Hi list,

We're using OSSEC's process monitoring feature to run a heartbeat on our one-way systems, so that we can know if an agent dies without the manager needing to talk to the agent. But when we fielded the system, we started seeing some very weird behavior. Every so often, OSSEC gets an event's location data mixed up when entering the event into our MySQL database.

It's only happening with two servers, 4 and 6. Server 4 is HP-UX, while Server 6 is Windows 2003. We noticed this when we realized that Server 6 was reporting messages from the HP-UX command line, while Server 4 was reporting output from DOS. In other words, an event from Server 4 is being tagged with Server 6's location data in MySQL, and vice versa. Here are the "full_log" and "message" fields for some of the mixed-up events, as pulled from MySQL:

Oct 21 18:13:35 svr4 ossec-hb: Heartbeat: 181335 ossec 2353 1 0 Oct 4 ? 0:23 /var/ossec/bin/ossec-agentd | (svr6) 192.168.1.74->"C\Program Filesossec-agentwin32_heartbeat.bat"

ossec: output: `"C//Program Files/ossec-agent/win32_heartbeat.bat"`: Fri 10/21/2011 15:54 PM ossec-win-hb: Heartbeat: ossec-agent.exe 1944 0 4,808 K | (svr4) 192.168.1.54->/var/adm/syslog/syslog.log

Oct 21 11:58:59 svr4 ossec-hb: Heartbeat: 115859 ossec 2353 1 0 Oct 4 ? 0:22 /var/ossec/bin/ossec-agentd | (svr6) 192.168.1.74->"C\Program Filesossec-agentwin32_heartbeat.bat"

Oct 21 03:01:01 svr4 ossec-hb: Heartbeat: 030101 ossec 2353 1 0 Oct 4 ? 0:22 /var/ossec/bin/ossec-agentd | (svr6) 192.168.1.74->"C\Program Filesossec-agentwin32_heartbeat.bat"

It happens infrequently and isn't reciprocal - we may see one Server 4 event tagged with Server 6 location data on Monday, none on Tuesday, three on Wednesday, and then the reverse on Thursday. We don't know yet if it's doing this with any other events than the heartbeats; we spotted these while tracking down an unrelated issue. What could possibly be causing OSSEC to confuse its location data like that?

Thanks in advance!

-Alisha Kloc
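As an added example (not part of Alisha's post and not OSSEC's own code), here is a small consistency check of the kind that finds rows like the ones above across a whole alert table rather than by eye. It assumes each row is available as a (full_log, location) pair in the form the post shows, that HP-UX heartbeats carry a syslog header and the `ossec-hb:` / `ossec-agentd` markers, and that Windows heartbeats carry `ossec-win-hb` / `win32_heartbeat`; those markers and the sample rows are constructed from the post, with the Windows path reproduced as it appears there (backslashes stripped).

```python
import re
from typing import List, Optional, Tuple

# Constructed sample rows modelled on the "full_log | location" pairs in the post:
# rows 0 and 1 are the mixed-up cases, rows 2 and 3 are what consistent rows look like.
SAMPLE_ROWS: List[Tuple[str, str]] = [
    ('Oct 21 18:13:35 svr4 ossec-hb: Heartbeat: 181335 ossec 2353 1 0 Oct 4 ? 0:23 /var/ossec/bin/ossec-agentd',
     '(svr6) 192.168.1.74->"C\\Program Filesossec-agentwin32_heartbeat.bat"'),
    ('ossec: output: `"C//Program Files/ossec-agent/win32_heartbeat.bat"`: Fri 10/21/2011 15:54 PM '
     'ossec-win-hb: Heartbeat: ossec-agent.exe 1944 0 4,808 K',
     '(svr4) 192.168.1.54->/var/adm/syslog/syslog.log'),
    ('Oct 21 11:58:59 svr4 ossec-hb: Heartbeat: 115859 ossec 2353 1 0 Oct 4 ? 0:22 /var/ossec/bin/ossec-agentd',
     '(svr4) 192.168.1.54->/var/adm/syslog/syslog.log'),
    ('ossec: output: `"C//Program Files/ossec-agent/win32_heartbeat.bat"`: Fri 10/21/2011 15:54 PM '
     'ossec-win-hb: Heartbeat: ossec-agent.exe 1944 0 4,808 K',
     '(svr6) 192.168.1.74->"C\\Program Filesossec-agentwin32_heartbeat.bat"'),
]

# "Mon DD HH:MM:SS host ..." syslog header; the host token is what the agent should be tagged as.
SYSLOG_HEADER = re.compile(r'^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(?P<host>\S+)\s')
# OSSEC location string as shown in the post: "(agent) ip->source".
LOCATION = re.compile(r'^\((?P<agent>[^)]+)\)\s+(?P<ip>\S+)->(?P<path>.*)$')


def syslog_host(full_log: str) -> Optional[str]:
    """Hostname from a syslog-style full_log, or None when the log has no such header."""
    m = SYSLOG_HEADER.match(full_log)
    return m.group('host') if m else None


def platform_of_log(full_log: str) -> Optional[str]:
    """Guess the agent platform from the heartbeat markers in the log body (assumed markers)."""
    if 'ossec-win-hb' in full_log or 'win32_heartbeat' in full_log:
        return 'windows'
    if 'ossec-hb:' in full_log or '/ossec-agentd' in full_log:
        return 'unix'
    return None


def platform_of_path(path: str) -> Optional[str]:
    """Guess the platform from the location's source path (POSIX path vs. drive letter)."""
    p = path.strip('"')
    if p.startswith('/'):
        return 'unix'
    if re.match(r'^[A-Za-z][:\\]', p) or 'Program Files' in p:
        return 'windows'
    return None


def check_row(full_log: str, location: str) -> List[str]:
    """Reasons the location tag disagrees with the log body; an empty list means consistent."""
    reasons: List[str] = []
    loc = LOCATION.match(location)
    if not loc:
        return ['unparseable location string: %r' % location]
    agent = loc.group('agent')
    host = syslog_host(full_log)
    if host is not None and host != agent:
        reasons.append('syslog hostname %r != agent %r' % (host, agent))
    log_plat = platform_of_log(full_log)
    path_plat = platform_of_path(loc.group('path'))
    if log_plat and path_plat and log_plat != path_plat:
        reasons.append('%s heartbeat tagged with %s location %r' % (log_plat, path_plat, loc.group('path')))
    return reasons


def find_mismatches(rows: List[Tuple[str, str]]) -> List[Tuple[int, List[str]]]:
    """(row index, reasons) for every row whose location tag does not match its full_log."""
    out = []
    for i, (full_log, location) in enumerate(rows):
        reasons = check_row(full_log, location)
        if reasons:
            out.append((i, reasons))
    return out


if __name__ == '__main__':
    for idx, why in find_mismatches(SAMPLE_ROWS):
        print('row %d: %s' % (idx, '; '.join(why)))
```

Run against real data, the rows would come from a query over the alert table joined to its location table; the two independent signals (hostname in the syslog header and platform implied by the source path) mean a swap is still caught for the Windows rows, whose output has no hostname of its own.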
