The duplicate logs I mentioned are coming from agents. Taking a look at server activity, I see replication; however, the alerts are not at the *exact* same time, each pair being a few seconds apart, and the alerts are formatted slightly differently.

Here would be some examples:

1. 8/2/13 2:04:26.000 PM
   Aug 2 14:04:26 172.16.23.18 Aug 2 14:04:22 ossecserver ossec: Alert Level: 3; Rule: 5402 - Successful sudo to ROOT executed; Location: ossecserver->/var/log/secure; user: root; Aug 2 14:04:22 reston-cacti sudo: root : TTY=pts/3 ; PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ; COMMAND=/opt/ossec/bin/agent_control -l
   host=172.16.23.18 | sourcetype=ossec | source=udp:8000

2. 8/2/13 2:04:22.000 PM
   ** Alert 1375466662.97575: - syslog,sudo
   2013 Aug 02 14:04:22 ossecserver->/var/log/secure
   Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
   User: root
   Aug 2 14:04:22 ossecserver sudo: root : TTY=pts/3 ; PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ; COMMAND=/opt/ossec/bin/agent_control -l
   host=ossecserver.com | sourcetype=ossec_alerts | source=/opt/ossec/logs/alerts/alerts.log

3. 8/2/13 1:59:26.000 PM
   Aug 2 13:59:26 172.16.23.18 Aug 2 13:59:22 ossecserver ossec: Alert Level: 3; Rule: 5402 - Successful sudo to ROOT executed; Location: ossecserver->/var/log/secure; user: root; Aug 2 13:59:22 reston-cacti sudo: root : TTY=pts/3 ; PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ; COMMAND=/opt/ossec/bin/agent_control -l
   host=172.16.23.18 | sourcetype=ossec | source=udp:8000

4. 8/2/13 1:59:22.000 PM
   ** Alert 1375466362.95917: - syslog,sudo
   2013 Aug 02 13:59:22 ossecserver->/var/log/secure
   Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
   User: root
   Aug 2 13:59:22 ossecserver sudo: root : TTY=pts/3 ; PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ; COMMAND=/opt/ossec/bin/agent_control -l
   host=ossecserver.com | sourcetype=ossec_alerts | source=/opt/ossec/logs/alerts/alerts.log

The format will look a little different because they are copied from Splunk; however, the replication on the ossecserver for the server seems to be the "host=" at the bottom: one alert uses the name of the OSSEC server, the other the IP address. I'm not sure if that is relevant to diagnosis. Alerts generated from agents seem to bounce back and forth between using the IP address and the actual hostname. One set of replication will be from the IP address, the next from the hostname. This is only visible through Splunk's alerts.

From the alerts file:

2013 Aug 02 14:09:22 ossecserver->/var/log/secure
Aug 2 14:09:22 ossecserver sudo: root : TTY=pts/3 ; PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ; COMMAND=/opt/ossec/bin/agent_control -l

2013 Aug 02 14:14:22 ossecserver->/var/log/secure
Aug 2 14:14:22 ossecserver sudo: root : TTY=pts/3 ; PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ; COMMAND=/opt/ossec/bin/agent_control -l

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
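The two copies in each pair above reach Splunk by different paths (the syslog feed on udp:8000 and the alerts.log file), which is why they index a few seconds apart, carry different host values and look different. The following Python script is an added example, not from the original poster or the OSSEC project: it parses both alert formats into the same fields and keys each alert on its own timestamp, rule, location and log message, with the inner syslog hostname stripped, so the pairs can be matched whether host shows the IP or the hostname. The sample events are constructed to mirror the post's examples; their hosts, paths and timestamps are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample events modelled on the two formats quoted in the post.
# Hosts, paths and timestamps are illustrative, not the poster's actual data.
SAMPLE_EVENTS = [
    # Copy 1: OSSEC's syslog output received over UDP (sourcetype=ossec). The
    # leading "Aug  2 14:04:26 172.16.23.18" is the receiver's own header, which
    # is why this copy indexes a few seconds after the alert itself.
    ("ossec",
     "Aug  2 14:04:26 172.16.23.18 Aug  2 14:04:22 ossecserver ossec: Alert Level: 3; "
     "Rule: 5402 - Successful sudo to ROOT executed; "
     "Location: ossecserver->/var/log/secure; user: root; "
     "Aug  2 14:04:22 reston-cacti sudo: root : TTY=pts/3 ; "
     "PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ; "
     "COMMAND=/opt/ossec/bin/agent_control -l"),
    # Copy 2: the same alert as written to alerts.log (sourcetype=ossec_alerts).
    ("ossec_alerts",
     "** Alert 1375466662.97575: - syslog,sudo\n"
     "2013 Aug 02 14:04:22 ossecserver->/var/log/secure\n"
     "Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'\n"
     "User: root\n"
     "Aug  2 14:04:22 ossecserver sudo: root : TTY=pts/3 ; "
     "PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ; "
     "COMMAND=/opt/ossec/bin/agent_control -l\n"),
    # A lone syslog copy of an earlier alert: same rule and message, different
    # alert time, so it must not be grouped with the pair above.
    ("ossec",
     "Aug  2 13:59:26 172.16.23.18 Aug  2 13:59:22 ossecserver ossec: Alert Level: 3; "
     "Rule: 5402 - Successful sudo to ROOT executed; "
     "Location: ossecserver->/var/log/secure; user: root; "
     "Aug  2 13:59:22 reston-cacti sudo: root : TTY=pts/3 ; "
     "PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ; "
     "COMMAND=/opt/ossec/bin/agent_control -l"),
]

# A BSD-syslog header: "Mon  d HH:MM:SS host rest-of-line".
SYSLOG_HDR = re.compile(
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)"
)

# Body of the syslog-style alert, after its header has been removed.
SYSLOG_ALERT = re.compile(
    r"ossec: Alert Level: (?P<level>\d+); Rule: (?P<rule>\d+) - (?P<desc>.*?); "
    r"Location: (?P<location>.*?); (?:user: (?P<user>\S+); )?(?P<log>.*)"
)

# The multi-line alerts.log record.
FILE_ALERT = re.compile(
    r"\*\* Alert (?P<id>[\d.]+): .*\n"
    r"\d{4} (?P<mon>[A-Z][a-z]{2}) (?P<day>\d{2}) (?P<time>\d\d:\d\d:\d\d) (?P<location>.*)\n"
    r"Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'\n"
    r"(?:User: (?P<user>\S+)\n)?"
    r"(?P<log>.*)"
)


def parse_alert(text):
    """Parse either OSSEC alert format into one normalised dict; None if neither matches."""
    m = FILE_ALERT.match(text)
    if m:
        d = m.groupdict()
    else:
        hdr = SYSLOG_HDR.match(text)
        # The UDP receiver may have prepended its own header; peel headers until
        # the message body is reached so the alert's own timestamp is used.
        while hdr and SYSLOG_HDR.match(hdr.group("msg")):
            hdr = SYSLOG_HDR.match(hdr.group("msg"))
        body = SYSLOG_ALERT.match(hdr.group("msg")) if hdr else None
        if not body:
            return None
        d = body.groupdict()
        d.update(mon=hdr.group("mon"), day=hdr.group("day"), time=hdr.group("time"))
    # The host inside the original log line is what differs between the two
    # copies, so strip that inner header before comparing messages.
    inner = SYSLOG_HDR.match(d["log"])
    d["message"] = inner.group("msg") if inner else d["log"]
    d["when"] = f'{d["mon"]} {int(d["day"])} {d["time"]}'
    return d


def dedup_key(alert):
    """Fields that identify one alert regardless of which path delivered it."""
    return (alert["rule"], alert["location"], alert["when"], alert["message"])


def find_duplicate_groups(events):
    """events: iterable of (sourcetype, raw_text). Returns {key: [sourcetypes]}
    for every alert that arrived through more than one path."""
    groups = defaultdict(list)
    for sourcetype, raw in events:
        alert = parse_alert(raw)
        if alert is not None:
            groups[dedup_key(alert)].append(sourcetype)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for key, paths in find_duplicate_groups(SAMPLE_EVENTS).items():
        rule, location, when, message = key
        print(f"rule {rule} at {when} ({location}) seen via {paths}: {message}")
```

Running the script reports one group, delivered via both ossec and ossec_alerts, while the lone 13:59:22 event stays unmatched. Keying on the alert's own timestamp rather than the index time is what makes the few-seconds offset irrelevant; once the pairs are confirmed this way, the simpler fix is to feed the server's own alerts to Splunk through one path only.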
