The only calls in the strace to alerts.log are these:

sendto(4, "1:ossec-keepalive:--MARK--: no[;"..., 673, 0, NULL, 0) = 673

It's definitely reading it though, as it forwards the logs for a bit.

On Friday, November 7, 2014 1:00:31 PM UTC, dan (ddpbsd) wrote:
>
> On Thu, Nov 6, 2014 at 9:40 AM, Chris H <[email protected]> wrote:
> > Hi.
> >
> > I'm running on CentOS 6.6.
> >
> > I enabled debug in internal_options.conf - nothing new in the logs. strace
> > gives this at the time that it stops reading the file. It means nothing to
> > me, though.
> >
> > stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fffe60bf900) = -1 ENOENT (No such file or directory)
> > sendto(4, "1:/logs/ossec/logs/alerts/alerts"..., 641, 0, NULL, 0) = 641
> > select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout)
> > stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fffe60bf900) = -1 ENOENT (No such file or directory)
> > sendto(4, "1:/logs/ossec/logs/alerts/alerts"..., 639, 0, NULL, 0) = 639
> > select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout)
> > stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fffe60bf900) = -1 ENOENT (No such file or directory)
> > sendto(4, "1:/logs/ossec/logs/alerts/alerts"..., 634, 0, NULL, 0) = 634
> > stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fffe60c0390) = -1 ENOENT (No such file or directory)
> > sendto(4, "1:ossec-keepalive:--MARK--: no[;"..., 673, 0, NULL, 0) = 673
> > stat("/logs/ossec/logs/alerts/alerts.log", {st_mode=S_IFREG|0640, st_size=2608807647, ...}) = 0
> > stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=3661, ...}) = 0
> > open("/logs/ossec/ossec-agent/logs/ossec.log", O_WRONLY|O_CREAT|O_APPEND, 0666) = 6
> > fstat(6, {st_mode=S_IFREG|0770, st_size=6467, ...}) = 0
> > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f718bba4000
> > fstat(6, {st_mode=S_IFREG|0770, st_size=6467, ...}) = 0
> > lseek(6, 6467, SEEK_SET) = 6467
> > write(6, "2014/11/06 14:28:30 ossec-logcol"..., 123) = 123
> > close(6) = 0
> > munmap(0x7f718bba4000, 4096) = 0
> > close(5) = 0
> > munmap(0x7f718bba5000, 4096) = 0
> > select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout)
> > select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout)
> > select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout)
> > select(0, NULL, NULL, NULL, {2, 0}^C <unfinished ...>
> >
>
> I don't actually see an open of the alerts.log, or any failures (or
> I'm missing them).
>
> >
> > It seems to fail after the keepalive every time.
> >
> > On Thursday, November 6, 2014 12:53:32 PM UTC, dan (ddpbsd) wrote:
> >>
> >> On Thu, Nov 6, 2014 at 6:44 AM, Chris H <[email protected]> wrote:
> >> > Has anyone got Hybrid working?
> >> >
> >>
> >> I have agents that work and I have managers that work. So basically yes.
> >> What distro/version are you using?
> >> Can you try strace to see if that gives you more information on what's
> >> going on?
> >> Looking at the code, I think better information should be logged,
> >> maybe try turning on debug?
> >>
> >> > according to lsof, nothing else seems to be accessing the files at the
> >> > time that the agent stops processing them.
> >> >
> >> > I've figured out why it's looking at additional files/directories, it's
> >> > pulled in the shared agent config; I'd forgotten I'd configured that :)
> >> >
> >> >
> >> > On Tuesday, November 4, 2014 3:43:43 PM UTC, Chris H wrote:
> >> >>
> >> >> Hi. I've set selinux to Permissive, no difference. It sends some logs
> >> >> out, in the 2 minutes before it stops processing the file.
> >> >>
> >> >> Thanks.
> >> >>
> >> >> On Tuesday, November 4, 2014 12:56:49 PM UTC, dan (ddpbsd) wrote:
> >> >>>
> >> >>> On Mon, Nov 3, 2014 at 12:39 PM, Chris H <[email protected]> wrote:
> >> >>> > Hi. I'm trying to get a hybrid server working, and seeing some odd
> >> >>> > behaviour. I'm running 2.8.1.
> >> >>> >
> >> >>> > When the agent component starts, the logs state:
> >> >>> >
> >> >>> > 2014/11/03 17:00:24 ossec-agentd: INFO: Started (pid: 26197).
> >> >>> > 2014/11/03 17:00:24 ossec-agentd: INFO: Server IP Address: 192.168.1.1
> >> >>> > 2014/11/03 17:00:24 ossec-agentd: INFO: Trying to connect to server (192.168.1.1:1514).
> >> >>> > 2014/11/03 17:00:24 ossec-agentd: INFO: Using IPv4 for: 192.168.1.1 .
> >> >>> > 2014/11/03 17:00:24 ossec-rootcheck: Rootcheck disabled. Exiting.
> >> >>> > 2014/11/03 17:00:24 ossec-syscheckd: WARN: Rootcheck module disabled.
> >> >>> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Started (pid: 26205).
> >> >>> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> >> >>> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
> >> >>> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
> >> >>> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> >> >>> > 2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
> >> >>> > 2014/11/03 17:00:30 ossec-agentd(1210): ERROR: Queue '/queue/alerts/execq' not accessible: 'Queue not found'.
> >> >>> > 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/logs/ossec/logs/alerts/alerts.log'.
> >> >>> > 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/userhistory.log'.
> >> >>> > 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
> >> >>> > 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
> >> >>> > 2014/11/03 17:00:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/audit'.
> >> >>> > 2014/11/03 17:00:30 ossec-logcollector: INFO: Started (pid: 26201).
> >> >>> > 2014/11/03 17:00:45 ossec-agentd: INFO: Unable to connect to the active response queue (disabled).
> >> >>> > 2014/11/03 17:00:46 ossec-agentd(4102): INFO: Connected to the server (192.168.1.1:1514).
> >> >>> > 2014/11/03 17:01:30 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> >> >>> > 2014/11/03 17:01:30 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> >> >>> >
> >> >>> > I don't know why it's monitoring most of those, as the ossec.conf for
> >> >>> > the agent only specifies '/logs/ossec/logs/alerts/alerts.log'. A couple
> >> >>> > of minutes later, it stops parsing the alerts.log, with:
> >> >>> >
> >> >>> > 2014/11/03 17:02:40 ossec-logcollector(1904): INFO: File not available, ignoring it: '/logs/ossec/logs/alerts/alerts.log'.
> >> >>> >
> >> >>> > Any idea why it's stopping parsing the log file? I do have logstash
> >> >>> > consuming the logs too, and thought it might be that, but it happens
> >> >>> > even if I disable logstash. It's happening almost exactly 2 minutes
> >> >>> > after the process starts. I've tried setting the permissions on the
> >> >>> > log file to 644, too, but that makes no difference.
> >> >>> >
> >> >>>
> >> >>> Is SELinux or something blocking access to it?
> >> >>>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
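Added example, not from the thread and not OSSEC code: a small Python script that reads an strace capture like the one posted above and answers the two questions Dan asks mechanically (which syscalls name alerts.log as a filesystem argument, and which calls fail with an errno), plus one extra check that the trace makes possible: it flags any successful stat() whose st_size exceeds 2^31-1, which the stat of alerts.log above does (st_size=2608807647). Whether that number matters for this build is not established in the thread; the check only makes it visible. The embedded trace is copied from the thread's strace and trimmed; the function names and the 32-bit off_t limit constant are this example's own.

```python
"""Summarise an strace capture around one file of interest (added example)."""
import re

# Largest st_size a 32-bit off_t can hold. Assumption for this example:
# flagging files above it is a sanity check, not a diagnosis from the thread.
OFF_T_MAX_32 = 2 ** 31 - 1

# Path the thread is about.
ALERTS_LOG = "/logs/ossec/logs/alerts/alerts.log"

SYSCALL_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s*|\d+\s+)?'            # optional "strace -f" pid prefix
    r'(?P<name>\w+)\((?P<args>.*)\)\s*=\s*'
    r'(?P<ret>0x[0-9a-fA-F]+|-?\d+|\?)'         # hex first, or "0x.." parses as 0
    r'(?:\s+(?P<errno>E[A-Z]+)\s+\((?P<msg>[^)]*)\))?'
)
QUOTED_FIRST_ARG_RE = re.compile(r'^"([^"]*)"')
ST_SIZE_RE = re.compile(r'st_size=(\d+)')
STAT_CALLS = {"stat", "stat64", "lstat", "lstat64", "fstat", "fstat64", "newfstatat"}


def parse_strace_line(line):
    """Return {name, args, ret, errno} for a completed syscall line, else None.

    Lines ending in "<unfinished ...>" (as at the ^C above) do not parse.
    """
    m = SYSCALL_RE.match(line.strip())
    if not m:
        return None
    ret = m.group("ret")
    ret_val = None if ret == "?" else int(ret, 16) if ret.startswith("0x") else int(ret)
    return {"name": m.group("name"), "args": m.group("args"),
            "ret": ret_val, "errno": m.group("errno")}


def _first_arg(rec):
    """Quoted path if the first argument is a string, else the raw first token."""
    q = QUOTED_FIRST_ARG_RE.match(rec["args"])
    return q.group(1) if q else rec["args"].split(",")[0]


def calls_on_path(lines, path):
    """Syscalls whose first argument is exactly the quoted path.

    strace truncates string payloads ("..."...), so the path inside a
    sendto()/write() buffer will not match here; only filesystem calls do.
    """
    recs = (parse_strace_line(l) for l in lines)
    return [r for r in recs if r and _first_arg(r) == path]


def failed_calls(lines):
    """(name, first arg, errno) for every call that returned -1 with an errno."""
    recs = (parse_strace_line(l) for l in lines)
    return [(r["name"], _first_arg(r), r["errno"])
            for r in recs if r and r["ret"] == -1 and r["errno"]]


def oversized_stats(lines, limit=OFF_T_MAX_32):
    """(target, st_size) for successful stat-family calls whose size exceeds limit."""
    out = []
    for line in lines:
        r = parse_strace_line(line)
        if not r or r["name"] not in STAT_CALLS or r["ret"] != 0:
            continue
        m = ST_SIZE_RE.search(r["args"])
        if m and int(m.group(1)) > limit:
            out.append((_first_arg(r), int(m.group(1))))
    return out


def report(lines, path=ALERTS_LOG):
    """Bundle the three checks for one trace into a dict."""
    return {
        "calls_on_path": [(r["name"], r["ret"]) for r in calls_on_path(lines, path)],
        "failed_calls": failed_calls(lines),
        "oversized_stats": oversized_stats(lines),
    }


# Constructed sample: the thread's strace, trimmed to the lines that matter.
SAMPLE_STRACE = """\
stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fffe60bf900) = -1 ENOENT (No such file or directory)
sendto(4, "1:/logs/ossec/logs/alerts/alerts"..., 641, 0, NULL, 0) = 641
select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout)
stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fffe60c0390) = -1 ENOENT (No such file or directory)
sendto(4, "1:ossec-keepalive:--MARK--: no[;"..., 673, 0, NULL, 0) = 673
stat("/logs/ossec/logs/alerts/alerts.log", {st_mode=S_IFREG|0640, st_size=2608807647, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=3661, ...}) = 0
open("/logs/ossec/ossec-agent/logs/ossec.log", O_WRONLY|O_CREAT|O_APPEND, 0666) = 6
fstat(6, {st_mode=S_IFREG|0770, st_size=6467, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f718bba4000
write(6, "2014/11/06 14:28:30 ossec-logcol"..., 123) = 123
close(6)                                = 0
close(5)                                = 0
select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout)
select(0, NULL, NULL, NULL, {2, 0}^C <unfinished ...>
"""

if __name__ == "__main__":
    for key, value in report(SAMPLE_STRACE.splitlines()).items():
        print(f"{key}: {value}")
```

On the sample the script reports a single stat() on alerts.log, two ENOENT stats on the .wait file, and alerts.log as the one oversized stat. Because strace truncates strings to 32 bytes by default, the alerts.log path inside the sendto() payloads never matches; capture with `strace -s 256` to keep full buffers, and `-e trace=file` to reduce the trace to filesystem calls if the full capture is too noisy.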
