On Tue, Nov 26, 2013 at 9:38 AM, Gonzalo Sanchez <[email protected]> wrote:
> SELinux is not installed. I'm working with Debian 7.
>
> Checking permissions on /var/ossec/log/alerts on server A:
>
> drwxr-x--- 3 ossec ossec 4,0K nov 25 12:36 2013
> -rw-r----- 2 ossec ossec 15K nov 26 15:33 alerts.log
>
> I think everything is correct, but the problem persists.
>

The permissions appear to be correct, but I am unable to recreate the problem. You might be able to trace the process to see what's blocking the access, but that's beyond me. If the block isn't logged somewhere, I'm at a loss as to how to track it down.

>
> On Tuesday, 26 November 2013 14:05:47 UTC+1, dan (ddpbsd) wrote:
>>
>> On Mon, Nov 25, 2013 at 12:37 PM, Gonzalo Sanchez <[email protected]> wrote:
>> > Hi,
>> >
>> > I added the following lines to /var/ossec/ossec-agent/etc/ossec.conf on Server A (hybrid mode):
>> >
>> >   <localfile>
>> >     <log_format>ossecalert</log_format>
>> >     <location>/var/ossec/logs/alerts/alerts.log</location>
>> >   </localfile>
>> >
>> > And I restarted ossec with ossec-control.
>> > Right.
>> >
>> > Checking /var/ossec/logs/ossec.log on server A, I detect the following log:
>> >
>> > 2013/11/25 18:24:22 ossec-logcollector (1950): INFO: Analyzing file: '/var/ossec/logs/alerts/alerts.log'
>> >
>> > Well, at this time, the PC User's ossec events are sent to Server A, and Server A forwards them to Server B.
>> >
>> > But after a few minutes, the following log appears in /var/ossec/logs/ossec.log on Server A:
>> >
>> > 2013/11/25 18:30:53 ossec-logcollector (1904): INFO: File not available, ignoring it: '/var/ossec/logs/alerts/alerts.log'
>> >
>> > Then PC User's OSSEC events are sent to Server A, but not forwarded to Server B.
>> >
>> > It's strange because the file /var/ossec/logs/alerts/alerts.log exists on that path.
>> >
>> > Any idea?
>> >
>>
>> Check permissions. Make sure something like SELinux isn't getting in the way.
>>
>> > thanks
>> >
>> > On Monday, 25 November 2013 14:32:49 UTC+1, dan (ddpbsd) wrote:
>> >>
>> >> On Mon, Nov 25, 2013 at 8:28 AM, Gonzalo Sanchez <[email protected]> wrote:
>> >> > I don't understand you.
>> >> >
>> >> > Can you put here the configuration changes?
>> >>
>> >> Add a localfile entry for /var/ossec/logs/alerts/alerts.log. The log format should be ossecalert.
>> >>
>> >> > What files should I change?
>> >> >
>> >>
>> >> /var/ossec/ossec-agent/etc/ossec.conf (I think, I don't have a hybrid system handy at the moment)
>> >>
>> >> > /var/ossec/etc/ossec.conf or /var/ossec/ossec-agent/etc/ossec.conf ?
>> >> >
>> >>
>> >> /var/ossec/ossec-agent/etc/ossec.conf (I think, I don't have a hybrid system handy at the moment)
>> >>
>> >> > Thanks a lot
>> >> >
>> >> > On Monday, 25 November 2013 14:16:10 UTC+1, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Mon, Nov 25, 2013 at 6:56 AM, Gonzalo Sanchez <[email protected]> wrote:
>> >> >> > Hi,
>> >> >> >
>> >> >> > This is server A's configuration:
>> >> >> >
>> >> >> > /var/ossec/etc/ossec.conf
>> >> >> >
>> >> >> > <ossec_config>
>> >> >> >   <global>
>> >> >> >     <email_notification>no</email_notification>
>> >> >> >   </global>
>> >> >> >
>> >> >> >   <remote>
>> >> >> >     <connection>secure</connection>
>> >> >> >   </remote>
>> >> >> >
>> >> >> >   <rules>
>> >> >> >     <include>rules_config.xml</include>
>> >> >> >     <include>pam_rules.xml</include>
>> >> >> >     <include>sshd_rules.xml</include>
>> >> >> >     <include>telnetd_rules.xml</include>
>> >> >> >     <include>syslog_rules.xml</include>
>> >> >> >     <include>arpwatch_rules.xml</include>
>> >> >> >     <include>symantec-av_rules.xml</include>
>> >> >> >     <include>symantec-ws_rules.xml</include>
>> >> >> >     <include>pix_rules.xml</include>
>> >> >> >     <include>named_rules.xml</include>
>> >> >> >     <include>smbd_rules.xml</include>
>> >> >> >     <include>vsftpd_rules.xml</include>
>> >> >> >     <include>pure-ftpd_rules.xml</include>
>> >> >> >     <include>proftpd_rules.xml</include>
>> >> >> >     <include>ms_ftpd_rules.xml</include>
>> >> >> >     <include>ftpd_rules.xml</include>
>> >> >> >     <include>hordeimp_rules.xml</include>
>> >> >> >     <include>roundcube_rules.xml</include>
>> >> >> >     <include>wordpress_rules.xml</include>
>> >> >> >     <include>cimserver_rules.xml</include>
>> >> >> >     <include>vpopmail_rules.xml</include>
>> >> >> >     <include>vmpop3d_rules.xml</include>
>> >> >> >     <include>courier_rules.xml</include>
>> >> >> >     <include>web_rules.xml</include>
>> >> >> >     <include>web_appsec_rules.xml</include>
>> >> >> >     <include>apache_rules.xml</include>
>> >> >> >     <include>nginx_rules.xml</include>
>> >> >> >     <include>php_rules.xml</include>
>> >> >> >     <include>mysql_rules.xml</include>
>> >> >> >     <include>postgresql_rules.xml</include>
>> >> >> >     <include>ids_rules.xml</include>
>> >> >> >     <include>squid_rules.xml</include>
>> >> >> >     <include>firewall_rules.xml</include>
>> >> >> >     <include>cisco-ios_rules.xml</include>
>> >> >> >     <include>netscreenfw_rules.xml</include>
>> >> >> >     <include>sonicwall_rules.xml</include>
>> >> >> >     <include>postfix_rules.xml</include>
>> >> >> >     <include>sendmail_rules.xml</include>
>> >> >> >     <include>imapd_rules.xml</include>
>> >> >> >     <include>mailscanner_rules.xml</include>
>> >> >> >     <include>dovecot_rules.xml</include>
>> >> >> >     <include>ms-exchange_rules.xml</include>
>> >> >> >     <include>racoon_rules.xml</include>
>> >> >> >     <include>vpn_concentrator_rules.xml</include>
>> >> >> >     <include>spamd_rules.xml</include>
>> >> >> >     <include>msauth_rules.xml</include>
>> >> >> >     <include>mcafee_av_rules.xml</include>
>> >> >> >     <include>trend-osce_rules.xml</include>
>> >> >> >     <include>ms-se_rules.xml</include>
>> >> >> >     <!-- <include>policy_rules.xml</include> -->
>> >> >> >     <include>zeus_rules.xml</include>
>> >> >> >     <include>solaris_bsm_rules.xml</include>
>> >> >> >     <include>vmware_rules.xml</include>
>> >> >> >     <include>ms_dhcp_rules.xml</include>
>> >> >> >     <include>asterisk_rules.xml</include>
>> >> >> >     <include>ossec_rules.xml</include>
>> >> >> >     <include>attack_rules.xml</include>
>> >> >> >     <include>openbsd_rules.xml</include>
>> >> >> >     <include>clam_av_rules.xml</include>
>> >> >> >     <include>bro-ids_rules.xml</include>
>> >> >> >     <include>dropbear_rules.xml</include>
>> >> >> >     <include>local_rules.xml</include>
>> >> >> >   </rules>
>> >> >> >
>> >> >> >   <syscheck>
>> >> >> >     <!-- Frequency that syscheck is executed - default to every 22 hours -->
>> >> >> >     <frequency>79200</frequency>
>> >> >> >
>> >> >> >     <!-- Directories to check (perform all possible verifications) -->
>> >> >> >     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>> >> >> >     <directories check_all="yes">/bin,/sbin</directories>
>> >> >> >
>> >> >> >     <!-- Files/directories to ignore -->
>> >> >> >     <ignore>/etc/mtab</ignore>
>> >> >> >     <ignore>/etc/mnttab</ignore>
>> >> >> >     <ignore>/etc/hosts.deny</ignore>
>> >> >> >     <ignore>/etc/mail/statistics</ignore>
>> >> >> >     <ignore>/etc/random-seed</ignore>
>> >> >> >     <ignore>/etc/adjtime</ignore>
>> >> >> >     <ignore>/etc/httpd/logs</ignore>
>> >> >> >     <ignore>/etc/utmpx</ignore>
>> >> >> >     <ignore>/etc/wtmpx</ignore>
>> >> >> >     <ignore>/etc/cups/certs</ignore>
>> >> >> >     <ignore>/etc/dumpdates</ignore>
>> >> >> >     <ignore>/etc/svc/volatile</ignore>
>> >> >> >
>> >> >> >     <!-- Windows files to ignore -->
>> >> >> >     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>> >> >> >     <ignore>C:\WINDOWS/Debug</ignore>
>> >> >> >     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>> >> >> >     <ignore>C:\WINDOWS/iis6.log</ignore>
>> >> >> >     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>> >> >> >     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>> >> >> >     <ignore>C:\WINDOWS/Prefetch</ignore>
>> >> >> >     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>> >> >> >     <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>> >> >> >     <ignore>C:\WINDOWS/Temp</ignore>
>> >> >> >     <ignore>C:\WINDOWS/system32/config</ignore>
>> >> >> >     <ignore>C:\WINDOWS/system32/spool</ignore>
>> >> >> >     <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>> >> >> >   </syscheck>
>> >> >> >
>> >> >> >   <rootcheck>
>> >> >> >     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>> >> >> >     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>> >> >> >     <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
>> >> >> >     <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
>> >> >> >     <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
>> >> >> >     <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
>> >> >> >   </rootcheck>
>> >> >> >
>> >> >> >   <active-response>
>> >> >> >     <disabled>yes</disabled>
>> >> >> >   </active-response>
>> >> >> >
>> >> >> >   <alerts>
>> >> >> >     <log_alert_level>1</log_alert_level>
>> >> >> >   </alerts>
>> >> >> >
>> >> >> >   <!-- Files to monitor (localfiles) -->
>> >> >> >   <localfile>
>> >> >> >     <log_format>syslog</log_format>
>> >> >> >     <location>/var/log/messages</location>
>> >> >> >   </localfile>
>> >> >> >
>> >> >> >   <localfile>
>> >> >> >     <log_format>syslog</log_format>
>> >> >> >     <location>/var/log/auth.log</location>
>> >> >> >   </localfile>
>> >> >> >
>> >> >> >   <localfile>
>> >> >> >     <log_format>syslog</log_format>
>> >> >> >     <location>/var/log/syslog</location>
>> >> >> >   </localfile>
>> >> >> >
>> >> >> >   <localfile>
>> >> >> >     <log_format>syslog</log_format>
>> >> >> >     <location>/var/log/mail.info</location>
>> >> >> >   </localfile>
>> >> >> >
>> >> >> >   <localfile>
>> >> >> >     <log_format>full_command</log_format>
>> >> >> >     <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
>> >> >> >   </localfile>
>> >> >> >
>> >> >> >   <localfile>
>> >> >> >     <log_format>full_command</log_format>
>> >> >> >     <command>last -n 5</command>
>> >> >> >   </localfile>
>> >> >> > </ossec_config>
>> >> >> >
>> >> >>
>> >> >> I believe you need a localfile looking at /var/ossec/logs/alerts/alerts.log. Try the ossecalert format.
>> >> >>
>> >> >> >
>> >> >> > /var/ossec/ossec-agent/etc/ossec.conf
>> >> >> >
>> >> >> > <ossec_config>
>> >> >> >   <client>
>> >> >> >     <server-ip>192.168.1.211</server-ip>
>> >> >> >   </client>
>> >> >> >
>> >> >> >   <rootcheck>
>> >> >> >     <disabled>yes</disabled>
>> >> >> >   </rootcheck>
>> >> >> >
>> >> >> >   <active-response>
>> >> >> >     <disabled>yes</disabled>
>> >> >> >   </active-response>
>> >> >> >
>> >> >> >   <localfile>
>> >> >> >     <log_format>ossecalert</log_format>
>> >> >> >     <location>/var/ossec/logs/alerts/alerts.log</location>
>> >> >> >   </localfile>
>> >> >> >
>> >> >> > </ossec_config>
>> >> >> >
>> >> >> > Do you need more info?
>> >> >> >
>> >> >> > thanks a lot
>> >> >> >
>> >> >> > On Friday, 22 November 2013 14:07:47 UTC+1, dan (ddpbsd) wrote:
>> >> >> >>
>> >> >> >> On Fri, Nov 22, 2013 at 8:04 AM, Gonzalo Sanchez <[email protected]> wrote:
>> >> >> >> >
>> >> >> >> >>> I solved this problem by modifying the file /var/ossec/bin/ossec-control on Server A
>> >> >> >> >>>
>> >> >> >> >>> Right.
>> >> >> >> >>>
>> >> >> >> >
>> >> >> >> >>What did you change?
>> >> >> >> >
>> >> >> >> > On Server A, in the file /var/ossec/bin/ossec-control I modified the following lines:
>> >> >> >> >
>> >> >> >> > DAEMONS="ossec-monitord ossec-logcollector ossec-remoted ossec-syscheckd ossec-analysisd ossec-maild ossec-execd ${DB_DAEMON} ${CSYSLOG_DAEMON} ${AGENTLESS_DAEMON}"
>> >> >> >> >
>> >> >> >> > SDAEMONS="${DB_DAEMON} ${CSYSLOG_DAEMON} ${AGENTLESS_DAEMON} ossec-maild ossec-execd ossec-analysisd ossec-logcollector ossec-syscheckd ossec-monitord ossec-remoted"
>> >> >> >> >
>> >> >> >> > And in the file /var/ossec/etc/ossec.conf I added the following lines:
>> >> >> >> >
>> >> >> >> > <remote>
>> >> >> >> >   <connection>secure</connection>
>> >> >> >> > </remote>
>> >> >> >> >
>> >> >> >>
>> >> >> >> Thanks. I think I see an easy fix for this in the installation.
>> >> >> >>
>> >> >> >> >>I'm going to go out on a limb and guess that Server A isn't monitoring
>> >> >> >> >>its /var/ossec/logs/alerts/alerts.log, but it's hard to be sure
>> >> >> >> >>without any real information.
>> >> >> >> >
>> >> >> >> > What information do you need?
>> >> >> >>
>> >> >> >> Configurations, especially Server A's.
>> >> >> >>
>> >> >> >> > Can you explain how to solve the problem?
>> >> >> >> >
>> >> >> >>
>> >> >> >> Probably, but I'll have to find out exactly what it is first.
>> >> >> >>
>> >> >> >> > Thanks a lot
>> >> >> >> >
>> >> >> >> > On Friday, 22 November 2013 13:55:23 UTC+1, dan (ddpbsd) wrote:
>> >> >> >> >>
>> >> >> >> >> On Fri, Nov 22, 2013 at 7:41 AM, Gonzalo Sanchez <[email protected]> wrote:
>> >> >> >> >> > Hi all,
>> >> >> >> >> >
>> >> >> >> >> > A few days ago I installed OSSEC in Hybrid mode on a server.
>> >> >> >> >> >
>> >> >> >> >> > The scheme is as follows:
>> >> >> >> >> >
>> >> >> >> >> > PC User ---------- Server A ------------ Server B
>> >> >> >> >> >
>> >> >> >> >> > On PC User I installed OSSEC in Agent mode.
>> >> >> >> >> > On Server A I installed OSSEC in Hybrid mode.
>> >> >> >> >> > On Server B I installed OSSEC in Server mode.
>> >> >> >> >> >
>> >> >> >> >> > Right.
>> >> >> >> >> >
>> >> >> >> >> > The first thing I detected was that on Server B, Server A appears as Active. This confirms that the Agent part of Server A works.
>> >> >> >> >> >
>> >> >> >> >> > Later I detected that PC User does NOT appear as Active on Server A. This problem occurs because the ossec-remoted service does NOT start.
>> >> >> >> >> > Why?
>> >> >> >> >> > Because installing OSSEC in Hybrid mode installs OSSEC TWICE:
>> >> >> >> >> >
>> >> >> >> >> > - Agent Mode
>> >> >> >> >> > - Local Mode
>> >> >> >> >> >
>> >> >> >> >>
>> >> >> >> >> It should have installed server mode, not local.
>> >> >> >> >>
>> >> >> >> >> > In Local mode, ossec-remoted does NOT start. Therefore, no agent can connect to Server A.
>> >> >> >> >> >
>> >> >> >> >> > Right.
>> >> >> >> >> >
>> >> >> >> >> > I solved this problem by modifying the file /var/ossec/bin/ossec-control on Server A
>> >> >> >> >> >
>> >> >> >> >> > Right.
>> >> >> >> >> >
>> >> >> >> >>
>> >> >> >> >> What did you change?
>> >> >> >> >>
>> >> >> >> >> > Now, PC User appears as Active on Server A and sends events to /var/ossec/logs/alerts/alerts.log on Server A.
>> >> >> >> >> >
>> >> >> >> >> > Now the 2nd problem occurs.
>> >> >> >> >> >
>> >> >> >> >> > The events sent to Server A by PC User and stored in /var/ossec/logs/alerts.log are NOT FORWARDED to Server B.
>> >> >> >> >> >
>> >> >> >> >> > If I check the file /var/ossec/logs/alerts/alerts.logs on Server A, PC User events do NOT APPEAR; only Server A events sent by the Server A Agent appear.
>> >> >> >> >> >
>> >> >> >> >>
>> >> >> >> >> I'm going to go out on a limb and guess that Server A isn't monitoring its /var/ossec/logs/alerts/alerts.log, but it's hard to be sure without any real information.
>> >> >> >> >>
>> >> >> >> >> > Does this make sense?
>> >> >> >> >> >
>> >> >> >> >>
>> >> >> >> >> Mostly.
>> >> >> >> >>
>> >> >> >> >> > Does this have a solution?
>> >> >> >> >> >
>> >> >> >> >>
>> >> >> >> >> Probably.
>> >> >> >> >>
>> >> >> >> >> > If not, then the Hybrid mode is totally useless.
>> >> >> >> >> >
>> >> >> >> >> > Any idea?
>> >> >> >> >> >
>> >> >> >> >>
>> >> >> >> >> A few.
>> >> >> >> >>
>> >> >> >> >> > Thanks
>> >> >> >> >> >
>> >> >> >> >> > --
>> >> >> >> >> >
>> >> >> >> >> > ---
>> >> >> >> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> >> >> >> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> >> >> >> >> > For more options, visit https://groups.google.com/groups/opt_out.
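A diagnostic to go with the "check permissions" suggestion in the reply above, added here as an example and not code from the thread or from OSSEC: it pulls out of ossec.log lines the files that logcollector reported with message 1904 after a 1950, then checks, for a given uid and group set, whether any POSIX permission bit on the file or on one of its parent directories would refuse that reader. The log lines are constructed from the ones quoted above, and the uid/gids to check are an assumption passed in by the caller, since which account reads the file depends on the installation.

```python
import os
import re
import stat

# Constructed sample in the shape of the ossec.log lines quoted in the thread (not a real log).
SAMPLE_OSSEC_LOG = """\
2013/11/25 18:24:22 ossec-logcollector (1950): INFO: Analyzing file: '/var/ossec/logs/alerts/alerts.log'
2013/11/25 18:24:22 ossec-logcollector (1950): INFO: Analyzing file: '/var/log/auth.log'
2013/11/25 18:30:53 ossec-logcollector (1904): INFO: File not available, ignoring it: '/var/ossec/logs/alerts/alerts.log'
"""

# Message codes as quoted in the thread: 1950 = file opened, 1904 = logcollector gave up on it.
LOGCOLLECTOR_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-logcollector "
    r"\((?P<code>\d+)\): INFO: .*: '(?P<path>[^']+)'$"
)

def dropped_files(log_text):
    """Map path -> timestamp of the last 1904 for files logcollector is no longer reading."""
    state = {}  # last event per path wins, so a file re-opened after a 1904 is not reported
    for line in log_text.splitlines():
        m = LOGCOLLECTOR_RE.match(line)
        if m and m.group("code") in ("1950", "1904"):
            state[m.group("path")] = m.group("ts") if m.group("code") == "1904" else None
    return {path: ts for path, ts in state.items() if ts is not None}

def dac_allows(mode, file_uid, file_gid, uid, gids, want):
    """POSIX DAC check: may (uid, gids) get 'r' (read) or 'x' (search) on an object with this mode/owner?"""
    # uid 0 is treated as always allowed; MAC such as SELinux is deliberately not modelled.
    bits = {"r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
            "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)}[want]
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & bits[0])
    if file_gid in gids:
        return bool(mode & bits[1])
    return bool(mode & bits[2])

def diagnose(path, uid, gids):
    """List the DAC problems that would stop reader (uid, gids) opening path; [] means none found."""
    if not os.path.exists(path):
        return [f"{path}: does not exist"]
    problems = []
    parent = os.path.dirname(path)  # every ancestor needs search (x), which ls -l of the file hides
    while parent and parent != os.path.dirname(parent):
        st = os.stat(parent)
        if not dac_allows(st.st_mode, st.st_uid, st.st_gid, uid, gids, "x"):
            problems.append(f"{parent}: no search (x) permission for uid {uid}")
        parent = os.path.dirname(parent)
    st = os.stat(path)
    if not dac_allows(st.st_mode, st.st_uid, st.st_gid, uid, gids, "r"):
        problems.append(f"{path}: {stat.filemode(st.st_mode)} {st.st_uid}:{st.st_gid} not readable by uid {uid}")
    return problems

if __name__ == "__main__":
    uid, gids = os.getuid(), set(os.getgroups())  # run as the user that should read the file
    for path, since in dropped_files(SAMPLE_OSSEC_LOG).items():
        print(f"{path}: ignored by logcollector since {since}")
        for problem in diagnose(path, uid, gids) or ["no DAC problem found for this uid"]:
            print("  " + problem)
```

The mode and owner in the ls output quoted above (drwxr-x--- and -rw-r-----, both ossec:ossec) only admit the owner, members of group ossec, or uid 0, so a reader outside that set would be reported on the file and on the alerts directory.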
