What I meant by quotation was how the 2nd email was being sent to my gmail:

OSSEC HIDS Notification.
2013 Aug 02 11:00:19

Received From: (test-bnc3-reston) 172.16.23.220->/bnc2/testing/data/logs/reduce.0802
Rule: 100042 fired (level 12) -> "FAILED 340: Efective PKZIP archive"
Portion of the log(s):

99704-00032: P51350701B9A0017.zip 0205-2 (P51350701B9A0017.zip) FAILED: -340

--END OF NOTIFICATION

*OSSEC HIDS* <[email protected]>    Fri, Aug 2, 2013 at 11:00 AM
To: [email protected], [email protected]

> OSSEC HIDS Notification.
> 2013 Aug 02 11:00:19
>
> Received From: (test-bnc3-reston) 172.16.23.220->/bnc2/testing/data/logs/reduce.0802
> Rule: 100042 fired (level 12) -> "FAILED 340: Efective PKZIP archive"
> Portion of the log(s):
>
> 99704-00032: P51350701B9A0017.zip 0205-2 (P51350701B9A0017.zip) FAILED: -340
>
> --END OF NOTIFICATION

You were correct on the duplicate errors; here are the same errors duplicated within alerts.log:

** Alert 1375455619.51212: mail - bnc3reduce
2013 Aug 02 11:00:19 (test-bnc3-reston) 172.16.23.220->/bnc2/testing/data/logs/reduce.0802
Rule: 100042 (level 12) -> 'FAILED 340: Efective PKZIP archive'
99704-00032: P51350701B9A0017.zip 0205-2 (P51350701B9A0017.zip) FAILED: -340

** Alert 1375455619.51501: mail - bnc3reduce
2013 Aug 02 11:00:19 (test-bnc3-reston) 172.16.23.220->/bnc2/testing/data/logs/reduce.0802
Rule: 100042 (level 12) -> 'FAILED 340: Efective PKZIP archive'
99704-00032: P51350701B9A0017.zip 0205-2 (P51350701B9A0017.zip) FAILED: -340

# ps -ef | grep ossec
root      3181 23984  0 12:55 pts/1    00:00:00 grep ossec
ossecm   21620     1  0 Aug01 ?        00:00:00 /opt/ossec/bin/ossec-csyslogd
ossecm   21624     1  0 Aug01 ?        00:00:00 /opt/ossec/bin/ossec-maild
root     21628     1  0 Aug01 ?        00:00:00 /opt/ossec/bin/ossec-execd
ossec    21632     1  0 Aug01 ?        00:00:13 /opt/ossec/bin/ossec-analysisd
root     21636     1  0 Aug01 ?        00:00:00 /opt/ossec/bin/ossec-logcollector
ossecr   21642     1  0 Aug01 ?        00:00:00 /opt/ossec/bin/ossec-remoted
ossecr   21643     1  0 Aug01 ?        00:00:18 /opt/ossec/bin/ossec-remoted
root     21650     1  0 Aug01 ?        00:00:15 /opt/ossec/bin/ossec-syscheckd
ossec    21654     1  0 Aug01 ?        00:00:00 /opt/ossec/bin/ossec-monitord

There are two remoteds running. However, I cannot diagnose which one is the one I should kill. When I stop ossec, everything shuts off, and when I start it, they both start up. Is it safe to kill each remoted pid manually?
On Friday, August 2, 2013 11:30:57 AM UTC-4, dan (ddpbsd) wrote:
> On Fri, Aug 2, 2013 at 11:19 AM, David Blanton <[email protected]> wrote:
>>> No, but agents don't do anything with alerts so that shouldn't surprise
>>> anyone
>>
>> Where should I be looking to address this issue? I'm not seeing duplicate
>> maild pids on my server and ossec.conf is error free.
>
>> It seems that during email alerts - the original alert is sent, then the
>> duplicate alert is in 'quotations'/so it's a copy. Is this a feature built
>> into OSSEC?
>
> That doesn't sound like a feature. It also doesn't make sense. Where
> in your example are these quotations?
>
> Is there a timestamp for these log messages? Are you sure they aren't
> duplicated in the log file? Are there multiple ossec-agentd processes
> running on the agent? Multiple logcollector processes?
>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/groups/opt_out.
