On Mon, Jul 15, 2013 at 9:54 AM,  <[email protected]> wrote:
> Yes, this message is causing the error...
> My version of ossec is 2.7.1 development (2013-06-27) because I tested on
> 2.7.1 beta too (crash too)... In stable version 2.7 the custom log option is not
> implemented...
> But this message which crashes ossec can pass multiple times, and for a reason
> not explained it crashes after X times passed OK... It's very strange...
> Finally, I found a solution to work with OSSIM: I went through syslog sending and
> modified the OSSIM regex agent.
> Thx
>

Are you using a custom log output format in ossec? If so, can you
share your config? Do you have custom rules/decoders that may be
affecting this that you can share?

> On Monday, 15 July 2013 14:37:45 UTC+2, dan (ddpbsd) wrote:
>>
>> On Mon, Jul 15, 2013 at 3:37 AM,  <[email protected]> wrote:
>> > Hi,
>> >
>> > I installed OSSEC (ver 2.7.1 beta, and 2.7 dev) on CENTOS 5.9. I activated
>> > the custom log for analysis by OSSIM. After many minutes, OSSEC crashes with
>> > this error log (I activated internal debug level 2):
>> > 2013/07/15 08:51:42 apache, == DEBUG: groupe OS_CustomLog()
>> > 2013/07/15 08:51:42 DEBUG: AVif OS_CustomLog()
>> > 2013/07/15 08:51:42 DEBUG: if OS_CustomLog()
>> > 2013/07/15 08:51:42 AV - Alert - "1373871102" --> RID: "31410"; RL: "3";
>> > RG:
>> > "apache,"; RC: "PHP Warning message."; USER: "None"; SRCIP:
>> > "XX.XXX.XXX.XXX"; HOSTNAME: "(XXXX)
>> > XXX.XX.XX.XXX->/var/log/httpd/error_log"; LOCATION: "(XXXX)
>> > XXX.XX.XX.XXX->/var/log/httpd/error_log"; EVENT: "[INIT][Mon Jul 15
>> > 08:51:41
>> > 2013] [error] [client XX.XXX.XXX.XXX] PHP Warning:  Cannot modify header
>> > information - headers already sent in Unknown on line 0, referer:
>> >
>> > http://www.xxxxxx.xx/xxx?sa=t&rct=j&q=substrats%20xxxxxxxx%20des%20am%C3%A9liorations%20xxxxxxxxx%20dues%20%C3%A0%20l%27%C3%A9coute%20de%20la%20xxxxxxx&source=web&cd=1&ved=0CC0QFjAA&url=http%3A%2F%2Fxxxx.xxxx.xx%2Fxxxxxxxx%2Fxxxx.htm&ei=xxxxxxxxxxxxxxxx_4DADQ&usg=xxxxxxxxxxxxxxxTxzmrX6GEhga_6lZLaw&bvm=bv.48705608,d.d2k[END]";;
>> > == DEBUG: logprint OS_CustomLog()
>> > 2013/07/15 08:51:42 DEBUG: FLush OS_CustomLog()
>> > 2013/07/15 08:51:42 ossec-remoted: socketerr (not available).
>> > 2013/07/15 08:51:42 ossec-remoted(1210): ERROR: Queue
>> > '/queue/ossec/queue'
>> > not accessible: 'Connection refused'.
>> > 2013/07/15 08:51:42 ossec-logcollector: socketerr (not available).
>> > 2013/07/15 08:51:42 ossec-logcollector(1224): ERROR: Error sending
>> > message
>> > to queue.
>> >
>> > I added debug1() calls in the code analysisd/alerts/log.c, in the function
>> > void OS_CustomLog(Eventinfo *lf, char *format) {
>> > .......
>> >   debug1("%s == DEBUG: logprint OS_CustomLog()", log);
>> >   /* The alert text must be passed as an argument to a fixed format, never as
>> >    * the format string itself: a message containing '%' sequences (such as the
>> >    * URL-encoded referer above) would otherwise be parsed for conversion
>> >    * directives, which is undefined behaviour. */
>> >   fprintf(_aflog, "%s", log);
>> >   fprintf(_aflog, "\n");
>> >   debug1("DEBUG: FLush OS_CustomLog()"); // CRASH AFTER FFLUSH function when crash arrived
>> >   fflush(_aflog);
>> >   debug1("DEBUG: AVif OS_CustomLog()");
>> >   debug1("%s == DEBUG: logprint2 OS_CustomLog()", log);
>> >   //if(log!=NULL)
>> >   //{
>> >   debug1("DEBUG: if OS_CustomLog()");
>> >   os_free(log);
>> >   log = NULL;
>> >   //}
>> >   debug1("DEBUG: return OS_CustomLog()"); // NEVER PRINTED when crash arrived
>> >   return;
>> > }
>> >
>> > OSSEC works fine for many minutes and sends log information via the
>> > OS_CustomLog function to alert.log. And after a longer or shorter time, ossec
>> > crashes in OS_CustomLog, which stops all ossec services because the queue is not
>> > accessible....
>> >
>> > I think the problem could come from a forgotten memory free.... But I cannot
>> > find it...
>> > Thx for help!
>> >
>> > Lionel
>> >
>>
>> Is this the log message you're having trouble with:
>> [Mon Jul 15 08:51:41 2013] [error] [client XX.XXX.XXX.XXX] PHP
>> Warning:  Cannot modify header information - headers already sent in
>> Unknown on line 0, referer:
>>
>> http://www.xxxxxx.xx/xxx?sa=t&rct=j&q=substrats%20xxxxxxxx%20des%20am%C3%A9liorations%20xxxxxxxxx%20dues%20%C3%A0%20l%27%C3%A9coute%20de%20la%20xxxxxxx&source=web&cd=1&ved=0CC0QFjAA&url=http%3A%2F%2Fxxxx.xxxx.xx%2Fxxxxxxxx%2Fxxxx.htm&ei=xxxxxxxxxxxxxxxx_4DADQ&usg=xxxxxxxxxxxxxxxTxzmrX6GEhga_6lZLaw&bvm=bv.48705608,d.d2k[END]
>>
>> It's working fine for me. What version of OSSEC are you running?
>>
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
>> >
>> >
>
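
The snippet quoted above hands the alert text to fprintf() as the format string, and the message that triggers the crash is full of URL-encoded '%' sequences. The following C is an added example, not code from this thread or from OSSEC: it counts how many conversion directives such a message would be parsed into and shows a fixed-format writer that keeps every byte intact; the sample alert text is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample alert text modelled on the quoted message; the URL-encoded
 * referer carries many '%' sequences. Not the poster's real data. */
static const char SAMPLE_LOG[] =
    "AV - Alert - \"1373871102\" --> RID: \"31410\"; RG: \"apache,\"; EVENT: \"PHP "
    "Warning:  Cannot modify header information, referer: http://www.example.invalid"
    "/x?q=substrats%20des%20am%C3%A9liorations&url=http%3A%2F%2Fexample.invalid%2Fp.htm\"";

/* Count the '%' sequences printf would parse as conversion directives if this
 * string were the format ("%%" is a literal and is skipped). Each one would
 * consume a vararg nobody passed: UB, so a write can work many times, then fail. */
size_t count_format_directives(const char *s)
{
    size_t n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }  /* "%%" prints one '%' */
        n++;
    }
    return n;
}

/* Hardened writer: the message is an argument to a fixed "%s" format, so its '%'
 * bytes are copied verbatim (the quoted snippet passes it as the format instead).
 * Returns 0 on success, -1 on I/O error. */
int write_alert_line(FILE *out, const char *log)
{
    if (fprintf(out, "%s\n", log) < 0) return -1;
    return fflush(out) == 0 ? 0 : -1;
}

/* Returns 1 if the message round-trips byte for byte through write_alert_line(),
 * every '%' sequence intact and a newline appended; 0 otherwise. */
int roundtrip_ok(const char *log)
{
    size_t len = strlen(log), got = 0;
    FILE *f = tmpfile();
    char *buf = malloc(len + 2);
    if (f && buf && write_alert_line(f, log) == 0) {
        rewind(f);
        got = fread(buf, 1, len + 1, f);
    }
    int ok = got == len + 1 && memcmp(buf, log, len) == 0 && buf[len] == '\n';
    free(buf);
    if (f) fclose(f);
    return ok;
}
```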
