Hi Dan,

I enabled debugging and I don't seem to get a whole lot more logs out of it. I had a few examples happen over the weekend. The issue is always for a particular rule number that I have set to null route 30 minutes. I did enable debugging from ossec-control enable debug.

I reviewed the ossec.log and the only commonality I see so far is that there are a lot of these messages at the time of the issue for both cases.

2013/03/16 04:38:13 ossec-remoted: DEBUG Sending file 'merged.mg' to agent.

I do have 373 agents talking to the server. Any idea how to enable execd debug logging?

On Wednesday, March 13, 2013 4:49:10 PM UTC-7, dan (ddpbsd) wrote:
> On Wed, Mar 13, 2013 at 6:47 PM, BP9906 <[email protected]> wrote:
> > Well that's the problem, I don't get any log entry on the OSSEC server AR log
> > so I think I need a debug config enabled to verify it is triggering an AR.
> > What config setting do I set to see that?
>
> You can run "/var/ossec/bin/ossec-control enable debug" on the server,
> and I think setting debug values to 2 in internal_options.conf might
> work as well.
>
> But if you know it's working intermittently, you have to know what log
> events are not triggering AR and which ones are.
>
> > On Wednesday, March 13, 2013 2:40:40 PM UTC-7, dan (ddpbsd) wrote:
> >> On Wed, Mar 13, 2013 at 4:43 PM, BP9906 <[email protected]> wrote:
> >> > Good point.
> >> > For clarity, my AR is set for server execution. It then launches a shell
> >> > script that then loops through a set of servers in a LB pool to do a null
> >> > route on those servers.
> >> > I would then see the AR in the Ossec Server AR log and client AR log.
> >> > I don't even see the AR log entry on the Ossec Server AR log.
> >>
> >> Can you provide your configuration, log samples that do work, and log
> >> samples that do not work?
> >>
> >> > On Wednesday, March 13, 2013 1:20:06 PM UTC-7, Kat wrote:
> >> >> Are you checking the right logs and do you have the ARs set for the right
> >> >> place? Sometimes people forget the log entries will be in agents' log files,
> >> >> not the SERVER.
> >> >>
> >> >> On Wednesday, March 13, 2013 10:56:34 AM UTC-7, BP9906 wrote:
> >> >>> Hello,
> >> >>> I recently upgraded my ossec server to 2.7 and everything is working
> >> >>> great. The weird issue I'm having is that the active responses sometimes
> >> >>> don't fire.
> >> >>> It's very intermittent because I get email spam for my Rule that is
> >> >>> supposed to trigger a null-route. I check the server's active-responses.log
> >> >>> and it shows no entries, though previously in the same day (couple hours
> >> >>> ago) I see entries for the same rule number.
> >> >>>
> >> >>> Any suggestions on helping determine why the ossec server couldn't spawn
> >> >>> my active response for the rule?
> >> >>>
> >> >>> Thank you,
> >> >>> Brian
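
Dan's advice in the thread is to establish which events triggered the active response and which did not. One way to do that, as an added example that is not part of the original thread: match alert ids from alerts.log against the "add" entries in active-responses.log. The log samples are constructed, rule id 100101 and null-route.sh are placeholders, and the AR log layout is assumed to be the one the stock OSSEC scripts write (date, script, action, user, source IP, alert id, rule id).

```python
import re

# Constructed alerts.log sample; rule id 100101 is a placeholder, not from the thread.
ALERTS = """\
** Alert 1363430293.1001: mail  - web,attack,
2013 Mar 16 04:38:13 web01->/var/log/httpd/access_log
Rule: 100101 (level 10) -> 'Constructed null-route rule'
Src IP: 198.51.100.7

** Alert 1363430410.2002: mail  - web,attack,
2013 Mar 16 04:40:10 web02->/var/log/httpd/access_log
Rule: 100101 (level 10) -> 'Constructed null-route rule'
Src IP: 203.0.113.9
"""

# Constructed active-responses.log sample. Assumed layout (what the stock scripts
# echo): <date> <script> <action> <user> <srcip> <alert id> <rule id>
AR_LOG = """\
Sat Mar 16 04:38:14 PDT 2013 /var/ossec/active-response/bin/null-route.sh add - 198.51.100.7 1363430293.1001 100101
"""

AR_LINE = re.compile(r"\s(add|delete)\s+\S+\s+(\S+)\s+(\d+\.\d+)\s+(\d+)\s*$")

def parse_alerts(text):
    """Yield one dict per alert block (blocks are separated by blank lines)."""
    for block in re.split(r"\n\s*\n", text.strip()):
        head = re.search(r"^\*\* Alert (\d+\.\d+):", block, re.M)
        rule = re.search(r"^Rule: (\d+) \(level \d+\)", block, re.M)
        if not (head and rule):
            continue  # truncated or non-alert block
        ip = re.search(r"^Src IP: (\S+)", block, re.M)
        yield {"id": head.group(1), "rule": rule.group(1),
               "srcip": ip.group(1) if ip else None}

def responded_ids(ar_text):
    """Alert ids for which an 'add' action was logged by the AR script."""
    hits = (AR_LINE.search(line) for line in ar_text.splitlines())
    return {m.group(3) for m in hits if m and m.group(1) == "add"}

def missing_responses(alerts_text, ar_text, rule_id):
    """Alerts for rule_id that have no matching 'add' entry in the AR log."""
    fired = responded_ids(ar_text)
    return [a for a in parse_alerts(alerts_text)
            if a["rule"] == rule_id and a["id"] not in fired]

if __name__ == "__main__":
    for a in missing_responses(ALERTS, AR_LOG, "100101"):
        print("no AR logged for alert", a["id"], "src", a["srcip"])
```

The alerts it reports give the exact timestamps to compare against ossec.log on the server, which is the side-by-side of working and non-working samples asked for in the thread.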
