For point #2 - can you go into your alerts.log file and paste the entire alert message that is logged there. I'm interested in knowing what alert has been generated.
On Fri, Jul 8, 2011 at 3:10 PM, blacklight <[email protected]> wrote:
> (1) I restarted the OSSEC agent on the mailserver and the log
> entry test on mailbox.log still failed.
>
> (2) I got an inspiration and grepped alerts.log in the OSSEC server
> for mailbox.log, and I found recent activity:
>
> 2011 Jul 08 10:47:10 (flanders.inv.anglerlabs.com) 10.80.80.3->/opt/zimbra/log/mailbox.log
> 2011 Jul 08 11:02:42 (flanders.inv.anglerlabs.com) 10.80.80.3->/opt/zimbra/log/mailbox.log
> 2011 Jul 08 11:04:39 (flanders.inv.anglerlabs.com) 10.80.80.3->/opt/zimbra/log/mailbox.log
> 2011 Jul 08 11:06:31 (flanders.inv.anglerlabs.com) 10.80.80.3->/opt/zimbra/log/mailbox.log
> 2011 Jul 08 11:07:10 (flanders.inv.anglerlabs.com) 10.80.80.3->/opt/zimbra/log/mailbox.log
> 2011 Jul 08 11:18:27 (flanders.inv.anglerlabs.com) 10.80.80.3->/opt/zimbra/log/mailbox.log
>
> This tells me that the OSSEC log-collector daemons are doing their job
> both on the OSSEC server host and on the OSSEC agent mailserver.
>
> I grepped for "buildhost" in alerts.log and found just one current
> instance, and that instance was a test entry inserted in audit.log. I
> am 100% sure that any instances that are archived from alerts.log will
> be test entries inserted in audit.log
>
> On Jul 8, 12:24 pm, blacklight <[email protected]> wrote:
> > 1. I'm assuming your audit.log file is on the same server as the
> > mailbox.log, right? - Correct.
> >
> > 2. Is OSSEC alerting on anything in the mailbox.log file? Can you
> > test with another known alert and insert it into mailbox.log and
> > verify that OSSEC is alerting on it?
> >
> > The log entry in /var/log/secure below
> >
> > Jul 5 17:09:29 mailserver sshd[19395]: Accepted password for root
> > from ::ffff:69.38.173.162 port 45026 ssh2
> >
> > is captured through our custom rule 105715
> >
> > <rule id="105715" level="7">
> > <if_sid>5715</if_sid>
> > <user>root</user>
> > <!-- match>^Accepted|authenticated.$</match -->
> > <description>SSHD authentication success.</description>
> > <group>authentication_success,</group>
> > </rule>
> >
> > OSSEC published the alert for this rule on 5 Jul 2011 after 17:09:29:
> >
> > 011 Jul 05 17:09:31 Rule Id: 105715 level: 7
> > Location: (flanders.inv.anglerlabs.com) 10.80.80.3->/var/log/secure
> > Src IP: ::ffff:69.38.173.162
> > SSHD authentication success.
> > Jul 5 17:09:29 flanders sshd[19395]: Accepted password for root
> > from ::ffff:69.38.173.162 port 45026 ssh2
> >
> > I adjusted this log entry for time (11:41:29) and date (Jul 8),
> > appended "<-- test by V." as usual and inserted it into audit.log.
> > OSSEC published it almost immediately as expected:
> >
> > 011 Jul 08 11:41:18 Rule Id: 105715 level: 7
> > Location: (flanders.inv.anglerlabs.com) 10.80.80.3->/opt/zimbra/log/audit.log
> > Src IP: ::ffff:69.38.173.162
> > SSHD authentication success.
> > Jul 8 11:41:29 flanders sshd[19395]: Accepted password for root
> > from ::ffff:69.38.173.162 port 45026 ssh2 <-- test by V.
> >
> > Unfortunately, OSSEC did not publish anything when I inserted the same
> > exact entry into mailbox.log
> >
> > It appears at this point that OSSEC is not publishing any alert:
> > nothing from mailbox.log is being published. Since all OSSEC daemons
> > on the OSSEC server host are 100% operational
> >
> > [root@ossecserver ~]# service ossec status
> > ossec-monitord is running...
> > ossec-logcollector is running...
> > ossec-remoted is running...
> > ossec-syscheckd is running...
> > ossec-analysisd is running...
> > ossec-maild is running...
> > ossec-execd is running...
> > ossec-csyslogd is running...
> >
> > and so are the OSSEC daemons on the OSSEC agent host
> >
> > [root@mailserver log]# service ossec status
> > ossec-logcollector is running...
> > ossec-syscheckd is running...
> > ossec-agentd is running...
> > ossec-execd is running...
> >
> > it appears as if OSSEC agent is not reading anything from mailbox.log,
> > despite the ossec.log entry in the mailserver host claiming that the
> > OSSEC agent is analyzing both audit.log and mailbox.log as I had
> > mentioned yesterday.
> >
> > Both audit.log and mailbox.log are in the same /opt/zimbra/log
> > directory, by the way :)
> >
> > This situation is beyond weird, and I am tempted to restart the OSSEC
> > agent on the mailserver, just for the hell of it.
> >
> > On Jul 8, 11:07 am, Christopher Moraes <[email protected]> wrote:
> > > 1. I'm assuming your audit.log file is on the same server as the
> > > mailbox.log, right?
> > >
> > > 2. Is OSSEC alerting on anything in the mailbox.log file? Can you test
> > > with another known alert and insert it into mailbox.log and verify that
> > > OSSEC is alerting on it?
> > >
> > > On Fri, Jul 8, 2011 at 10:50 AM, blacklight <[email protected]> wrote:
> > > > I adjusted the time again and inserted the statement in audit.log:
> > > >
> > > > 2011-07-08 10:35:39,180 INFO [main] [] misc - version=7.1.1_GA_3213
> > > > release=20110624102500 builddate=20110624-1027 buildhost=zre-rhel4.eng.vmware.com <--- test by V.
> > > >
> > > > Note: OSSEC caught that event and published it as an alert, as seen
> > > > below
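The troubleshooting steps in this thread (grep alerts.log for a monitored file's Location, then check whether a marked test entry ever produced an alert) can be scripted so that the answer to "is OSSEC alerting on anything from that file?" is a list rather than an eyeball scan. The Python below is an added example, not code from the thread or from the OSSEC project. It parses alert notifications in the format quoted above (`<ts> Rule Id: <n> level: <l>`, `Location: (<agent>) <ip>-><path>`, an optional `Src IP:` line, the description, then the original log line). The sample alerts are constructed: the agent name, the paths and rule 105715 follow the thread, while the rule 1002 entry for mailbox.log, the second source IP and the timestamps are made up for the example.

```python
"""Summarise OSSEC alert notifications per monitored file.

Added example for the thread; not the thread's or OSSEC's own code.
Answers two questions a defender wants during this kind of debugging:
  1. which monitored files have never produced an alert at all, and
  2. which files a marked test entry was written to without any alert
     carrying that marker ever showing up.
"""
import re
from collections import defaultdict

# Constructed sample in the notification format quoted in the thread.
# Rule 1002, the 10.80.80.25 source and the timestamps are made up.
SAMPLE_ALERTS = """\
2011 Jul 08 11:41:18 Rule Id: 105715 level: 7
Location: (flanders.inv.anglerlabs.com) 10.80.80.3->/opt/zimbra/log/audit.log
Src IP: ::ffff:69.38.173.162
SSHD authentication success.
Jul 8 11:41:29 flanders sshd[19395]: Accepted password for root from ::ffff:69.38.173.162 port 45026 ssh2 <-- test by V.

2011 Jul 08 11:18:27 Rule Id: 1002 level: 2
Location: (flanders.inv.anglerlabs.com) 10.80.80.3->/opt/zimbra/log/mailbox.log
Unknown problem somewhere in the system.
2011-07-08 11:18:26,004 WARN [ImapServer] [] imap - connection error

2011 Jul 08 11:44:02 Rule Id: 105715 level: 7
Location: (flanders.inv.anglerlabs.com) 10.80.80.3->/var/log/secure
Src IP: 10.80.80.25
SSHD authentication success.
Jul 8 11:44:01 flanders sshd[19520]: Accepted publickey for root from 10.80.80.25 port 50112 ssh2
"""

# Files the agent is configured to read (assumed for the example) and the
# two files a marked test line was written to in the thread.
MONITORED = ["/opt/zimbra/log/audit.log", "/opt/zimbra/log/mailbox.log", "/var/log/secure"]
TEST_TARGETS = ["/opt/zimbra/log/audit.log", "/opt/zimbra/log/mailbox.log"]
TEST_MARKER = "<-- test by V."

HEADER_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) Rule Id: (?P<rule>\d+) level: (?P<level>\d+)$"
)
LOCATION_RE = re.compile(r"^Location: \((?P<agent>[^)]+)\) (?P<ip>\S+)->(?P<path>\S+)$")


def parse_alerts(text):
    """Split notification text on blank lines and return one dict per alert.

    Blocks that do not start with a header and a Location line are skipped,
    so unrelated text mixed into the file does not break the parse.
    """
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln for ln in block.splitlines() if ln.strip()]
        if len(lines) < 2:
            continue
        header = HEADER_RE.match(lines[0])
        location = LOCATION_RE.match(lines[1])
        if not (header and location):
            continue
        rest = lines[2:]
        src_ip = None
        # "Src IP:" is only present when the decoder extracted a source address.
        if rest and rest[0].startswith("Src IP: "):
            src_ip = rest.pop(0)[len("Src IP: "):]
        description = rest[0] if rest else ""
        records.append({
            "timestamp": header["ts"],
            "rule_id": int(header["rule"]),
            "level": int(header["level"]),
            "agent": location["agent"],
            "agent_ip": location["ip"],
            "path": location["path"],
            "src_ip": src_ip,
            "description": description,
            "log": "\n".join(rest[1:]),  # original log line(s) that fired the rule
        })
    return records


def alerts_by_path(records):
    """Map each alert Location path to the list of rule ids that fired on it."""
    out = defaultdict(list)
    for r in records:
        out[r["path"]].append(r["rule_id"])
    return dict(out)


def silent_files(records, monitored):
    """Monitored paths that never appear as an alert Location."""
    seen = {r["path"] for r in records}
    return sorted(p for p in monitored if p not in seen)


def targets_without_test_alert(records, targets, marker=TEST_MARKER):
    """Paths in `targets` for which no alert's original log line carries `marker`."""
    hit = {r["path"] for r in records if marker in r["log"]}
    return sorted(p for p in targets if p not in hit)


if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_ALERTS)
    for path, rules in sorted(alerts_by_path(recs).items()):
        print(f"{path}: {len(rules)} alert(s), rule ids {sorted(set(rules))}")
    print("monitored files with no alerts:", silent_files(recs, MONITORED))
    print("test targets with no marked alert:", targets_without_test_alert(recs, TEST_TARGETS))
```

Run against real notification text (for example the body of the alert mails, or `alerts.log` reformatted the same way), the second check separates the two situations the thread conflates: a file that the agent is not reading at all shows up in `silent_files`, whereas a file that is being read but whose test line matched no rule shows up only in `targets_without_test_alert`, which is what the sample reproduces for mailbox.log.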
