On Feb 14, 2014 5:47 AM, "frwa onto" <[email protected]> wrote:
>
> Dear Dan,
> I wish I could explore further, but looking at the message, it is garbled; I can't understand how to research it further. I got another message as below. I don't get this well: "localhost useradd[20076]: failed adding user 'mysql', data deleted"? Is this another false positive?
>

The original message was a keep alive, internal to ossec. Every once in a while they slip through.

No idea about the useradd message, that looks like something you would need to investigate. Was the mysql package being installed by a legitimate admin? If yes, then the message probably isn't too important. If not, why was it being installed? It seems like a fairly straightforward investigation at this point.

> OSSEC HIDS Notification.
> 2014 Feb 14 12:26:49
>
> Received From: localhost->/var/log/messages
> Rule: 2932 fired (level 7) -> "New Yum package installed."
> Portion of the log(s):
>
> Feb 14 12:26:48 localhost yum[19925]: Installed: kernel-2.6.32-431.5.1.el6.x86_64
>
> --END OF NOTIFICATION
>
> OSSEC HIDS Notification.
> 2014 Feb 14 12:26:49
>
> Received From: localhost->/var/log/secure
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Feb 14 12:26:48 localhost useradd[20076]: failed adding user 'mysql', data deleted
>
> --END OF NOTIFICATION
>
> OSSEC HIDS Notification.
> 2014 Feb 14 12:26:51
>
> Received From: localhost->/var/log/messages
> Rule: 2933 fired (level 7) -> "Yum package updated."
> Portion of the log(s):
>
> Feb 14 12:26:50 localhost yum[19925]: Updated: mysql-server-5.1.73-3.el6_5.x86_64
>
> --END OF NOTIFICATION
>
> Regards,
> Frwa.
>
> On Friday, February 14, 2014 12:20:36 PM UTC+8, dan (ddpbsd) wrote:
>>
>> On Feb 13, 2014 11:19 PM, "frwa onto" <[email protected]> wrote:
>> >
>> > Hi All,
>> > I received this. How do I debug this?
>> >
>> > OSSEC HIDS Notification.
>> > 2014 Feb 12 03:50:01
>> >
>> > Received From: localhost->ossec-keepalive
>> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>> > Portion of the log(s):
>> >
>> > --MARK--: ZO.YkF9zgXH6)n0F!tM.n,(F/?U0m4[@0=(!wdd*1'?,Uh^#B9r,odBmc+v3bpI1U8Gz#=Y+yfzAnXg,Ax;,^7jzeE,fb)odVc&^[Im6,MbjdVT*B'%k0==49_9spF9sIUQ&K2QGi?.ZVQLE
>> >
>>
>> It's a false positive, and a thorn in our side. Ignore it. Do a search if you need more info.
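As an added example, not code from the thread or from the OSSEC project: a small Python triage helper that parses the notification format quoted above and separates the ossec-keepalive `--MARK--` false positive Dan describes from other rule 1002 "unknown problem" events such as the useradd failure, which still need a human look. The sample input is constructed from the notifications quoted in this thread; the `--MARK--` payload is truncated.

```python
import re

# Constructed sample input: two of the notifications quoted in the thread above.
SAMPLE = """OSSEC HIDS Notification.
2014 Feb 14 12:26:49

Received From: localhost->/var/log/secure
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Feb 14 12:26:48 localhost useradd[20076]: failed adding user 'mysql', data deleted

--END OF NOTIFICATION

OSSEC HIDS Notification.
2014 Feb 12 03:50:01

Received From: localhost->ossec-keepalive
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

--MARK--: ZO.YkF9zgXH6)n0F!tM.n,(F/?U0m4[@0=(!wdd*1'?,Uh^#B9r

--END OF NOTIFICATION
"""

# One notification: the "Received From" / "Rule" headers, then the log portion
# up to the --END OF NOTIFICATION marker.
HEADER = re.compile(
    r"Received From: (?P<agent>[^\n]+?)->(?P<source>[^\n]+)\n"
    r"Rule: (?P<rule>\d+) fired \(level (?P<level>\d+)\) -> \"(?P<desc>[^\"]*)\"\n"
    r"Portion of the log\(s\):\n\n(?P<log>.*?)\n\n--END OF NOTIFICATION", re.S)

def parse_notifications(text):
    """Split raw OSSEC alert mail into one dict per notification."""
    out = []
    for m in HEADER.finditer(text):
        d = m.groupdict()
        d["rule"], d["level"] = int(d["rule"]), int(d["level"])
        out.append(d)
    return out

def triage(n):
    """Label a parsed notification. Ossec's own keepalive --MARK-- lines that leak
    through rule 1002 are noise; any other 1002 hit is an unclassified event."""
    if n["source"] == "ossec-keepalive" and n["log"].startswith("--MARK--"):
        return "ignore (ossec keepalive, known false positive)"
    if n["rule"] == 1002:
        return "investigate (unclassified event: %s)" % n["log"].split(": ", 1)[-1]
    return "review (rule %d, level %d)" % (n["rule"], n["level"])
```

Run `for n in parse_notifications(SAMPLE): print(n["source"], triage(n))` to see the keepalive dropped and the useradd line flagged for investigation.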
