Feel free to blame my outstanding cut-and-paste work: :)

[root@flanders logs]# grep '2011/07/08 14:43:07' ossec.log
2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2011/07/08 14:43:07 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/httpd/*_log'.
2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/*_log'.
2011/07/08 14:43:07 ossec-logcollector(1103): ERROR: Unable to open file '/var/lib/pgsql/pgstartup.log'.
2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/lib/pgsql/pgstartup.log'.
2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/opt/zimbra/log/mailbox.log'.   <---
2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/opt/zimbra/log/audit.log'.   <------
2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/zimbra.log'.
2011/07/08 14:43:07 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/ha-log'.
2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/ha-log'.
2011/07/08 14:43:07 ossec-logcollector: INFO: Started (pid: 13385).
On Jul 11, 8:53 am, Christopher Moraes <[email protected]> wrote:
> The logs do not mention that audit.log or mailbox.log are being monitored.
> Is there something missing from the logs?
>
> On Fri, Jul 8, 2011 at 4:27 PM, blacklight <[email protected]> wrote:
> > 2011/07/08 14:42:34 ossec-syscheckd: INFO: Ending syscheck scan.
> > 2011/07/08 14:43:01 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning...
> > 2011/07/08 14:43:01 ossec-agentd(1225): INFO: SIGNAL Received. Exit Cleaning...
> > 2011/07/08 14:43:01 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
> > 2011/07/08 14:43:01 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
> > 2011/07/08 14:43:01 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
> > 2011/07/08 14:43:01 ossec-config(1121): ERROR: Glob error. Invalid pattern: '/var/log/httpd/*_log'.
> > 2011/07/08 14:43:01 ossec-config(1121): ERROR: Glob error. Invalid pattern: '/var/log/httpd/*_log'.
> > 2011/07/08 14:43:01 ossec-execd: INFO: Started (pid: 13377).
> > 2011/07/08 14:43:01 ossec-agentd(1410): INFO: Reading authentication keys file.
> > 2011/07/08 14:43:01 ossec-agentd: INFO: Assigning counter for agent flanders.inv.anglerlabs.com: '17001:1586'.
> > 2011/07/08 14:43:01 ossec-agentd: INFO: Assigning sender counter: 193495:6478
> > 2011/07/08 14:43:01 ossec-agentd: INFO: Started (pid: 13381).
> > 2011/07/08 14:43:01 ossec-agentd: INFO: Server IP Address: 10.80.80.100
> > 2011/07/08 14:43:01 ossec-agentd: INFO: Trying to connect to server (10.80.80.100:1514).
> > 2011/07/08 14:43:02 ossec-agentd(4102): INFO: Connected to the server (10.80.80.100:1514).
> > 2011/07/08 14:43:05 ossec-syscheckd: INFO: Started (pid: 13389).
> > 2011/07/08 14:43:05 ossec-rootcheck: INFO: Started (pid: 13389).
> > 2011/07/08 14:43:05 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> > 2011/07/08 14:43:05 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
> > 2011/07/08 14:43:05 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
> > 2011/07/08 14:43:05 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> > 2011/07/08 14:43:05 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
> > 2011/07/08 14:43:05 ossec-syscheckd: INFO: Monitoring directory: '/var/named'.
> > 2011/07/08 14:43:05 ossec-syscheckd: INFO: Monitoring directory: '/root/.ssh'.
> > 2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
> > 2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
> > 2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
> > 2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
> > 2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
> > 2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
> > 2011/07/08 14:43:07 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/httpd/*_log'.
> > 2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/*_log'.
> > 2011/07/08 14:43:07 ossec-logcollector(1103): ERROR: Unable to open file '/var/lib/pgsql/pgstartup.log'.
> > 2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/lib/pgsql/pgstartup.log'.
> > 2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/opt/zimbra/log/mailbox.log'.
> > 2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/opt/zimbra/log/audit.log'.
> > 2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/zimbra.log'.
> > 2011/07/08 14:43:07 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/ha-log'.
> > 2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/ha-log'.
> > 2011/07/08 14:43:07 ossec-logcollector: INFO: Started (pid: 13385).
> > 2011/07/08 14:43:37 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> > 2011/07/08 14:45:18 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/httpd/*_log'.
> > 2011/07/08 14:45:18 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/lib/pgsql/pgstartup.log'.
> > 2011/07/08 14:45:18 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/ha-log'.
> > 2011/07/08 14:46:25 ossec-syscheckd: WARN: Error opening directory: '/var/named': No such file or directory
> > 2011/07/08 14:46:25 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
> > 2011/07/08 14:47:30 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/ha-log'.
> > 2011/07/08 14:48:25 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> > 2011/07/08 14:49:41 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/ha-log'.
> > 2011/07/08 14:51:52 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/ha-log'.
> > 2011/07/08 14:52:17 ossec-agentd: INFO: Event count after '20000': 4674605->3893616 (83%)
> > 2011/07/08 14:54:03 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/ha-log'.
> > 2011/07/08 14:56:02 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
> > 2011/07/08 14:56:14 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/ha-log'.
> > 2011/07/08 14:56:22 ossec-rootcheck: INFO: Starting rootcheck scan.
> > 2011/07/08 14:58:25 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/ha-log'.
> > 2011/07/08 15:00:37 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/ha-log'.
> > 2011/07/08 15:02:46 ossec-agentd: INFO: Event count after '20000': 4662410->3882584 (83%)
> > 2011/07/08 15:02:48 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/ha-log'.
> > 2011/07/08 15:12:37 ossec-agentd: INFO: Event count after '20000': 4761351->3974808 (83%)
> > 2011/07/08 15:21:29 ossec-agentd: INFO: Event count after '20000': 4780493->3986800 (83%)
> > 2011/07/08 15:22:52 ossec-rootcheck: INFO: Ending rootcheck scan.
> > 2011/07/08 15:22:52 ossec-syscheckd: INFO: Starting syscheck scan.
> > 2011/07/08 15:31:05 ossec-agentd: INFO: Event count after '20000': 4763412->3977096 (83%)
> > 2011/07/08 15:33:15 ossec-syscheckd: INFO: Ending syscheck scan.
> > 2011/07/08 15:38:15 ossec-syscheckd: INFO: Starting syscheck scan.
> > 2011/07/08 15:40:46 ossec-agentd: INFO: Event count after '20000': 4783612->3991336 (83%)
> > 2011/07/08 15:48:38 ossec-syscheckd: INFO: Ending syscheck scan.
> > 2011/07/08 15:49:14 ossec-agentd: INFO: Event count after '20000': 4755376->3967920 (83%)
> > 2011/07/08 15:53:38 ossec-syscheckd: INFO: Starting syscheck scan.
> > 2011/07/08 15:59:02 ossec-agentd: INFO: Event count after '20000': 4920194->4066320 (82%)
> > 2011/07/08 16:04:01 ossec-syscheckd: INFO: Ending syscheck scan.
> > 2011/07/08 16:08:02 ossec-agentd: INFO: Event count after '20000': 4873936->4053080 (83%)
> > 2011/07/08 16:09:01 ossec-syscheckd: INFO: Starting syscheck scan.
> > 2011/07/08 16:16:54 ossec-agentd: INFO: Event count after '20000': 4801849->4005736 (83%)
> >
> > On Jul 8, 3:16 pm, Christopher Moraes <[email protected]> wrote:
> > > Ok, so it seems that there is some progress (in our analysis).
> > >
> > > Can you paste the full contents of the ossec.log file on agent (since the last restart).
> > > > On Fri, Jul 8, 2011 at 12:24 PM, blacklight <[email protected]> wrote:
> > > > It appears at this point that OSSEC is not publishing any alert; nothing from mailbox.log is being published. Since all OSSEC daemons on the OSSEC server host are 100% operational
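The question in this thread (is logcollector actually watching mailbox.log and audit.log?) is answered by the "Analyzing file", "Unable to open file", "File not available, ignoring it" and "Glob error" messages in the agent's ossec.log, and the mail-wrapped paths above are exactly what makes a plain grep miss them. Here is an added example (my own script, not OSSEC code) that re-joins such wrapped paths and reports a per-file status; the sample lines are constructed from the messages quoted in the thread, and the status labels are my reading of those messages.

```python
"""Per-file logcollector status from an OSSEC agent's ossec.log.
Added example (not OSSEC code); sample lines are constructed from this thread.
PATTERNS are the message shapes ossec-logcollector / ossec-config write."""
import re

PATTERNS = [
    (re.compile(r"ossec-logcollector\(\d+\): INFO: Analyzing file: '([^']+)'"), "analyzing"),
    (re.compile(r"ossec-logcollector\(\d+\): ERROR: Unable to open file '([^']+)'"), "open_error"),
    (re.compile(r"ossec-logcollector\(\d+\): INFO: File not available, ignoring it: '([^']+)'"), "ignored"),
    (re.compile(r"ossec-config\(\d+\): ERROR: Glob error\. Invalid pattern: '([^']+)'"), "glob_error"),
]
KINDS = [kind for _, kind in PATTERNS]

def unwrap(text):
    """Re-join a path that a mail client split right after the leading '/'
    (e.g. "'/" at the end of one line, "> > opt/zimbra/log/mailbox.log'" on the next)."""
    return re.sub(r"'/\s*\n\s*(?:>\s*)*", "'/", text)

def logcollector_status(text):
    """Map each path named in the log to counts of the four message kinds."""
    status = {}
    for line in unwrap(text).splitlines():
        for rx, kind in PATTERNS:
            m = rx.search(line)
            if m:
                status.setdefault(m.group(1), dict.fromkeys(KINDS, 0))[kind] += 1
    return status

def verdict(counts):
    """'ignored' means logcollector stopped trying; a bare open error is still retried."""
    if counts["glob_error"] or counts["ignored"]:
        return "NOT MONITORED"
    if counts["open_error"]:
        return "retrying"
    return "monitored"

SAMPLE = """\
> > 2011/07/08 14:43:01 ossec-config(1121): ERROR: Glob error. Invalid pattern: '/var/log/httpd/*_log'.
> > 2011/07/08 14:43:07 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/httpd/*_log'.
> > 2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/*_log'.
> > 2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/
> > opt/zimbra/log/mailbox.log'.
> > 2011/07/08 14:43:07 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/ha-log'.
> > 2011/07/08 14:43:07 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/ha-log'.
> > 2011/07/08 14:45:18 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/httpd/*_log'.
> > 2011/07/08 15:02:48 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/ha-log'.
"""

if __name__ == "__main__":
    for path, counts in logcollector_status(SAMPLE).items():
        print(f"{verdict(counts):14} {path}  {counts}")
```

Run against the real file (`logcollector_status(open("/var/log/ossec/ossec.log").read())` on an agent with a default install path) the unwrap step is a no-op, since only mailed copies are wrapped.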
