So here is an isolated part of the OSSEC log:

2014/01/14 18:28:31 ossec-dbd(5203): ERROR: Error executing query 'INSERT INTO data(id, server_id, user, full_log) VALUES ('39', '1', 'vagrant', 'Jan 14 18:28:27 localhost sudo:  vagrant : TTY=pts/2 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/su -') '. Error: 'MySQL server has gone away'.
2014/01/14 18:28:31 ossec-dbd(5209): INFO: Closing connection to database.
2014/01/14 18:28:31 ossec-dbd(5210): INFO: Attempting to reconnect to database.
2014/01/14 18:28:31 ossec-dbd: Connected to database 'ossec' at '127.0.0.1'.
2014/01/14 18:28:31 ossec-dbd(5204): ERROR: Database error. Unable to run query.

And here is the general query log of mysqld corresponding to that moment in time (I triggered an alert by switching a user to root):


140114 18:28:31     9 Connect   ossecuser@localhost on ossec
                    9 Query     INSERT INTO alert(id,server_id,rule_id,timestamp,location_id,src_ip,src_port,dst_ip,dst_port,alertid) VALUES ('39', '1', '5402','1389724111', '2', '0', '0', '0', '0', '1389724108.11704')
                    9 Query     INSERT INTO data(id, server_id, user, full_log) VALUES ('40', '1', '(null)', 'Jan 14 18:28:27 localhost su: pam_unix(su-l:session): session opened for user root by vagrant(uid=0)')
                    9 Query     INSERT INTO alert(id,server_id,rule_id,timestamp,location_id,src_ip,src_port,dst_ip,dst_port,alertid) VALUES ('40', '1', '5501','1389724111', '2', '0', '0', '0', '0', '1389724108.11972')


Note: the 'event 39' only has one item in the query log; event 40 has the expected two.


A select on alerts gives us:

mysql> select * from alert where id > 35;
+----+-----------+---------+------------+-------------+------------+--------+----------+----------+------------------+
| id | server_id | rule_id | timestamp  | location_id | src_ip     | dst_ip | src_port | dst_port | alertid          |
+----+-----------+---------+------------+-------------+------------+--------+----------+----------+------------------+
| 36 |         1 |    2502 | 1389723936 |           2 |          0 |      0 |        0 |        0 | 1389723933.10786 |
| 37 |         1 |   40112 | 1389723941 |           2 | 3232243969 |      0 |        0 |        0 | 1389723939.11117 |
| 38 |         1 |    5501 | 1389723941 |           2 |          0 |      0 |        0 |        0 | 1389723939.11438 |
| 39 |         1 |    5402 | 1389724111 |           2 |          0 |      0 |        0 |        0 | 1389724108.11704 |
| 40 |         1 |    5501 | 1389724111 |           2 |          0 |      0 |        0 |        0 | 1389724108.11972 |
+----+-----------+---------+------------+-------------+------------+--------+----------+----------+------------------+
5 rows in set (0.00 sec)

And we can see the alert record is there, but the 'data' record clearly failed:

mysql> select * from data where id > 35;
+----+-----------+---------+------------------------------------------------------------------------------------------------------------------------------------+---------------------+
| id | server_id | user    | full_log                                                                                                                           | timestamp           |
+----+-----------+---------+------------------------------------------------------------------------------------------------------------------------------------+---------------------+
| 36 |         1 | (null)  | Jan 14 18:25:32 localhost sshd[7251]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.33.1  | 2014-01-14 18:25:36 |
| 37 |         1 | vagrant | Jan 14 18:25:39 localhost sshd[7254]: Accepted password for vagrant from 192.168.33.1 port 57258 ssh2                              | 2014-01-14 18:25:41 |
| 38 |         1 | (null)  | Jan 14 18:25:39 localhost sshd[7254]: pam_unix(sshd:session): session opened for user vagrant by (uid=0)                           | 2014-01-14 18:25:41 |
| 40 |         1 | (null)  | Jan 14 18:28:27 localhost su: pam_unix(su-l:session): session opened for user root by vagrant(uid=0)                               | 2014-01-14 18:28:31 |
+----+-----------+---------+------------------------------------------------------------------------------------------------------------------------------------+---------------------+
4 rows in set (0.00 sec)


The general mysqld.log shows nothing unusual.

Thanks





On Tuesday, 14 January 2014 16:15:20 UTC, Lawrence Williams wrote:
>
>
> I am trying to get OSSEC 2.7.1 working with my mysql database (all on same 
> box).
>
> I've got the conf file entries:
>
>   <database_output>
>         <hostname>127.0.0.1</hostname>
>         <username>ossecuser</username>
>         <password>ossecpass</password>
>         <database>ossec</database>
>         <type>mysql</type>
>   </database_output>
>
> but after a couple of minutes I start to see problems with the db connection 
> 'gone away'. The disconnect, issue, reconnect loop then keeps on....
>
> I have seen other postings related to similar problems - but none give any 
> solution.
>
> 2014/01/14 15:58:09 ossec-dbd(5203): ERROR: Error executing query 'SELECT id FROM location WHERE name = 'localhost->/var/log/secure' AND server_id = '1' LIMIT 1'. Error: 'MySQL server has gone away'.
> 2014/01/14 15:58:09 ossec-dbd(5209): INFO: Closing connection to database.
> 2014/01/14 15:58:09 ossec-dbd(5210): INFO: Attempting to reconnect to database.
> 2014/01/14 15:58:09 ossec-dbd: Connected to database 'ossec' at '127.0.0.1'.
> 2014/01/14 16:01:00 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
> 2014/01/14 16:10:05 ossec-dbd(5203): ERROR: Error executing query 'INSERT INTO data(id, server_id, user, full_log) VALUES ('8', '1', 'vagrant', 'Jan 14 16:10:01 localhost sudo:  vagrant : TTY=pts/1 ; PWD=/mountlocaldev ; USER=root ; COMMAND=/bin/su -') '. Error: 'MySQL server has gone away'.
> 2014/01/14 16:10:05 ossec-dbd(5209): INFO: Closing connection to database.
> 2014/01/14 16:10:05 ossec-dbd(5210): INFO: Attempting to reconnect to database.
> 2014/01/14 16:10:05 ossec-dbd: Connected to database 'ossec' at '127.0.0.1'.
> 2014/01/14 16:10:05 ossec-dbd(5204): ERROR: Database error. Unable to run query.
>
>
> Any ideas?
> TIA
>
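An added check, not from this thread and not part of OSSEC, that does the same reconciliation the reply above does by hand: it pulls the failed INSERTs and their row ids out of ossec-dbd log lines, then lists alert ids that have no matching data row. The log text and the id lists are constructed from the output quoted in the message (unwrapped onto one line each).

```python
import re

# Constructed sample: the ossec-dbd lines from this thread, one log record per line.
OSSEC_LOG = """\
2014/01/14 18:28:31 ossec-dbd(5203): ERROR: Error executing query 'INSERT INTO data(id, server_id, user, full_log) VALUES ('39', '1', 'vagrant', 'Jan 14 18:28:27 localhost sudo:  vagrant : TTY=pts/2 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/su -') '. Error: 'MySQL server has gone away'.
2014/01/14 18:28:31 ossec-dbd(5209): INFO: Closing connection to database.
2014/01/14 18:28:31 ossec-dbd(5210): INFO: Attempting to reconnect to database.
2014/01/14 18:28:31 ossec-dbd: Connected to database 'ossec' at '127.0.0.1'.
2014/01/14 18:28:31 ossec-dbd(5204): ERROR: Database error. Unable to run query.
"""

# Constructed from the two SELECTs in the message: ids present in alert and in data.
ALERT_IDS = [36, 37, 38, 39, 40]
DATA_IDS = [36, 37, 38, 40]

# Message 5203 carries the whole failed query in single quotes; the greedy
# query group runs to the last "'. Error: '" so quotes inside the SQL do not matter.
QUERY_ERR = re.compile(
    r"^(?P<ts>\S+ \S+) ossec-dbd\(5203\): ERROR: Error executing query "
    r"'(?P<query>.*)'\. Error: '(?P<err>[^']*)'\.$"
)
# Table name and first VALUES item (the row id) of an INSERT as ossec-dbd writes it.
INSERT_ID = re.compile(
    r"INSERT\s+INTO\s+(?P<table>\w+)\s*\([^)]*\)\s*VALUES\s*\(\s*'(?P<id>\d+)'"
)


def failed_inserts(log_text):
    """Return (timestamp, table, row id, error) for each query ossec-dbd could not run."""
    found = []
    for line in log_text.splitlines():
        m = QUERY_ERR.match(line)
        if not m:
            continue
        q = INSERT_ID.search(m.group("query"))
        table, row_id = (q.group("table"), int(q.group("id"))) if q else (None, None)
        found.append((m.group("ts"), table, row_id, m.group("err")))
    return found


def orphaned_alerts(alert_ids, data_ids):
    """Alert rows with no data row; ossec-dbd writes one of each per event."""
    return sorted(set(alert_ids) - set(data_ids))


if __name__ == "__main__":
    for ts, table, row_id, err in failed_inserts(OSSEC_LOG):
        print(f"{ts} failed INSERT into {table} id={row_id}: {err}")
    print("alert ids without a data row:", orphaned_alerts(ALERT_IDS, DATA_IDS))
```

On real logs, feed the script the unwrapped ossec.log and the two id lists from the database; every orphaned id should line up with a failed data INSERT.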
