3213 release=20110624102500 builddate=20110624-1027 buildhost=zre-rhel4.eng.vmware.com <-- test by V.

and is stored in the file /tmp/v.4.txt.


It is inserted into /opt/zimbra/log/audit.log by running the command

cat /tmp/v.4.txt >> /opt/zimbra/log/audit.log


My problem is that when I insert the same log entry (after adjusting
the time) into /opt/zimbra/log/mailbox.log, the OSSEC GUI does not
show the entry at all.

(1) I checked in /var/ossec/logs/ossec.log that OSSEC on the mail
server is actually reading /opt/zimbra/log/mailbox.log:

2011/04/14 21:56:36 ossec-logcollector(1950): INFO: Analyzing file: '/opt/zimbra/log/mailbox.log'.
2011/06/25 08:17:18 ossec-logcollector(1950): INFO: Analyzing file: '/opt/zimbra/log/mailbox.log'.

Lest you think that OSSEC somehow stopped reading mailbox.log, I
checked that OSSEC is currently reading /opt/zimbra/log/audit.log:

2011/04/14 21:56:36 ossec-logcollector(1950): INFO: Analyzing file: '/opt/zimbra/log/audit.log'.
2011/06/25 08:17:18 ossec-logcollector(1950): INFO: Analyzing file: '/opt/zimbra/log/audit.log'.

Note the dates and times for mailbox.log and audit.log.


(2) I checked the file permissions for audit.log and mailbox.log -
they match:

[root@mailserver log]# ls -l mailbox.log audit.log
-rw-r-----  1 zimbra zimbra  2586778 Jul  7 15:35 audit.log
-rw-r-----  1 zimbra zimbra 94811342 Jul  7 15:35 mailbox.log



Let's summarize: the log files have identical permissions, and the OSSEC
agent on the mail server reports that it is reading both /opt/zimbra/log/
audit.log and /opt/zimbra/log/mailbox.log. Yet the OSSEC GUI shows the
rule being triggered when the dummy log entry is inserted in audit.log
but not triggered when the same entry is inserted in mailbox.log. I am
losing my mental grip: what's going on?

For reference,

decoder

<decoder name="log4j">
 <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d\d\d </prematch>
</decoder>


Rules:

 <!-- The opening <group> and <rule id="100101"> tags were cut off in the post;
      they are reconstructed here so the fragment loads. The group name and
      level 0 for the container rule are assumptions. -->
 <group name="local,">

 <rule id="100101" level="0">
  <decoded_as>log4j</decoded_as>
  <description>Log4J Container</description>
 </rule>

 <rule id="100102" level="0">
  <if_sid>100101</if_sid>
  <regex>ERROR|FATAL|INFO|WARN \S+ [\S+] \S+ - </regex>
  <description>filter out the message categories</description>
 </rule>

 <rule id="100111" level="7">
   <if_sid>100102</if_sid>
   <regex>buildhost=</regex>
   <description>Zimbra startup detected</description>
 </rule>

 </group>


Again, I am at my wits' ends: this is a situation where it should
work, must work and yet doesn't work. Do you have any ideas for
diagnostics, further investigation or resolution?

Thanks,

Vietnhi Phuvan
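A diagnostic a practitioner would run on the agent for a problem like the one above, added here as an example; it is not part of the original post and not OSSEC's own tooling. It separates the two halves of the pipeline: whether a file is actually named in a `<localfile>` block of ossec.conf (ossec-logtest exercises decoders and rules only, never collection), and whether a given line would pass the posted decoder prematch and the 100102 -> 100111 rule chain, approximated in POSIX ERE since grep does not speak OSSEC's regex dialect. The ossec.conf fragment is constructed for the example (it deliberately omits mailbox.log); the test line is the dummy entry from the post.

```shell
#!/bin/sh
# Added example, not from the original post or from OSSEC itself.
#   1. localfile_format: is PATH listed in a <localfile> block, and with what
#      <log_format>? The "Analyzing file" lines in ossec.log only show what
#      logcollector opened; the config is what it will keep reading.
#   2. rule_would_fire: would LINE pass the decoder prematch, rule 100102 and
#      rule 100111 as posted (POSIX ERE approximations of the OSSEC patterns)?

# Constructed ossec.conf fragment so the script runs offline. On a real
# agent pass "$(cat /var/ossec/etc/ossec.conf)" instead.
SAMPLE_CONF='<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/opt/zimbra/log/audit.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/opt/zimbra/log/zimbra.log</location>
  </localfile>
</ossec_config>'

# The dummy log entry from the post, as one line.
TEST_LINE='2011-07-07 13:06:38,180 INFO [main] [] misc - version=7.1.1_GA_3213 release=20110624102500 builddate=20110624-1027 buildhost=zre-rhel4.eng.vmware.com <-- test by V.'

# localfile_format CONF_TEXT PATH
# Prints the <log_format> of the <localfile> block whose <location> equals
# PATH, or NOT-COLLECTED when no block names that exact path.
localfile_format() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /<localfile>/   { fmt = ""; loc = "" }
        /<log_format>/  { s = $0; sub(/.*<log_format>/, "", s); sub(/<\/log_format>.*/, "", s); fmt = s }
        /<location>/    { s = $0; sub(/.*<location>/, "", s);   sub(/<\/location>.*/, "", s);   loc = s }
        /<\/localfile>/ { if (loc == want) { print fmt; found = 1 } }
        END             { if (!found) print "NOT-COLLECTED" }'
}

# rule_would_fire LINE
# Returns 0 when LINE passes all three stages of the posted chain.
rule_would_fire() {
    line=$1
    # decoder "log4j" prematch: ^YYYY-MM-DD HH:MM:SS,mmm<space>
    # (the post writes \d\d\d\d because OSSEC's dialect has no {n})
    printf '%s\n' "$line" | grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2},[0-9]{3} ' || return 1
    # rule 100102, approximated as "a log4j level token follows the timestamp"
    printf '%s\n' "$line" | grep -Eq ' (ERROR|FATAL|INFO|WARN) ' || return 1
    # rule 100111: the startup marker
    case $line in *buildhost=*) return 0 ;; esac
    return 1
}

# report CONF_TEXT PATH LINE: one readable line per file under test.
report() {
    fmt=$(localfile_format "$1" "$2")
    if rule_would_fire "$3"; then fire=yes; else fire=no; fi
    printf '%-30s collected=%-14s rule_100111_would_fire=%s\n' "$2" "$fmt" "$fire"
}

report "$SAMPLE_CONF" /opt/zimbra/log/audit.log   "$TEST_LINE"
report "$SAMPLE_CONF" /opt/zimbra/log/mailbox.log "$TEST_LINE"
```

When the second column differs between the two files while the third is `yes` for both, the rule chain is not what separates them and the search moves to collection and transport: what the agent's ossec.conf actually lists for mailbox.log, and whether the line reaches the manager at all, which `<logall>yes</logall>` in the manager's `<global>` section makes visible in /var/ossec/logs/archives/archives.log before any decoder or rule is consulted.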
