On Thu, Feb 5, 2015 at 7:49 AM, dan (ddp) <[email protected]> wrote: > On Wed, Feb 4, 2015 at 11:29 PM, John Luko <[email protected]> wrote: >> Ok. I did a local setup and after sometime I was finally able to recreate >> the issue. Setup was as follows: >> >> server1 (server mode) --> server 2 (hybrid mode) ---> computer1 (agent only) >> >> I made a series of changes to files on computer1 and it reported those >> changes to server 2, which were reflected on server 1 (it did not show what >> the hashes were). I changed the file a bunch of times for a few minutes and >> everything was reporting just fine. It wasn't until I performed several >> sudo -i commands on server2 that it reported the following: >> >> 2015/02/04 23:16:58 ossec-logcollector(1904): INFO: File not available, >> ignoring it: '/var/ossec/logs/alerts/alerts.log'. >> >> It stayed connected for almost 20 minutes before the above happened, but in >> production environments I am getting around 4 minutes before it starts >> ignoring that alerts.log. >> >> 2015/02/04 22:53:21 ossec-agentd(4102): INFO: Connected to the server >> (192.168.1.2:1514) >> >> So, at least for now, it appears that it is related to the sudo commands >> being run. Anything else I can provide to help with troubleshooting? Also, >> is it possible for the hashes to be sent as well? >> > > I've setup test environments, I need help tracking down the bug in the code. >
I have a potential fix here: https://github.com/ossec/ossec-hids/issues/442 It needs some pretty heavy testing though. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
