On Fri, Sep 13, 2013 at 11:38 AM, Leonel Algaré <[email protected]> wrote:
> Hello!
>
> Sorry for reviving this thread, but I'm having the same problem... the cdb
> list doesn't update when I make changes to the list.
>
> Is there any solution at the moment?
>

Depends on what the problem is. What steps have you taken? What is your
configuration? What are you doing to test?

>
> On Thursday, January 19, 2012 16:35:48 UTC-3, dan (ddpbsd) wrote:
>>
>> Sorry for the delay. I'm seeing the same behavior. I'll try to look at
>> it later, but between moving and the code complexity it might be
>> beyond me right now.
>>
>> On Tue, Jan 10, 2012 at 9:42 AM, Andy Jack <[email protected]> wrote:
>> > Hello Dan. ossec-makelists does report that it is making a new .cdb:
>> >
>> > * File lists/employees.cdb need to be updated
>> >
>> > The longest I was waiting was 3-5 minutes.
>> >
>> > On a related note, I was trying to figure out if there was a format for
>> > comments in the text version of the list. ossec-makelists appeared to
>> > put lines with leading '#' into the .cdb file (according to strings). I
>> > guess I could come up with a simple Makefile to manage comments though.
>> >
>> > Thanks, Andy
>> >
>> > On Mon, Jan 09, 2012 at 08:33:59PM -0500, dan (ddp) wrote:
>> >> On Mon, Jan 9, 2012 at 4:27 PM, Andy Jack <[email protected]> wrote:
>> >> > Hello list! So I'm working on a cdb list of users so there can be
>> >> > rules that differentiate when a user on the list vs. not on the
>> >> > list logs in, as described here:
>> >> >
>> >> > http://www.ossec.net/doc/manual/rules-decoders/rule-lists.html
>> >> >
>> >> > After confirming that the list is being read and the two rules are
>> >> > being alerted correctly (one for on-the-list, and the other for
>> >> > not-on-the-list), I tried modifying the text list and re-running
>> >> > bin/ossec-makelists to see if the alerts change when a user is
>> >> > taken off the list:
>> >> >
>> >> > 1) user1 and user2 are on the list, user3 is not. run
>> >> >    bin/ossec-makelists. run ossec-control start.
>> >> > 2) logging in as either user1 or user2 alerts the on-the-list rule.
>> >> >    logging in as user3 alerts the not-on-the-list rule.
>> >> > 3) modify the list, removing the line for user2. re-run
>> >> >    bin/ossec-makelists. leave ossec running as-is.
>> >> > 4) logging in as user2 alerts the on-the-list rule still.
>> >> >
>> >> > According to the URL above, updating the cdb file should invalidate
>> >> > the mmap and make the analysis daemon re-read the db from disk as
>> >> > needed, but this doesn't appear to be happening. Could I have
>> >> > something configured incorrectly? Permissions issue perhaps? Or do
>> >> > I have to wait a period of time for ossec to notice or purge a
>> >> > cache or something?
>> >> >
>> >> > root@pegasus:/var/ossec# ls -ld /var/ossec
>> >> > dr-xr-x--- 14 root ossec 4096 2012-01-09 14:13 /var/ossec
>> >> > root@pegasus:/var/ossec# ls -ld /var/ossec/lists
>> >> > drwxr-xr-x 2 root ossec 4096 2012-01-09 16:08 /var/ossec/lists
>> >> > root@pegasus:/var/ossec# ls -l /var/ossec/lists
>> >> > total 8
>> >> > -rw-r--r-- 1 root ossec 77 2012-01-09 16:08 employees
>> >> > -rw-r--r-- 1 root ossec 2345 2012-01-09 16:08 employees.cdb
>> >> >
>> >> > I just tried adding user4 to the list and remaking the cdb, and
>> >> > ossec still alerts as though user4 is not on the list. The behavior
>> >> > seems to indicate that ossec isn't re-reading the updated lists. I
>> >> > guess restarting ossec is a workaround but that's a pain for every
>> >> > list modification.
>> >> >
>> >> > Thanks,
>> >> > Andy
>> >>
>> >> I don't know the answer off hand, but how long do you wait?
>> >> Does ossec-makelists indicate that it's rebuilding the list?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
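
Andy's message in the thread notes that ossec-makelists appeared to carry lines with a leading '#' into the .cdb, and suggests managing comments outside the list. One way to do that, as an added example that is not part of the original thread: keep an annotated source file and generate the comment-free list from it before running bin/ossec-makelists. The function names and file layout are hypothetical, and the script assumes one `key:value` entry per line.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes one "key:value" entry per line
# and that a comment is a line whose first non-blank character is '#'.

# clean_list SRC
# Print SRC without comment and blank lines. Exit status is non-zero, with the
# reason on stderr, if an entry has no "key:" part or a key appears twice, so
# a malformed source never silently becomes the list that gets compiled.
clean_list() {
    awk '
        /^[ \t]*(#|$)/ { next }              # drop comments and blank lines
        {
            sub(/[ \t\r]+$/, "")             # trim trailing whitespace
            i = index($0, ":")
            if (i < 2) {
                printf "line %d: entry has no key: %s\n", NR, $0 | "cat 1>&2"
                bad = 1; next
            }
            key = substr($0, 1, i - 1)
            if (key in seen) {
                printf "line %d: duplicate key %s (first seen on line %d)\n", \
                    NR, key, seen[key] | "cat 1>&2"
                bad = 1; next
            }
            seen[key] = NR
            print
        }
        END { exit bad }
    ' "$1"
}

# publish_list SRC DEST
# Write the cleaned list to a temporary file next to DEST and rename it into
# place only if validation passed, so DEST is never left half-written.
publish_list() {
    tmp="$2.tmp.$$"
    if clean_list "$1" > "$tmp"; then
        mv "$tmp" "$2"
    else
        rm -f "$tmp"
        return 1
    fi
}
```

After `publish_list employees.src /var/ossec/lists/employees` succeeds (paths here are illustrative), run bin/ossec-makelists as in the steps above so the .cdb is rebuilt from the comment-free file.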
