Yes, this message is causing the error... My version of OSSEC is 2.7.1 development (2013-06-27), because I tested on 2.7.1 beta too (it crashes too)... In stable version 2.7 the custom log option is not implemented... But this message that crashes OSSEC can pass multiple times, and for a reason not explained it crashes after X times passed OK... It's very strange... Finally, I found a solution to work with OSSIM: I went through syslog sending and modified the OSSIM agent regex. Thx
On Monday, 15 July 2013 14:37:45 UTC+2, dan (ddpbsd) wrote:
>
> On Mon, Jul 15, 2013 at 3:37 AM, <[email protected]> wrote:
> > Hi,
> >
> > I installed OSSEC (ver 2.7.1 beta, and 2.7 dev) on CENTOS 5.9. I activated
> > custom log output for analysis by OSSIM. After many minutes, OSSEC crashes
> > with this error log (I activated internal debug level 2):
> >
> > 2013/07/15 08:51:42 apache, == DEBUG: groupe OS_CustomLog()
> > 2013/07/15 08:51:42 DEBUG: AVif OS_CustomLog()
> > 2013/07/15 08:51:42 DEBUG: if OS_CustomLog()
> > 2013/07/15 08:51:42 AV - Alert - "1373871102" --> RID: "31410"; RL: "3"; RG: "apache,"; RC: "PHP Warning message."; USER: "None"; SRCIP: "XX.XXX.XXX.XXX"; HOSTNAME: "(XXXX) XXX.XX.XX.XXX->/var/log/httpd/error_log"; LOCATION: "(XXXX) XXX.XX.XX.XXX->/var/log/httpd/error_log"; EVENT: "[INIT][Mon Jul 15 08:51:41 2013] [error] [client XX.XXX.XXX.XXX] PHP Warning: Cannot modify header information - headers already sent in Unknown on line 0, referer: http://www.xxxxxx.xx/xxx?sa=t&rct=j&q=substrats%20xxxxxxxx%20des%20am%C3%A9liorations%20xxxxxxxxx%20dues%20%C3%A0%20l%27%C3%A9coute%20de%20la%20xxxxxxx&source=web&cd=1&ved=0CC0QFjAA&url=http%3A%2F%2Fxxxx.xxxx.xx%2Fxxxxxxxx%2Fxxxx.htm&ei=xxxxxxxxxxxxxxxx_4DADQ&usg=xxxxxxxxxxxxxxxTxzmrX6GEhga_6lZLaw&bvm=bv.48705608,d.d2k[END]";
> >  == DEBUG: logprint OS_CustomLog()
> > 2013/07/15 08:51:42 DEBUG: FLush OS_CustomLog()
> > 2013/07/15 08:51:42 ossec-remoted: socketerr (not available).
> > 2013/07/15 08:51:42 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2013/07/15 08:51:42 ossec-logcollector: socketerr (not available).
> > 2013/07/15 08:51:42 ossec-logcollector(1224): ERROR: Error sending message to queue.
> >
> > I added debug1() calls in the code of analysisd/alerts/log.c, in the function
> > void OS_CustomLog(Eventinfo *lf, char* format) {
> >     .......
> >     debug1("%s == DEBUG: logprint OS_CustomLog()",log);
> >     fprintf(_aflog,log);
> >     fprintf(_aflog,"\n");
> >     debug1("DEBUG: FLush OS_CustomLog()"); // CRASH AFTER FFLUSH function when crash arrived
> >     fflush(_aflog);
> >     debug1("DEBUG: AVif OS_CustomLog()");
> >     debug1("%s == DEBUG: logprint2 OS_CustomLog()",log);
> >     //if(log!=NULL)
> >     //{
> >         debug1("DEBUG: if OS_CustomLog()");
> >         os_free(log);
> >         log=NULL;
> >     // }
> >     debug1("DEBUG: return OS_CustomLog()"); // NEVER PRINTED when crash arrived
> >     return;
> > }
> >
> > OSSEC works well for many minutes and writes the log information from the
> > OS_CustomLog function to alert.log. And after a longer or shorter time, OSSEC
> > crashes in OS_CustomLog, causing all OSSEC services to stop because the queue
> > is not accessible....
> >
> > I think the problem could come from some forgotten memory freeing.... But I
> > cannot find it...
> > Thanks for help!
> >
> > Lionel
> >
>
> Is this the log message you're having trouble with:
> [Mon Jul 15 08:51:41 2013] [error] [client XX.XXX.XXX.XXX] PHP Warning: Cannot modify header information - headers already sent in Unknown on line 0, referer: http://www.xxxxxx.xx/xxx?sa=t&rct=j&q=substrats%20xxxxxxxx%20des%20am%C3%A9liorations%20xxxxxxxxx%20dues%20%C3%A0%20l%27%C3%A9coute%20de%20la%20xxxxxxx&source=web&cd=1&ved=0CC0QFjAA&url=http%3A%2F%2Fxxxx.xxxx.xx%2Fxxxxxxxx%2Fxxxx.htm&ei=xxxxxxxxxxxxxxxx_4DADQ&usg=xxxxxxxxxxxxxxxTxzmrX6GEhga_6lZLaw&bvm=bv.48705608,d.d2k[END]
>
> It's working fine for me. What version of OSSEC are you running?
>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
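Editor's note, added as an example that is not part of the thread and not OSSEC's own code. The quoted snippet passes the alert text itself as the format argument of fprintf (`fprintf(_aflog,log);`), and the event being written carries a URL-encoded referer full of `%20`, `%C3`, `%A9` and similar sequences, which fprintf reads as conversion specifications and then pulls non-existent arguments for. Whether or not that is the whole story behind this particular crash, it is a defect on its own: log content must be written as data, never as a format. The C program below counts the conversion-like `%` sequences in a constructed alert line modelled on the one in the thread, and shows the fix, writing the text with fputs (equivalently `fprintf(f, "%s", log)`) and checking that the bytes on disk match the input exactly. The sample alert text, the function names and the temporary-file round trip are assumptions made for this demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample alert line (not taken from OSSEC): it mimics the
   quoted event, whose referer is URL-encoded and therefore full of '%'. */
static const char SAMPLE_ALERT[] =
    "[INIT][Mon Jul 15 08:51:41 2013] [error] [client 192.0.2.10] PHP Warning: "
    "Cannot modify header information - headers already sent in Unknown on line 0, "
    "referer: http://example.invalid/?"
    "q=substrats%20des%20am%C3%A9liorations%20dues%20%C3%A0%20l%27%C3%A9coute[END]\n";

/* Count '%' characters that printf-style functions would treat as the start
   of a conversion specification if this text were used as a format string.
   A doubled "%%" is a literal percent and is not counted. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" escapes to a single '%' */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* The hardened write: the alert text is passed as data. fputs() copies it
   byte for byte; fprintf(f, "%s", log) would be the equivalent one-line fix
   for the quoted fprintf(_aflog, log) call. Returns 0 on success, -1 on error. */
int write_alert_safely(FILE *f, const char *log)
{
    if (fputs(log, f) == EOF)
        return -1;
    return (fflush(f) == 0) ? 0 : -1;
}

/* Self-check used by the demo: write the text to a temporary file with the
   safe writer, read it back, and report 1 if the stored bytes equal the
   input exactly (no '%' sequence was consumed or expanded), else 0. */
int roundtrip_preserves_bytes(const char *log)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return 0;
    if (write_alert_safely(f, log) != 0) {
        fclose(f);
        return 0;
    }
    rewind(f);

    size_t len = strlen(log);
    char *buf = malloc(len + 1);
    if (buf == NULL) {
        fclose(f);
        return 0;
    }
    /* Ask for one byte more than expected so extra output would be noticed. */
    size_t got = fread(buf, 1, len + 1, f);
    fclose(f);

    int same = (got == len) && (memcmp(buf, log, len) == 0);
    free(buf);
    return same;
}

int main(void)
{
    printf("conversion-like '%%' sequences in the sample alert: %d\n",
           count_format_directives(SAMPLE_ALERT));
    printf("safe write preserved every byte: %s\n",
           roundtrip_preserves_bytes(SAMPLE_ALERT) ? "yes" : "no");
    return 0;
}
```

The count function doubles as a cheap review aid: any string that reaches a `printf`-family format parameter with a non-zero count from it is untrusted input being interpreted as code, and the only correct shape is a constant format with the text supplied through `%s`.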
