On Fri, Aug 2, 2013 at 12:57 PM, David Blanton <[email protected]> wrote:
>
> What I meant by quotation was how the 2nd email was being sent to my gmail.
>
> OSSEC HIDS Notification.
> 2013 Aug 02 11:00:19
>
> Received From: (test-bnc3-reston) 172.16.23.220->/bnc2/testing/data/logs/reduce.0802
> Rule: 100042 fired (level 12) -> "FAILED 340: Efective PKZIP archive"
> Portion of the log(s):
>
> 99704-00032: P51350701B9A0017.zip 0205-2 (P51350701B9A0017.zip)
> FAILED: -340
>
> --END OF NOTIFICATION
>
>
> OSSEC HIDS <[email protected]>    Fri, Aug 2, 2013 at 11:00 AM
> To: [email protected], [email protected]
>
> OSSEC HIDS Notification.
> 2013 Aug 02 11:00:19
>
> Received From: (test-bnc3-reston) 172.16.23.220->/bnc2/testing/data/logs/reduce.0802
> Rule: 100042 fired (level 12) -> "FAILED 340: Efective PKZIP archive"
> Portion of the log(s):
>
> 99704-00032: P51350701B9A0017.zip 0205-2 (P51350701B9A0017.zip)
> FAILED: -340
>
> --END OF NOTIFICATION
>
>
> You were correct on the duplicate errors, here are the same errors duplicated
> within alerts.log:
>
> ** Alert 1375455619.51212: mail - bnc3reduce
> 2013 Aug 02 11:00:19 (test-bnc3-reston) 172.16.23.220->/bnc2/testing/data/logs/reduce.0802
> Rule: 100042 (level 12) -> 'FAILED 340: Efective PKZIP archive'
> 99704-00032: P51350701B9A0017.zip 0205-2 (P51350701B9A0017.zip)
> FAILED: -340
>
> ** Alert 1375455619.51501: mail - bnc3reduce
> 2013 Aug 02 11:00:19 (test-bnc3-reston) 172.16.23.220->/bnc2/testing/data/logs/reduce.0802
> Rule: 100042 (level 12) -> 'FAILED 340: Efective PKZIP archive'
> 99704-00032: P51350701B9A0017.zip 0205-2 (P51350701B9A0017.zip)
> FAILED: -340
>
> # ps -ef | grep ossec
> root      3181 23984  0 12:55 pts/1    00:00:00 grep ossec
> ossecm   21620     1  0 Aug01 ?        00:00:00 /opt/ossec/bin/ossec-csyslogd
> ossecm   21624     1  0 Aug01 ?        00:00:00 /opt/ossec/bin/ossec-maild
> root     21628     1  0 Aug01 ?        00:00:00 /opt/ossec/bin/ossec-execd
> ossec    21632     1  0 Aug01 ?        00:00:13 /opt/ossec/bin/ossec-analysisd
> root     21636     1  0 Aug01 ?        00:00:00 /opt/ossec/bin/ossec-logcollector
> ossecr   21642     1  0 Aug01 ?        00:00:00 /opt/ossec/bin/ossec-remoted
> ossecr   21643     1  0 Aug01 ?        00:00:18 /opt/ossec/bin/ossec-remoted
> root     21650     1  0 Aug01 ?        00:00:15 /opt/ossec/bin/ossec-syscheckd
> ossec    21654     1  0 Aug01 ?        00:00:00 /opt/ossec/bin/ossec-monitord
>
> There are two remoteds running.
>
> However I cannot diagnose which one is the one I should kill. When I stop
> ossec, everything shuts off, and when I start it, they both start up.
>
> Is it safe to kill each remoted pid manually?
>
It's possible to have multiple remoted processes depending on your
configuration. Do the logs originate on the server or an agent?

>
> On Friday, August 2, 2013 11:30:57 AM UTC-4, dan (ddpbsd) wrote:
>>
>> On Fri, Aug 2, 2013 at 11:19 AM, David Blanton <[email protected]> wrote:
>>>
>>>> No, but agents don't do anything with alerts so that shouldn't surprise
>>>> anyone
>>>
>>> Where should I be looking to address this issue? I'm not seeing duplicate
>>> maild pids on my server and ossec.conf is error free.
>>>
>>> It seems that during email alerts the original alert is sent, then the
>>> duplicate alert is in 'quotations', so it's a copy. Is this a feature built
>>> into OSSEC?
>>
>> That doesn't sound like a feature. It also doesn't make sense. Where
>> in your example are these quotations?
>>
>> Is there a timestamp for these log messages? Are you sure they aren't
>> duplicated in the log file? Are there multiple ossec-agentd processes
>> running on the agent? Multiple logcollector processes?
>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google Groups
>>> "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an
>>> email to [email protected].
>>> For more options, visit https://groups.google.com/groups/opt_out.
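The question dan raises above ("are you sure they aren't duplicated in the log file?") is the one to settle before touching any process. The script below is an added example, not part of the thread and not OSSEC's own tooling: it parses the alerts.log record layout shown in the thread (a `** Alert <epoch>.<id>:` header, a timestamp/source line, a `Rule:` line, then the matched log body up to a blank line) and reports records that are identical in every field except the alert ID, which is what a doubled alert looks like on disk. The SAMPLE text is constructed to mirror the two alerts quoted in the thread plus one unrelated alert; the field layout assumptions are stated in the comments.

```python
"""Find duplicated records in an OSSEC alerts.log.

Added example (not from the ossec-list thread or the OSSEC project). It assumes
the alerts.log layout visible in the thread: records separated by blank lines,
each starting with '** Alert <epoch>.<seq>: <flags> - <groups>', followed by
'<timestamp> (<agent>) <location>' and "Rule: <id> (level N) -> '<desc>'",
with the matched log line(s) after that.
"""
import re
from collections import defaultdict

# Constructed sample: the two alerts quoted in the thread plus one unrelated one.
SAMPLE = """\
** Alert 1375455619.51212: mail - bnc3reduce
2013 Aug 02 11:00:19 (test-bnc3-reston) 172.16.23.220->/bnc2/testing/data/logs/reduce.0802
Rule: 100042 (level 12) -> 'FAILED 340: Efective PKZIP archive'
99704-00032: P51350701B9A0017.zip 0205-2 (P51350701B9A0017.zip)
FAILED: -340

** Alert 1375455619.51501: mail - bnc3reduce
2013 Aug 02 11:00:19 (test-bnc3-reston) 172.16.23.220->/bnc2/testing/data/logs/reduce.0802
Rule: 100042 (level 12) -> 'FAILED 340: Efective PKZIP archive'
99704-00032: P51350701B9A0017.zip 0205-2 (P51350701B9A0017.zip)
FAILED: -340

** Alert 1375455700.51900: - syslog,sshd,authentication_failed,
2013 Aug 02 11:01:40 (test-bnc3-reston) 172.16.23.220->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Aug  2 11:01:40 test-bnc3-reston sshd[4242]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2
"""

HEADER = re.compile(r"^\*\* Alert (?P<epoch>\d+)\.(?P<seq>\d+): (?P<flags>.*)$")
SOURCE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]*)\) )?(?P<location>.*)$"
)
RULE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def parse_alerts(text):
    """Return one dict per '** Alert' record; records are separated by blank lines."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3:
            continue
        h, s, r = HEADER.match(lines[0]), SOURCE.match(lines[1]), RULE.match(lines[2])
        if not (h and s and r):
            continue  # not an alert record in the expected layout
        alerts.append({
            "alert_id": f"{h['epoch']}.{h['seq']}",
            "timestamp": s["ts"],
            "agent": s["agent"] or "",
            "location": s["location"],
            "rule": int(r["rule"]),
            "level": int(r["level"]),
            "log": "\n".join(lines[3:]),   # the matched log body, possibly multi-line
        })
    return alerts


def find_duplicates(alerts):
    """Group alerts on every field except the alert ID; keep groups with >1 member."""
    groups = defaultdict(list)
    for a in alerts:
        key = (a["timestamp"], a["agent"], a["location"], a["rule"], a["log"])
        groups[key].append(a["alert_id"])
    return {k: ids for k, ids in groups.items() if len(ids) > 1}


def duplicate_report(text=SAMPLE):
    """Return [(rule_id, location, [alert ids]), ...] for each duplicated alert."""
    dups = find_duplicates(parse_alerts(text))
    return [(key[3], key[2], ids) for key, ids in dups.items()]


if __name__ == "__main__":
    for rule, location, ids in duplicate_report():
        print(f"rule {rule} from {location} logged {len(ids)} times: {', '.join(ids)}")
```

Run it against a real file with `duplicate_report(open("/opt/ossec/logs/alerts/alerts.log").read())`. If the same event shows up with two alert IDs and the same timestamp, as in the thread, the duplication happened before maild ever saw it, so the place to look is whatever feeds analysisd (a second collector or forwarder on the source side), not the mailer.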
