Fortunately, size does not matter. :)

OSSEC does not have any limits on the log file size.  I have tested OSSEC
with 1TB log files and everything worked fine.


On Thu, Jul 7, 2011 at 8:39 PM, blacklight <[email protected]> wrote:

> I'd like to add that mailbox.log is a rotating log and that we
> schedule this log to rotate every night. Also note that mailbox.log is
> about 40 x larger than audit.log
>
>
> On Jul 7, 5:33 pm, blacklight <[email protected]> wrote:
> > I am using the same decoder for both log files (that's log4j above)
> >
> > I did paste the log entry into a text file, whose contents I then
> > piped through a Linux command into the target log, be it audit.log or
> > > mailbox.log. I made sure that the log entry was free of tabs. What gets
> > > me is that the zimbra server spontaneously restarted the zimbra
> > > service and generated its own startup log entry in mailbox.log. Had
> > > the zimbra server written the startup log entry into audit.log, I am
> > > 97-100% confident that OSSEC would have detected the zimbra startup
> > > log entry. Unfortunately, the zimbra server writes this log entry into
> > > mailbox.log and OSSEC is not detecting this entry - That's what gets
> > me :)
> >
> > Vietnhi Phuvan
> >
> > On Jul 7, 4:38 pm, Christopher Moraes <[email protected]> wrote:
> >
> > > Just guessing here, but the issue could be the use of spaces v/s tabs.
> >
> > > Which decoders are being used for mailbox.log and audit.log?
> >
> > > I faced a similar issue when I copied and pasted a log into a test file (the
> > > tabs got copied over).  However when I ran a script to insert the logs into
> > > a log file, the shell script implicitly replaced the tabs with spaces, and
> > > the event did not generate an alert.
> >
> > > HTH.
> >
> > > On Thu, Jul 7, 2011 at 3:52 PM, blacklight <[email protected]> wrote:
> > > > Hello Folks,
> >
> > > > I am at wits' end with an issue: I have written up an OSSEC rule that
> > > > detects whether a Zimbra mail server is acting up.
> >
> > > > There is no issue with the syntax of the rule: it passes ossec-logtest
> > > > with flying colors. The rule works 100% when I deliberately
> > > > insert for testing purposes into /opt/zimbra/log/audit.log the log
> > > > entry that the rule is designed to detect: the rule immediately shows
> > > > up in the OSSEC GUI as:
> >
> > > > 2011 Jul 07 13:06:06 Rule Id: 100111 level: 7
> > > > Location: (flanders.inv.anglerlabs.com) 10.80.80.3->/opt/zimbra/log/audit.log
> > > > Zimbra startup detected
> > > > 2011-07-07 13:06:38,180 INFO [main] [] misc - version=7.1.1_GA_3213 release=20110624102500 builddate=20110624-1027 buildhost=zre-rhel4.eng.vmware.com <-- test by V.
> >
> > > > For reference, the dummy log entry is
> >
> > > > 2011-07-07 13:06:38,180 INFO [main] [] misc - version=7.1.1_GA_3213 release=20110624102500 builddate=20110624-1027 buildhost=zre-rhel4.eng.vmware.com  <-- test by V.
> >
> > > > and is stored in a file v.4.txt
> >
> > > > It is inserted into /opt/zimbra/log/audit.log by running the command
> >
> > > > cat /tmp/v.4.txt >> /opt/zimbra/log/audit.log
> >
> > > > My problem is that when I insert the same log entry (after adjusting
> > > > the time) into /opt/zimbra/log/mailbox.log, the OSSEC GUI does not
> > > > show the entry at all.
> >
> > > > (1) I checked in /var/ossec/logs/ossec.log that OSSEC on the mail
> > > > server is actually writing to /opt/zimbra/log/mailbox.log:
> >
> > > > 2011/04/14 21:56:36 ossec-logcollector(1950): INFO: Analyzing file: '/opt/zimbra/log/mailbox.log'.
> > > > 2011/06/25 08:17:18 ossec-logcollector(1950): INFO: Analyzing file: '/opt/zimbra/log/mailbox.log'.
> >
> > > > Lest you think that OSSEC somehow stopped reading mailbox.log, I
> > > > checked that OSSEC is currently reading /opt/zimbra/log/audit.log:
> >
> > > > 2011/04/14 21:56:36 ossec-logcollector(1950): INFO: Analyzing file: '/opt/zimbra/log/audit.log'.
> > > > 2011/06/25 08:17:18 ossec-logcollector(1950): INFO: Analyzing file: '/opt/zimbra/log/audit.log'.
> >
> > > > Note the dates and times for mailbox.log and audit.log.
> >
> > > > (2) I checked the file permissions for audit.log and mailbox.log -
> > > > they match:
> >
> > > > [root@mailserver log]# ls -l mailbox.log audit.log
> > > > -rw-r-----  1 zimbra zimbra  2586778 Jul  7 15:35 audit.log
> > > > -rw-r-----  1 zimbra zimbra 94811342 Jul  7 15:35 mailbox.log
> >
> > > > Let's summarize: the log files have identical permissions, the OSSEC
> > > > agent on the mail server reports that it is reading both
> > > > /opt/zimbra/log/audit.log and /opt/zimbra/log/mailbox.log. Yet, the OSSEC GUI shows
> > > > the rule being triggered when the dummy log entry is inserted in
> > > > audit.log but not triggered when the same rule is inserted in
> > > > mailbox.log. I am losing my mental grip: what's going on?
> >
> > > > For reference,
> >
> > > > decoder
> >
> > > > <decoder name="log4j">
> > > >  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d\d\d </prematch>
> > > > </decoder>
> >
> > > > Rule:
> >
> > > >  <decoded_as>log4j</decoded_as>
> > > >  <description>Log4J Container</description>
> > > >  </rule>
> >
> > > >  <rule id="100102" level="0">
> > > >  <if_sid>100101</if_sid>
> > > >  <regex>ERROR|FATAL|INFO|WARN \S+ [\S+] \S+ - </regex>
> > > >  <description>filter out the message categories</description>
> > > >  </rule>
> >
> > > >  <rule id="100111" level="7">
> > > >   <if_sid>100102</if_sid>
> > > >   <regex>buildhost=</regex>
> > > >   <description>Zimbra startup detected</description>
> > > >  </rule>
> >
> > > > Again, I am at my wits' end: this is a situation where it should
> > > > work, must work and yet doesn't work. Do you have any ideas for
> > > > diagnostics, further investigation or resolution?
> >
> > > > Thanks,
> >
> > > > Vietnhi Phuvan
>
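
To make the tabs-versus-spaces point from this thread concrete, here is an added Python example (not OSSEC's code and not written by anyone in the thread). It translates the log4j decoder prematch and the two rule regexes posted above into Python's re module and runs the decoder -> 100101 -> 100102 -> 100111 chain over constructed log lines: the startup entry as posted, the same entry with a tab instead of a space after the timestamp, the same entry with a tab after the log level, and an ordinary log4j line with no buildhost= field. Assumptions: the translator covers only the OSSEC regex subset these patterns use, treats | as a top-level OR between whole patterns as OSSEC documents it, treats [ and ] as literals as OSSEC's engine does, and treats the cut-off container rule 100101 as matching whenever the decoder does. It shows that the literal space after the milliseconds in the prematch is the one place a stray tab prevents detection, and that the bare INFO alternative in rule 100102 matches no matter what follows the level.

```python
import re

# OSSEC decoder prematch and rule regexes exactly as posted in the thread.
DECODER_PREMATCH = r"^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d\d\d "
RULE_100102_REGEX = r"ERROR|FATAL|INFO|WARN \S+ [\S+] \S+ - "
RULE_100111_REGEX = r"buildhost="


def ossec_to_python(pattern: str) -> str:
    """Translate the OSSEC regex subset used above into a Python re pattern.

    Assumption (this translator is an added stand-in, not OSSEC's engine):
    \\d, \\s, \\S, \\w and \\t are classes; ^ $ + * | are operators, with |
    a top-level OR between whole patterns; everything else, including the
    square brackets, is a literal character.
    """
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt == "d":
                out.append("[0-9]")
            elif nxt in "sSwt":
                out.append("\\" + nxt)
            else:
                out.append(re.escape(nxt))
            i += 2
            continue
        out.append(c if c in "^$+*|" else re.escape(c))
        i += 1
    return "".join(out)


def evaluate(line: str):
    """Walk the chain log4j decoder -> 100101 -> 100102 -> 100111.

    Returns (deepest rule id matched or None, reason). Rule 100101 is the
    container that 100102 points at via if_sid; its opening tag is cut off
    in the post, so here it matches whenever the decoder does.
    """
    if not re.search(ossec_to_python(DECODER_PREMATCH), line):
        return None, "log4j prematch failed: needs a literal space after the milliseconds"
    if not re.search(ossec_to_python(RULE_100102_REGEX), line):
        return 100101, "decoded as log4j, but rule 100102 regex did not match"
    if not re.search(ossec_to_python(RULE_100111_REGEX), line):
        return 100102, "rule 100102 matched, no buildhost= field in the line"
    return 100111, "Zimbra startup detected"


# Constructed sample lines for the demonstration (not captured from a real host).
STARTUP_LINE = (
    "2011-07-07 13:06:38,180 INFO [main] [] misc - version=7.1.1_GA_3213 "
    "release=20110624102500 builddate=20110624-1027 buildhost=zre-rhel4.eng.vmware.com"
)
# Same entry with a tab instead of the space after the timestamp (what a paste can leave behind).
TAB_AFTER_TIMESTAMP = STARTUP_LINE.replace(",180 INFO", ",180\tINFO", 1)
# Tab between the level and the thread name: the prematch still holds, and the bare
# "INFO" alternative of rule 100102 still matches, so the alert still fires.
TAB_AFTER_LEVEL = STARTUP_LINE.replace("INFO [main]", "INFO\t[main]", 1)
# Ordinary log4j line without a buildhost= field: stops at rule 100102 (level 0).
ORDINARY_LINE = "2011-07-07 13:07:01,002 INFO [btpool0-1] [] mailbox - opened mailbox 42"

if __name__ == "__main__":
    samples = [
        ("spaces", STARTUP_LINE),
        ("tab after timestamp", TAB_AFTER_TIMESTAMP),
        ("tab after level", TAB_AFTER_LEVEL),
        ("ordinary line", ORDINARY_LINE),
    ]
    for name, line in samples:
        rule, why = evaluate(line)
        print(f"{name:20s} -> rule {rule}: {why}")
```

Running it prints rule 100111 for the first and third lines, None for the tab-after-timestamp line and 100102 for the ordinary line. The real check is ossec-logtest, which uses OSSEC's own engine: pasting a line that carries a tab after the timestamp into it shows the decoder not matching at all, which is the first thing to rule out when the same rule fires for one file and not another.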
