On Wed, Feb 4, 2015 at 11:29 PM, John Luko <[email protected]> wrote:
> Ok. I did a local setup and after some time I was finally able to recreate
> the issue. Setup was as follows:
>
> server1 (server mode) --> server 2 (hybrid mode) ---> computer1 (agent only)
>
> I made a series of changes to files on computer1 and it reported those
> changes to server 2, which were reflected on server 1 (it did not show what
> the hashes were). I changed the file a bunch of times for a few minutes and
> everything was reporting just fine. It wasn't until I performed several
> sudo -i commands on server2 that it reported the following:
>
> 2015/02/04 23:16:58 ossec-logcollector(1904): INFO: File not available,
> ignoring it: '/var/ossec/logs/alerts/alerts.log'.
>
> It stayed connected for almost 20 minutes before the above happened, but in
> production environments I am getting around 4 minutes before it starts
> ignoring that alerts.log.
>
> 2015/02/04 22:53:21 ossec-agentd(4102): INFO: Connected to the server
> (192.168.1.2:1514)
>
> So, at least for now, it appears that it is related to the sudo commands
> being run. Anything else I can provide to help with troubleshooting? Also,
> is it possible for the hashes to be sent as well?
>

I've set up test environments; I need help tracking down the bug in the code.
You want what hashes to be sent when?

> Thanks!
>
>
> On Wednesday, February 4, 2015 at 12:42:12 PM UTC-5, John Luko wrote:
>>
>> I'll install it locally and see what comes up in all the logs within the
>> system. I'll report back with anything I find!
>>
>> On Wednesday, February 4, 2015 at 7:48:36 AM UTC-5, dan (ddpbsd) wrote:
>>>
>>> On Tue, Feb 3, 2015 at 11:25 AM, John Luko <[email protected]> wrote:
>>> > Any thoughts on removing hybrid mode and then setting up output to
>>> > syslog? Thus the provider still gets their OSSEC alerts how they
>>> > currently receive them, and we in turn get the same thing, but via
>>> > syslog?
>>> >
>>>
>>> If you have a syslog listener on the higher-tier manager, sure, that
>>> could work. Any help fixing the bug would be great too.
>>>
>>> > On Tuesday, February 3, 2015 at 10:56:15 AM UTC-5, dan (ddpbsd) wrote:
>>> >>
>>> >> On Tue, Feb 3, 2015 at 10:45 AM, John Luko <[email protected]> wrote:
>>> >> > Morning:
>>> >> >
>>> >> > We're receiving the following error when using hybrid mode:
>>> >> >
>>> >> > File not available, ignoring it:
>>> >> > '/var/ossec/logs/alerts/alerts.log'.
>>> >> >
>>> >> > Happens after about three minutes of being on. I know there is a bug
>>> >> > attached to this (#442 I believe); any progress on this? We're
>>> >> > running 2.7, so I don't know if upgrading to 2.8 would correct the
>>> >> > issue?
>>> >> >
>>> >>
>>> >> I don't see any updates in the issue on github. I know I wasn't able
>>> >> to figure it out, and there didn't appear to be much interest in
>>> >> fixing it.
>>> >>
>>> >> > Thanks!
>>> >> >
>>> >> > --
>>> >> >
>>> >> > ---
>>> >> > You received this message because you are subscribed to the Google
>>> >> > Groups "ossec-list" group.
>>> >> > To unsubscribe from this group and stop receiving emails from it,
>>> >> > send an email to [email protected].
>>> >> > For more options, visit https://groups.google.com/d/optout.
