On Fri, Aug 2, 2013 at 2:19 PM, David Blanton
<[email protected]> wrote:
>
> The duplicate logs I mentioned are coming from agents.
>
> Taking a look at server activity, I see replication, however, the alerts are 
> not the *exact* same time, each pair being a few seconds apart and the alerts 
> are formatted slightly differently.
>
> Here would be some examples:
>
> 8/2/13
> 2:04:26.000 PM
>
> Aug  2 14:04:26 172.16.23.18 Aug  2 14:04:22 ossecserver ossec: Alert Level: 
> 3; Rule: 5402 - Successful sudo to ROOT executed; Location: 
> ossecserver->/var/log/secure; user: root; Aug  2 14:04:22 reston-cacti sudo:  
>    root : TTY=pts/3 ; PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ; 
> COMMAND=/opt/ossec/bin/agent_control -l
>
> host=172.16.23.18   Options|
> sourcetype=ossec   Options|
> source=udp:8000   Options
>
> 2 » 8/2/13
> 2:04:22.000 PM
>
> ** Alert 1375466662.97575: - syslog,sudo
> 2013 Aug 02 14:04:22 ossecserver->/var/log/secure
> Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
> User: root
> Aug  2 14:04:22 ossecserver sudo:     root : TTY=pts/3 ; 
> PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ; 
> COMMAND=/opt/ossec/bin/agent_control -l
>
> host=ossecserver.com   Options|
> sourcetype=ossec_alerts   Options|
> source=/opt/ossec/logs/alerts/alerts.log   Options
>
> 3 » 8/2/13
> 1:59:26.000 PM
>
> Aug  2 13:59:26 172.16.23.18 Aug  2 13:59:22 ossecserver ossec: Alert Level: 
> 3; Rule: 5402 - Successful sudo to ROOT executed; Location: 
> ossecserver->/var/log/secure; user: root; Aug  2 13:59:22 reston-cacti sudo:  
>    root : TTY=pts/3 ; PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ; 
> COMMAND=/opt/ossec/bin/agent_control -l
>
> host=172.16.23.18   Options|
> sourcetype=ossec   Options|
> source=udp:8000   Options
>
> 4 » 8/2/13
> 1:59:22.000 PM
>
> ** Alert 1375466362.95917: - syslog,sudo
> 2013 Aug 02 13:59:22 ossecserver->/var/log/secure
> Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
> User: root
> Aug  2 13:59:22 ossecserver sudo:     root : TTY=pts/3 ; 
> PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ; 
> COMMAND=/opt/ossec/bin/agent_control -l
>
> host=ossecserver.com   Options|
> sourcetype=ossec_alerts   Options|
> source=/opt/ossec/logs/alerts/alerts.log   Options
>
> The format will look a little different because they are copied from splunk, 
> however the replication on the ossecserver for the server seems to be the 
> "host=" at the bottom; one alert uses the name of the ossec server, the other 
> the ip address.  I'm not sure if that is relevant to diagnosis.
>
> Alerts generated from agents, seem to bounce back and forth between using the 
> ip address and the actual hostname. One set of replication will be from the 
> ip address, the next from the hostname. This is only visible through Splunk's 
> alerts. From the alerts file:
>
> 2013 Aug 02 14:09:22 ossecserver->/var/log/secure
> Aug  2 14:09:22 ossecserver sudo:     root : TTY=pts/3 ; 
> PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ; 
> COMMAND=/opt/ossec/bin/agent_control -l
> 2013 Aug 02 14:14:22 ossecserver->/var/log/secure
> Aug  2 14:14:22 ossecserver sudo:     root : TTY=pts/3 ; 
> PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ; 
> COMMAND=/opt/ossec/bin/agent_control -l
>


These log messages have different timestamps. I'm unconvinced they are
the same event.

Are the log messages also being sent to the server via syslog? Are the
log files configured twice in the agent's localfile configurations? If
you turn the logall option on for the server, are there 2 instances of
the log messages in archives.log?

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
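The checks asked for in the reply can be partly automated. The following is an added example, not code from the thread or from the OSSEC project. It parses the two forms in which Splunk sees an alert in the quoted records, the line the OSSEC server forwards via its syslog output and the corresponding alerts.log entry, keys each record on the alert's own timestamp, rule id, location and the log payload after the syslog host field (the forwarded copy carries reston-cacti where alerts.log carries ossecserver, so a byte-for-byte comparison would miss the pair), and reports every key that arrived from more than one source. A second function answers the localfile question by listing <localfile> locations that an ossec.conf declares more than once. The sample records are constructed from the lines quoted above; the source labels udp:8000 and alerts.log, the conf fragment and the function names are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample input, copied from the records quoted in the thread:
# two alerts as Splunk received them from the OSSEC server's syslog output
# and the same two alerts as they appear in alerts.log.
SYSLOG_LINES = """\
Aug  2 14:04:26 172.16.23.18 Aug  2 14:04:22 ossecserver ossec: Alert Level: 3; Rule: 5402 - Successful sudo to ROOT executed; Location: ossecserver->/var/log/secure; user: root; Aug  2 14:04:22 reston-cacti sudo:     root : TTY=pts/3 ; PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ; COMMAND=/opt/ossec/bin/agent_control -l
Aug  2 13:59:26 172.16.23.18 Aug  2 13:59:22 ossecserver ossec: Alert Level: 3; Rule: 5402 - Successful sudo to ROOT executed; Location: ossecserver->/var/log/secure; user: root; Aug  2 13:59:22 reston-cacti sudo:     root : TTY=pts/3 ; PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ; COMMAND=/opt/ossec/bin/agent_control -l
"""

ALERTS_LOG = """\
** Alert 1375466662.97575: - syslog,sudo
2013 Aug 02 14:04:22 ossecserver->/var/log/secure
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
User: root
Aug  2 14:04:22 ossecserver sudo:     root : TTY=pts/3 ; PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ; COMMAND=/opt/ossec/bin/agent_control -l

** Alert 1375466362.95917: - syslog,sudo
2013 Aug 02 13:59:22 ossecserver->/var/log/secure
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
User: root
Aug  2 13:59:22 ossecserver sudo:     root : TTY=pts/3 ; PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ; COMMAND=/opt/ossec/bin/agent_control -l
"""

# Assumed ossec.conf fragment with /var/log/secure declared twice (ossec.conf
# may contain several <ossec_config> roots, which is handled below).
SAMPLE_CONF = """\
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>
</ossec_config>
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</ossec_config>
"""

# Forwarded form: receive time and sender prepended by syslog, then the
# server's own timestamp and the "ossec: Alert Level: ..." fields.
SYSLOG_RE = re.compile(
    r"^(?P<recv>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<sender>\S+) "
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ ossec: "
    r"Alert Level: (?P<level>\d+); Rule: (?P<rule>\d+) - (?P<desc>.*?); "
    r"Location: (?P<loc>.*?); (?:user: (?P<user>\S+); )?(?:srcip: (?P<srcip>\S+); )?"
    r"(?P<log>.*)$"
)

# alerts.log form: one blank-line-separated block per alert; Src IP and User
# lines are optional and the original log may span several lines.
ALERT_RE = re.compile(
    r"^\*\* Alert (?P<id>\d+\.\d+): [^\n]*\n"
    r"(?P<year>\d{4}) (?P<ts>[A-Z][a-z]{2} \d\d \d\d:\d\d:\d\d) (?P<loc>[^\n]*)\n"
    r"Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>[^\n]*)'\n"
    r"(?:Src IP: (?P<srcip>\S+)\n)?(?:User: (?P<user>\S+)\n)?"
    r"(?P<log>.*)",
    re.DOTALL,
)

# Syslog header of the original log line: timestamp and host, then payload.
HEADER_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ (?P<payload>.*)$", re.DOTALL)


def parse_syslog(text, source="udp:8000"):
    """Parse forwarded alert lines; unparseable lines are skipped."""
    recs = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["source"] = source
            recs.append(d)
    return recs


def parse_alerts_log(text, source="alerts.log"):
    """Parse alerts.log blocks into the same field names as parse_syslog."""
    recs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        m = ALERT_RE.match(block)
        if m:
            d = m.groupdict()
            d["source"] = source
            recs.append(d)
    return recs


def norm_ts(ts):
    """'Aug  2 14:04:22' and 'Aug 02 14:04:22' both become ('Aug', 2, '14:04:22')."""
    mon, day, hms = ts.split()
    return (mon, int(day), hms)


def norm_log(log):
    """Drop the syslog timestamp and host from the original log line and
    collapse whitespace, so differing host names do not hide a match."""
    m = HEADER_RE.match(log.strip())
    payload = m.group("payload") if m else log
    return " ".join(payload.split())


def event_key(rec):
    return (norm_ts(rec["ts"]), rec["rule"], rec["loc"], norm_log(rec["log"]))


def find_duplicates(records):
    """Group records by alert time, rule, location and payload; return the
    keys seen more than once, with the sources each copy came from."""
    by_key = defaultdict(list)
    for r in records:
        by_key[event_key(r)].append(r["source"])
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


def duplicate_localfiles(ossec_conf):
    """Return <localfile> locations declared more than once in an ossec.conf."""
    root = ET.fromstring("<root>" + ossec_conf + "</root>")
    seen = defaultdict(int)
    for lf in root.iter("localfile"):
        loc = lf.findtext("location")
        if loc:
            seen[loc.strip()] += 1
    return sorted(loc for loc, n in seen.items() if n > 1)


if __name__ == "__main__":
    recs = parse_syslog(SYSLOG_LINES) + parse_alerts_log(ALERTS_LOG)
    for key, sources in find_duplicates(recs).items():
        print("same alert from", sources, ":", key[0], "rule", key[1], key[2])
    print("localfile declared twice:", duplicate_localfiles(SAMPLE_CONF))
```

On the records quoted in the thread the pairing succeeds only because the key uses the server's own alert timestamp (14:04:22 in both copies) rather than the outer syslog receive time (14:04:26), which is the difference between the two Splunk timestamps. To run this against a live setup, feed the Splunk export of sourcetype=ossec into parse_syslog and /opt/ossec/logs/alerts/alerts.log into parse_alerts_log; a key that appears twice from the same source instead points at the agent side, which is what the localfile check covers.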