On Tue, Jul 16, 2013 at 2:51 AM,  <[email protected]> wrote:
> My config file is the default, I just added the custom log in ossec.conf:

I am still unable to reproduce the crash.

>   <global>
>     <email_notification>no</email_notification>
>     <custom_alert_output>AV - Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL:
> "$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER"; SRCIP:
> "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT:
> "[INIT]$FULLLOG[END]"; </custom_alert_output>
>   </global>
>
> My OSSEC server gets all the logs of the OSSEC clients on the other servers
> (agents with the default config).
> On my OSSEC server I added decoders and rules for auditd & tomoyo...
> My file etc/shared/agent.conf:
> <agent_config>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/audit/audit_custom.log</location>
>   </localfile>
>
>   <localfile>
>     <log_format>multi-line:4</log_format>
>     <location>/var/log/tomoyo/reject_003.log</location>
>   </localfile>
>
>   <localfile>
>     <log_format>multi-line:4</log_format>
>     <location>/var/log/tomoyo/reject_002.log</location>
>   </localfile>
> </agent_config>
>
> In the file decoder.xml:
> I deleted these lines:
>
> <decoder name="auditd">
>   <prematch>^type=</prematch>
> </decoder>
>
> <!-- SELinux -->
>   <decoder name="auditd-selinux">
>     <parent>auditd</parent>
>     <prematch offset="after_parent">^AVC </prematch>
>     <regex offset="after_parent">^(AVC)
> msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): avc:  (\S+)  { \.+ } for
> pid=\d+ comm="(\S+)" path="\S+" dev=\S+ ino=\d+ scontext=\S+ tcontext=\S+
> tclass=\S+$</regex>
>     <order>action,id,status,extra_data</order>
>   </decoder>
>
> <!-- syscall -->
>   <decoder name="auditd-syscall">
>     <parent>auditd</parent>
>     <prematch offset="after_parent">^SYSCALL </prematch>
>     <regex offset="after_parent">^(SYSCALL)
> msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): arch=\w+ syscall=\d+
> success=(\S+) exit=\S+ a0=\w+ a1=\w+ a2=\w+ a3=\w+ items=\d+ ppid=\d+
> pid=\d+ auid=\d+ uid=\d+ gid=\d+ euid=\d+ suid=\d+ fsuid=\d+ egid=\d+
> sgid=\d+ fsgid=\d+ tty=\S+ ses=\d+ comm="\S+" exe="(\.+)"</regex>
>     <order>action,id,status,extra_data</order>
>   </decoder>
>   <decoder name="auditd-sockaddr">
>     <parent>auditd</parent>
>     <prematch offset="after_parent">^SOCKADDR </prematch>
>     <regex offset="after_parent">^(SOCKADDR)
> msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): saddr="(\.+)"</regex>
>     <order>action,id,extra_data</order>
>   </decoder>
> <!-- config -->
>   <decoder name="auditd-config">
>     <parent>auditd</parent>
>     <prematch offset="after_parent">^CONFIG_CHANGE </prematch>
>     <regex offset="after_parent">^(CONFIG_CHANGE)
> msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): auid=\d+ ses=\d+ op="\.+"
> path="(\.+)" key="\S+" list=\d+ res=\d+$</regex>
>     <order>action,id,extra_data</order>
>   </decoder>
>
> <!-- path (will only decode if name is not null)-->
>   <decoder name="auditd-path">
>     <parent>auditd</parent>
>     <prematch offset="after_parent">^PATH </prematch>
>     <regex offset="after_parent">^(PATH)
> msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): item=\d+ name="(\.+)"
> inode=\d+ dev=\S+ mode=\d+ ouid=\d+ ogid=\d+ rdev=\S+</regex>
>     <order>action,id,extra_data</order>
>   </decoder>
>
> <!-- user-related -->
>   <decoder name="auditd-user">
>     <parent>auditd</parent>
>     <regex offset="after_parent">^(USER_\S+)
> msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+
> auid=\d+|</regex>
>     <regex>^(CRED_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user
> pid=\d+ uid=\d+ auid=\d+</regex>
>     <order>action,id</order>
>   </decoder>
>
>   <decoder name="auditd-user">
>     <parent>auditd</parent>
>     <regex offset="after_regex"> acct="(\.+)" : exe="(\.+)" \(hostname=\S+,
> addr=(\S+), terminal=\S+$</regex>
>     <order>user,extra_data,srcip</order>
>   </decoder>
>
>   <decoder name="auditd-user">
>     <parent>auditd</parent>
>     <regex offset="after_regex"> ses=\d+ subj=\S+ msg='\.+ acct="(\.+)"
> exe="(\.+)" hostname=\S+ addr=(\S+) terminal=\S+ res=(\S+)$</regex>
>     <order>user,extra_data,srcip,status</order>
>   </decoder>
>
>    <decoder name="auditd-user">
>     <parent>auditd</parent>
>     <regex offset="after_regex"> subj=\S+ msg='\.+ acct="(\.+)"
> \p*\s*exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+
> res=(\S+)\)'$</regex>
>     <order>user,extra_data,srcip,status</order>
>   </decoder>
>
>   <decoder name="auditd-user">
>     <parent>auditd</parent>
>     <regex offset="after_regex"> subj=\S+ msg='\.+ exe="(\.+)"
> \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$</regex>
>     <order>extra_data,srcip,status</order>
>   </decoder>
>
>
> I added these lines:
>
> <decoder name="auditd">
>   <prematch>^type=</prematch>
> </decoder>
> <decoder name="auditd-connect">
>     <parent>auditd</parent>
>     <program_name>auditd-connect</program_name>
>     <prematch offset="after_parent">info_connect</prematch>
>     <regex offset="after_parent">^SYSCALL
> msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): arch=\w+ syscall=\d+
> success=\S+ exit=\S+ a0=\w+ a1=\w+ a2=\w+ a3=\w+ items=\d+ ppid=\d+
> pid=(\d+) auid=\d+ uid=(\d+) gid=\d+ euid=\d+ suid=\d+ fsuid=\d+ egid=\d+
> sgid=\d+ fsgid=\d+ tty=\.+ ses=\d+ comm="\S+" exe="(\.+)" key="info_connect"
> SOCKADDR saddr=(\S+) saddr_ip=(\S+) saddr_port=(\d+) saddr_family=AF_INET</regex>
>     <order>id,status,user,action,extra_data,dstip,dstport</order>
> </decoder>
> <decoder name="auditd-bind">
>     <parent>auditd</parent>
>     <program_name>auditd-bind</program_name>
>     <prematch offset="after_parent">info_bind</prematch>
>     <regex offset="after_parent">^SYSCALL
> msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): arch=\w+ syscall=\d+
> success=\S+ exit=\S+ a0=\w+ a1=\w+ a2=\w+ a3=\w+ items=\d+ ppid=\d+
> pid=(\d+) auid=\d+ uid=(\d+) gid=\d+ euid=\d+ suid=\d+ fsuid=\d+ egid=\d+
> sgid=\d+ fsgid=\d+ tty=\.+ ses=\d+ comm="\S+" exe="(\.+)" key="info_bind"
> SOCKADDR saddr=(\S+) saddr_ip=(\S+) saddr_port=(\d+) saddr_family=AF_INET</regex>
>     <order>id,status,user,action,extra_data,dstip,dstport</order>
> </decoder>
> <decoder name="auditd-ptrace">
>     <parent>auditd</parent>
>     <program_name>auditd-ptrace</program_name>
>     <prematch offset="after_parent">info_ptrace</prematch>
>     <regex offset="after_parent">^SYSCALL
> msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): arch=\w+ syscall=\d+
> success=\S+ exit=\S+ a0=\w+ a1=\w+ a2=\w+ a3=\w+ items=\d+ ppid=\d+
> pid=(\d+) auid=\d+ uid=(\d+) gid=\d+ euid=\d+ suid=\d+ fsuid=\d+ egid=\d+
> sgid=\d+ fsgid=\d+ tty=\.+ ses=\d+ comm="\S+" exe="(\.+)"
> key="info_ptrace"</regex>
>     <order>id,status,user,action</order>
> </decoder>
> <decoder name="auditd-suid">
>     <parent>auditd</parent>
>     <program_name>auditd-suid</program_name>
>     <prematch offset="after_parent">info_execve_suid</prematch>
>     <regex offset="after_parent">^SYSCALL
> msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): arch=\w+ syscall=\d+
> success=\S+ exit=\S+ a0=\w+ a1=\w+ a2=\w+ a3=\w+ items=\d+ ppid=\d+
> pid=(\d+) auid=\d+ uid=(\d+) gid=\d+ euid=\d+ suid=\d+ fsuid=\d+ egid=\d+
> sgid=\d+ fsgid=\d+ tty=\.+ ses=\d+ comm="\S+" exe="(\.+)"
> key="info_execve_suid\d+"</regex>
>     <order>id,status,user,action</order>
> </decoder>
> <decoder name="auditd-sgid">
>     <parent>auditd</parent>
>     <program_name>auditd-sgid</program_name>
>     <prematch offset="after_parent">info_execve_sgid</prematch>
>     <regex offset="after_parent">^SYSCALL
> msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): arch=\w+ syscall=\d+
> success=\S+ exit=\S+ a0=\w+ a1=\w+ a2=\w+ a3=\w+ items=\d+ ppid=\d+
> pid=(\d+) auid=\d+ uid=(\d+) gid=\d+ euid=\d+ suid=\d+ fsuid=\d+ egid=\d+
> sgid=\d+ fsgid=\d+ tty=\.+ ses=\d+ comm="\S+" exe="(\.+)"
> key="info_execve_sgid\d+"</regex>
>     <order>id,status,user,action</order>
> </decoder>
> <decoder name="auditd-shadow">
>     <parent>auditd</parent>
>     <program_name>auditd-shadow</program_name>
>     <prematch offset="after_parent">info_shadow_watch</prematch>
>     <regex offset="after_parent">^SYSCALL
> msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): arch=\w+ syscall=\d+
> success=\S+ exit=\S+ a0=\w+ a1=\w+ a2=\w+ a3=\w+ items=\d+ ppid=\d+
> pid=(\d+) auid=\d+ uid=(\d+) gid=\d+ euid=\d+ suid=\d+ fsuid=\d+ egid=\d+
> sgid=\d+ fsgid=\d+ tty=\.+ ses=\d+ comm="\S+" exe="(\.+)"
> key="info_shadow_watch"</regex>
>     <order>id,status,user,action</order>
> </decoder>
> <decoder name="auditd-etc">
>     <parent>auditd</parent>
>     <program_name>auditd-etc</program_name>
>     <prematch offset="after_parent">info_etc_write</prematch>
>     <regex offset="after_parent">^SYSCALL
> msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): arch=\w+ syscall=\d+
> success=\S+ exit=\S+ a0=\w+ a1=\w+ a2=\w+ a3=\w+ items=\d+ ppid=\d+
> pid=(\d+) auid=\d+ uid=(\d+) gid=\d+ euid=\d+ suid=\d+ fsuid=\d+ egid=\d+
> sgid=\d+ fsgid=\d+ tty=\.+ ses=\d+ comm="\S+" exe="(\.+)"
> key="info_etc_write" \.* type=PATH msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:\d+\): item=\d+ name="(\.+)" inode=\d+ dev=\S+
> mode=\d+ ouid=\d+ ogid=\d+ rdev=\S+</regex>
>     <order>id,status,user,action,extra_data</order>
> </decoder>
> <decoder name="auditd-module">
>     <parent>auditd</parent>
>     <program_name>auditd-module</program_name>
>     <prematch offset="after_parent">modules_change</prematch>
>     <regex offset="after_parent">^SYSCALL
> msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): arch=\w+ syscall=\d+
> success=\S+ exit=\S+ a0=\w+ a1=\w+ a2=\w+ a3=\w+ items=\d+ ppid=\d+
> pid=(\d+) auid=\d+ uid=(\d+) gid=\d+ euid=\d+ suid=\d+ fsuid=\d+ egid=\d+
> sgid=\d+ fsgid=\d+ tty=\.+ ses=\d+ comm="\S+" exe="(\.+)"
> key="modules_change"</regex>
>     <order>id,status,user,action</order>
> </decoder>
> <decoder name="auditd-hostname">
>     <parent>auditd</parent>
>     <program_name>auditd-hostname</program_name>
>     <prematch offset="after_parent">hostname_change</prematch>
>     <regex offset="after_parent">^SYSCALL
> msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): arch=\w+ syscall=\d+
> success=\S+ exit=\S+ a0=\w+ a1=\w+ a2=\w+ a3=\w+ items=\d+ ppid=\d+
> pid=(\d+) auid=\d+ uid=(\d+) gid=\d+ euid=\d+ suid=\d+ fsuid=\d+ egid=\d+
> sgid=\d+ fsgid=\d+ tty=\.+ ses=\d+ comm="\S+" exe="(\.+)"
> key="hostname_change"</regex>
>     <order>id,status,user,action</order>
> </decoder>
> <decoder name="auditd-delete">
>     <parent>auditd</parent>
>     <program_name>auditd-delete</program_name>
>     <prematch offset="after_parent">info_delete_user</prematch>
>     <regex offset="after_parent">^SYSCALL
> msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): arch=\w+ syscall=\d+
> success=\S+ exit=\S+ a0=\w+ a1=\w+ a2=\w+ a3=\w+ items=\d+ ppid=\d+
> pid=(\d+) auid=\d+ uid=(\d+) gid=\d+ euid=\d+ suid=\d+ fsuid=\d+ egid=\d+
> sgid=\d+ fsgid=\d+ tty=\.+ ses=\d+ comm="\S+" exe="(\.+)"
> key="info_delete_user"</regex>
>     <order>id,status,user,action</order>
> </decoder>
> <decoder name="auditd-erreurperm">
>     <parent>auditd</parent>
>     <program_name>auditd-erreurperm</program_name>
>     <prematch offset="after_parent">erreur_perm</prematch>
>     <regex offset="after_parent">^SYSCALL
> msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): arch=\w+ syscall=\d+
> success=\S+ exit=\S+ a0=\w+ a1=\w+ a2=\w+ a3=\w+ items=\d+ ppid=\d+
> pid=(\d+) auid=\d+ uid=(\d+) gid=\d+ euid=\d+ suid=\d+ fsuid=\d+ egid=\d+
> sgid=\d+ fsgid=\d+ tty=\.+ ses=\d+ comm="\S+" exe="(\.+)" key="erreur_perm"
> \.* name="(\.*)" </regex>
>     <order>id,status,user,action,extra_data</order>
> </decoder>
> <decoder name="auditd-erreuraccess">
>     <parent>auditd</parent>
>     <program_name>auditd-erreuraccess</program_name>
>     <prematch offset="after_parent">erreur_access</prematch>
>     <regex offset="after_parent">^SYSCALL
> msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): arch=\w+ syscall=\d+
> success=\S+ exit=\S+ a0=\w+ a1=\w+ a2=\w+ a3=\w+ items=\d+ ppid=\d+
> pid=(\d+) auid=\d+ uid=(\d+) gid=\d+ euid=\d+ suid=\d+ fsuid=\d+ egid=\d+
> sgid=\d+ fsgid=\d+ tty=\.+ ses=\d+ comm="\S+" exe="(\.+)"
> key="erreur_access" \.* name="(\.*)" </regex>
>     <order>id,status,user,action,extra_data</order>
> </decoder>
> <decoder name="auditd-erreurro">
>     <parent>auditd</parent>
>     <program_name>auditd-erreurro</program_name>
>     <prematch offset="after_parent">erreur_lecture_seul</prematch>
>     <regex offset="after_parent">^SYSCALL
> msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): arch=\w+ syscall=\d+
> success=\S+ exit=\S+ a0=\w+ a1=\w+ a2=\w+ a3=\w+ items=\d+ ppid=\d+
> pid=(\d+) auid=\d+ uid=(\d+) gid=\d+ euid=\d+ suid=\d+ fsuid=\d+ egid=\d+
> sgid=\d+ fsgid=\d+ tty=\.+ ses=\d+ comm="\S+" exe="(\.+)"
> key="erreur_lecture_seul" \.* name="(\.*)" </regex>
>     <order>id,status,user,action,extra_data</order>
> </decoder>
>
> <decoder name="tomoyo">
> <prematch>^#\d+/\d+/\d+ \d+:\d+:\d+# </prematch>
> </decoder>
> <decoder name="tomoyo_profile3">
>     <parent>tomoyo</parent>
>     <regex offset="after_parent">^profile=3 \.* pid=(\d+) \.* uid=(\d+) \.*
> \.kernel\. (\.*) (\.*)</regex>
>     <order>status,user,action,extra_data</order>
> </decoder>
>
>
> In my local_rules.xml:
> </group> <!-- SYSLOG,LOCAL -->
> <group name="syslog,auditd,">
>   <rule id="100101" level="10">
>     <decoded_as>auditd</decoded_as>
>     <match>erreur_lecture_seul</match>
>     <group>access_denied</group>
>     <description>AUDITD accès syscall
> write/creat/open/openat/truncate/ftruncate sur une ressource en lecture
> seule...</description>
>   </rule>
>   <rule id="100102" level="10">
>     <decoded_as>auditd</decoded_as>
>     <match>erreur_perm</match>
>     <group>access_denied</group>
>     <description>AUDITD accès syscall
> write/creat/open/openat/truncate/ftruncate refusé -> opération non
> permise...</description>
>   </rule>
>   <rule id="100103" level="10">
>     <decoded_as>auditd</decoded_as>
>     <match>erreur_access</match>
>     <group>access_denied</group>
>     <description>AUDITD accès syscall
> write/creat/open/openat/truncate/ftruncate refusé -> opération non
> permise</description>
>   </rule>
>   <rule id="100104" level="7">
>     <decoded_as>auditd</decoded_as>
>     <match>info_delete_user</match>
>     <group>access_denied</group>
>     <description>AUDITD utilisateur ayant utilisé le syscall
> unlink/unlinkat/rename/renameat</description>
>   </rule>
>   <rule id="100105" level="10">
>     <decoded_as>auditd</decoded_as>
>     <match>hostname_change</match>
>     <group>access_denied</group>
>     <description>AUDITD changement hostname</description>
>   </rule>
>   <rule id="100106" level="10">
>     <decoded_as>auditd</decoded_as>
>     <match>modules_change</match>
>     <group>access_denied</group>
>     <description>AUDITD changement des modules kernel</description>
>   </rule>
>   <rule id="100107" level="10">
>     <decoded_as>auditd</decoded_as>
>     <match>info_ptrace</match>
>     <group>access_denied</group>
>     <description>AUDITD utilisation de ptrace...</description>
>   </rule>
>   <rule id="100108" level="10">
>     <decoded_as>auditd</decoded_as>
>     <match>info_etc_write</match>
>     <group>access_denied</group>
>     <description>AUDITD ecriture dans /etc</description>
>   </rule>
>   <rule id="100109" level="10">
>     <decoded_as>auditd</decoded_as>
>     <match>info_shadow_watch</match>
>     <group>access_denied</group>
>     <description>AUDITD lecture sur fichier shadow</description>
>   </rule>
>   <rule id="100110" level="10">
>     <decoded_as>auditd</decoded_as>
>     <match>info_execve_sgid</match>
>     <group>access_denied</group>
>     <description>AUDITD exécution programme SGID</description>
>   </rule>
>   <rule id="100111" level="10">
>     <decoded_as>auditd</decoded_as>
>     <match>info_execve_suid</match>
>     <group>access_denied</group>
>     <description>AUDITD exécution programme SUID</description>
>   </rule>
>   <rule id="100112" level="10">
>     <decoded_as>auditd</decoded_as>
>     <match>info_bind</match>
>     <group>access_denied</group>
>     <description>AUDITD utilisation du syscall BIND sur socket
> AF_INET</description>
>   </rule>
>   <rule id="100113" level="10">
>     <decoded_as>auditd</decoded_as>
>     <match>info_connect</match>
>     <group>access_denied</group>
>     <description>AUDITD utilisation du syscall CONNECT sur socket
> AF_INET</description>
>   </rule>
> </group>
> <group name="syslog,tomoyo,">
>   <rule id="100201" level="10">
>     <decoded_as>tomoyo</decoded_as>
>     <match>profile=3</match>
>     <group>access_denied</group>
>     <description>TOMOYO accès sur un ressource refusé...</description>
>   </rule>
>   <rule id="100202" level="10">
>     <decoded_as>tomoyo</decoded_as>
>     <match>profile=2</match>
>     <group>access_denied</group>
>     <description>TOMOYO accès sur une ressource autorisé mais non
> connu...</description>
>   </rule>
> </group>
>
>
> On Monday, July 15, 2013 at 17:35:59 UTC+2, dan (ddpbsd) wrote:
>>
>> On Mon, Jul 15, 2013 at 9:54 AM,  <[email protected]> wrote:
>> > Yes, this message is causing the error...
>> > My version of OSSEC is 2.7.1 development (2013-06-27), because I tested on
>> > 2.7.1 beta too (it crashes too)... In the stable version 2.7 the custom log
>> > option is not implemented...
>> > But this message which crashes OSSEC can pass multiple times, and for an
>> > unexplained reason it crashes after passing OK X times... It's very strange...
>> > Finally, I found a solution to work with OSSIM: I went through syslog sending
>> > and modified the OSSIM agent regex.
>> > Thx
>> >
>>
>> Are you using a custom log output format in ossec? If so, can you
>> share your config? Do you have custom rules/decoders that may be
>> affecting this that you can share?
>>
>> > On Monday, July 15, 2013 at 14:37:45 UTC+2, dan (ddpbsd) wrote:
>> >>
>> >> On Mon, Jul 15, 2013 at 3:37 AM,  <[email protected]> wrote:
>> >> > Hi,
>> >> >
>> >> > I installed OSSEC (ver 2.7.1 beta, and 2.7 dev) on CentOS 5.9. I activated
>> >> > the custom log for analysis by OSSIM. After many minutes, OSSEC crashes with
>> >> > this error log (I activated internal debug level 2):
>> >> > 2013/07/15 08:51:42 apache, == DEBUG: groupe OS_CustomLog()
>> >> > 2013/07/15 08:51:42 DEBUG: AVif OS_CustomLog()
>> >> > 2013/07/15 08:51:42 DEBUG: if OS_CustomLog()
>> >> > 2013/07/15 08:51:42 AV - Alert - "1373871102" --> RID: "31410"; RL: "3"; RG: "apache,"; RC: "PHP Warning message."; USER: "None"; SRCIP: "XX.XXX.XXX.XXX"; HOSTNAME: "(XXXX) XXX.XX.XX.XXX->/var/log/httpd/error_log"; LOCATION: "(XXXX) XXX.XX.XX.XXX->/var/log/httpd/error_log"; EVENT: "[INIT][Mon Jul 15 08:51:41 2013] [error] [client XX.XXX.XXX.XXX] PHP Warning:  Cannot modify header information - headers already sent in Unknown on line 0, referer: http://www.xxxxxx.xx/xxx?sa=t&rct=j&q=substrats%20xxxxxxxx%20des%20am%C3%A9liorations%20xxxxxxxxx%20dues%20%C3%A0%20l%27%C3%A9coute%20de%20la%20xxxxxxx&source=web&cd=1&ved=0CC0QFjAA&url=http%3A%2F%2Fxxxx.xxxx.xx%2Fxxxxxxxx%2Fxxxx.htm&ei=xxxxxxxxxxxxxxxx_4DADQ&usg=xxxxxxxxxxxxxxxTxzmrX6GEhga_6lZLaw&bvm=bv.48705608,d.d2k[END]";; == DEBUG: logprint OS_CustomLog()
>> >> > 2013/07/15 08:51:42 DEBUG: FLush OS_CustomLog()
>> >> > 2013/07/15 08:51:42 ossec-remoted: socketerr (not available).
>> >> > 2013/07/15 08:51:42 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
>> >> > 2013/07/15 08:51:42 ossec-logcollector: socketerr (not available).
>> >> > 2013/07/15 08:51:42 ossec-logcollector(1224): ERROR: Error sending message to queue.
>> >> >
>> >> > I added debug1() calls in the code of analysisd/alerts/log.c - function
>> >> > void OS_CustomLog(Eventinfo *lf,char* format) {
>> >> > .......
>> >> >   debug1("%s == DEBUG: logprint OS_CustomLog()",log);
>> >> >   fprintf(_aflog,log);   /* the alert text is used as the format string here:
>> >> >                             any '%' in it is parsed as a conversion */
>> >> >   fprintf(_aflog,"\n");
>> >> >   debug1("DEBUG: FLush OS_CustomLog()"); // CRASH AFTER FFLUSH function when crash arrived
>> >> >   fflush(_aflog);
>> >> >   debug1("DEBUG: AVif OS_CustomLog()");
>> >> >   debug1("%s == DEBUG: logprint2 OS_CustomLog()",log);
>> >> >   //if(log!=NULL)
>> >> >   //{
>> >> >     debug1("DEBUG: if OS_CustomLog()");
>> >> >     os_free(log);
>> >> >     log=NULL;
>> >> >   //}
>> >> >   debug1("DEBUG: return OS_CustomLog()"); // NEVER PRINTED when crash arrived
>> >> >   return;
>> >> > }
>> >> >
>> >> > OSSEC works well for many minutes and writes the alert information to
>> >> > alert.log through the OS_CustomLog function. And after a longer or shorter
>> >> > time, OSSEC crashes in OS_CustomLog, which stops all the OSSEC services
>> >> > because the queue is not accessible....
>> >> >
>> >> > I think the problem could come from a forgotten memory free.... But I
>> >> > cannot find it...
>> >> > Thx for help!
>> >> >
>> >> > Lionel
>> >> >
>> >>
>> >> Is this the log message you're having trouble with:
>> >> [Mon Jul 15 08:51:41 2013] [error] [client XX.XXX.XXX.XXX] PHP Warning:  Cannot modify header information - headers already sent in Unknown on line 0, referer: http://www.xxxxxx.xx/xxx?sa=t&rct=j&q=substrats%20xxxxxxxx%20des%20am%C3%A9liorations%20xxxxxxxxx%20dues%20%C3%A0%20l%27%C3%A9coute%20de%20la%20xxxxxxx&source=web&cd=1&ved=0CC0QFjAA&url=http%3A%2F%2Fxxxx.xxxx.xx%2Fxxxxxxxx%2Fxxxx.htm&ei=xxxxxxxxxxxxxxxx_4DADQ&usg=xxxxxxxxxxxxxxxTxzmrX6GEhga_6lZLaw&bvm=bv.48705608,d.d2k[END]
>> >>
>> >> It's working fine for me. What version of OSSEC are you running?
>> >>
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google
>> >> > Groups
>> >> > "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it,
>> >> > send
>> >> > an
>> >> > email to [email protected].
>> >> > For more options, visit https://groups.google.com/groups/opt_out.
>> >> >
>> >> >
>> >
>

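The posted OS_CustomLog fragment hands the finished alert to fprintf(_aflog, log) as its format string, so every '%' in the event text (the referer above is percent-encoded) is read as a conversion directive with no matching argument. The block below is an added example, not OSSEC code and not from the thread; the alert line is constructed in the thread's custom_alert_output layout and the host is a placeholder. It counts the directives printf would see in such a line and shows the fputs-based write that treats the alert as data.

```c
/* Added example (not OSSEC code, not from the thread): what a printf-style
 * function sees when an alert line is handed to it as the format string,
 * next to the safe way of writing the same line. */
#include <stdio.h>
#include <string.h>

/* Constructed alert in the custom_alert_output layout from the thread.
 * The referer carries percent-encoding, the kind of text that reaches
 * OS_CustomLog through $FULLLOG. Host and query are placeholders. */
static const char ALERT_LINE[] =
    "AV - Alert - \"1373871102\" --> RID: \"31410\"; RL: \"3\"; RG: \"apache,\"; "
    "EVENT: \"[INIT]PHP Warning:  Cannot modify header information, referer: "
    "http://www.example.invalid/x?q=substrats%20des%20am%C3%A9liorations[END]\"";

/* Count the conversion directives printf would see if `s` were used as a
 * format string. A literal "%%" is one escaped percent, not a conversion;
 * every other '%' starts a directive that consumes an argument that was
 * never passed, which is undefined behaviour. */
size_t count_format_directives(const char *s)
{
    size_t n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" prints a single '%' */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Safe equivalent of the posted fprintf(_aflog, log): the alert is data,
 * not a format, so write it with fputs (or fprintf(fp, "%s\n", alert)). */
int write_alert_safe(FILE *fp, const char *alert)
{
    if (fputs(alert, fp) == EOF || fputc('\n', fp) == EOF)
        return -1;
    return fflush(fp) == 0 ? 0 : -1;
}

/* Write the constructed alert to a temporary stream and return the number
 * of bytes that landed in it: alert length plus the trailing newline, so
 * nothing inside the line was interpreted. Returns -1 on I/O failure. */
long write_constructed_alert(void)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return -1;
    if (write_alert_safe(fp, ALERT_LINE) != 0) {
        fclose(fp);
        return -1;
    }
    long written = ftell(fp);
    fclose(fp);
    return written;
}

int main(void)
{
    printf("directives printf would see in the alert: %zu\n",
           count_format_directives(ALERT_LINE));
    printf("bytes written with fputs: %ld (expected %zu)\n",
           write_constructed_alert(), strlen(ALERT_LINE) + 1);
    return 0;
}
```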