(1) I restarted the OSSEC agent on the mailserver and the log entry test on mailbox.log still failed.
(2) I got an inspiration and grepped alerts.log in the OSSEC server for mailbox.log, and I found recent activity:

2011 Jul 08 10:47:10 (flanders.inv.anglerlabs.com) 10.80.80.3->/opt/zimbra/log/mailbox.log
2011 Jul 08 11:02:42 (flanders.inv.anglerlabs.com) 10.80.80.3->/opt/zimbra/log/mailbox.log
2011 Jul 08 11:04:39 (flanders.inv.anglerlabs.com) 10.80.80.3->/opt/zimbra/log/mailbox.log
2011 Jul 08 11:06:31 (flanders.inv.anglerlabs.com) 10.80.80.3->/opt/zimbra/log/mailbox.log
2011 Jul 08 11:07:10 (flanders.inv.anglerlabs.com) 10.80.80.3->/opt/zimbra/log/mailbox.log
2011 Jul 08 11:18:27 (flanders.inv.anglerlabs.com) 10.80.80.3->/opt/zimbra/log/mailbox.log

This tells me that the OSSEC log-collector daemons are doing their job both on the OSSEC server host and on the OSSEC agent mailserver.

I grepped for "buildhost" in alerts.log and found just one current instance, and that instance was a test entry inserted in audit.log. I am 100% sure that any instances that are archived from alerts.log will be test entries inserted in audit.log.

On Jul 8, 12:24 pm, blacklight <[email protected]> wrote:
> 1. I'm assuming your audit.log file is on the same server as the
> mailbox.log, right? - Correct.
>
> 2. Is OSSEC alerting on anything in the mailbox.log file? Can you
> test with another known alert and insert it into mailbox.log and
> verify that OSSEC is alerting on it?
>
> The log entry in /var/log/secure below
>
> Jul 5 17:09:29 mailserver sshd[19395]: Accepted password for root
> from ::ffff:69.38.173.162 port 45026 ssh2
>
> is captured through our custom rule 105715
>
> <rule id="105715" level="7">
> <if_sid>5715</if_sid>
> <user>root</user>
> <!-- match>^Accepted|authenticated.$</match -->
> <description>SSHD authentication success.</description>
> <group>authentication_success,</group>
> </rule>
>
> OSSEC published the alert for this rule on 5 Jul 2011 after 17:09:29:
>
> 011 Jul 05 17:09:31 Rule Id: 105715 level: 7
> Location: (flanders.inv.anglerlabs.com) 10.80.80.3->/var/log/secure
> Src IP: ::ffff:69.38.173.162
> SSHD authentication success.
> Jul 5 17:09:29 flanders sshd[19395]: Accepted password for root
> from ::ffff:69.38.173.162 port 45026 ssh2
>
> I adjusted this log entry for time (11:41:29) and date (Jul 8),
> appended "<-- test by V." as usual and inserted it into audit.log.
> OSSEC published it almost immediately as expected:
>
> 011 Jul 08 11:41:18 Rule Id: 105715 level: 7
> Location: (flanders.inv.anglerlabs.com) 10.80.80.3->/opt/zimbra/log/
> audit.log
> Src IP: ::ffff:69.38.173.162
> SSHD authentication success.
> Jul 8 11:41:29 flanders sshd[19395]: Accepted password for root
> from ::ffff:69.38.173.162 port 45026 ssh2 <-- test by V.
>
> Unfortunately, OSSEC did not publish anything when I inserted the same
> exact entry into mailbox.log
>
> It appears at this point that OSSEC is not publishing any alert:
> nothing from mailbox.log is being published. Since all OSSEC daemons
> on the OSSEC server host are 100% operational
>
> [root@ossecserver ~]# service ossec status
> ossec-monitord is running...
> ossec-logcollector is running...
> ossec-remoted is running...
> ossec-syscheckd is running...
> ossec-analysisd is running...
> ossec-maild is running...
> ossec-execd is running...
> ossec-csyslogd is running...
>
> and so are the OSSEC daemons on the OSSEC agent host
>
> [root@mailserver log]# service ossec status
> ossec-logcollector is running...
> ossec-syscheckd is running...
> ossec-agentd is running...
> ossec-execd is running...
>
> it appears as if the OSSEC agent is not reading anything from mailbox.log,
> despite the ossec.log entry in the mailserver host claiming that the
> OSSEC agent is analyzing both audit.log and mailbox.log as I had
> mentioned yesterday.
>
> Both audit.log and mailbox.log are in the same /opt/zimbra/log
> directory, by the way :)
>
> This situation is beyond weird, and I am tempted to restart the OSSEC
> agent on the mailserver, just for the hell of it.
>
> On Jul 8, 11:07 am, Christopher Moraes <[email protected]> wrote:
>
> > 1. I'm assuming your audit.log file is on the same server as the
> > mailbox.log, right?
>
> > 2. Is OSSEC alerting on anything in the mailbox.log file? Can you test
> > with another known alert and insert it into mailbox.log and verify that
> > OSSEC is alerting on it?
>
> > On Fri, Jul 8, 2011 at 10:50 AM, blacklight <[email protected]> wrote:
>
> > > I adjusted the time again and inserted the statement in audit.log:
>
> > > 2011-07-08 10:35:39,180 INFO [main] [] misc - version=7.1.1_GA_3213
> > > release=20110624102500 builddate=20110624-1027 buildhost=zre-
> > > rhel4.eng.vmware.com <--- test by V.
>
> > > Note: OSSEC caught that event and published it as an alert, as seen
> > > below
