I've activated the log in MySQL and maintained the IP address, not localhost.
As you can see, the events are being inserted OK into the database:
65 Query INSERT INTO data(id, server_id, user, full_log) VALUES ('69',
'1', 'Tareas_C', '2015 Jul 16 17:03:18 WinEvtLog: Security:
AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Auditing: TAreasC: IND:
miservidor: An account was logged off. Subject: Security ID: S-1-5-21-
Account Name: Tareas_ Account Domain: IND Logon ID: 0x11f65bed4 Logon
Type: 3 This event is generated when a logon session is destroyed. It
may be positively correlated with a logon event using the Logon ID value.
Logon IDs are only unique between reboots on the same computer." 4646,1')
65 Query INSERT INTO
alert(id,server_id,rule_id,timestamp,location_id,src_ip,src_port,dst_ip,dst_port,alertid)
VALUES ('69', '1', '18149','1437058097', '6', '0', '0', '0', '0',
'1437058092.4614772')
65 Query INSERT INTO data(id, server_id, user,
full_log) VALUES ('70', '1', 'TAreasC', '2015 Jul 16 17:03:20 WinEvtLog:
Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Auditing:
Tareas_PROD.SVC: IND: BAE-I-WEB1D.ind.aronde.es: An account was logged off.
Subject: Security ID: S-1-5-21-635382758-268241423-2897451402-2711
Account Name: Tareas_PROD.SVC Account Domain: IND Logon ID:
0x11f65c049 Logon Type: 3 This event is generated when a logon session
is destroyed. It may be positively correlated with a logon event using the
Logon ID value. Logon IDs are only unique between reboots on the same
computer." 4646,1')
65 Query INSERT INTO
alert(id,server_id,rule_id,timestamp,location_id,src_ip,src_port,dst_ip,dst_port,alertid)
VALUES ('70', '1', '18149','1437058097', '6', '0', '0', '0', '0',
'1437058096.4615492')
On the OSSEC server the problem persists:
2015/07/16 16:49:59 ossec-dbd(5202): ERROR: Error connecting to database
'172.16.15.154'(ossec): ERROR: Can't connect to MySQL server on
'172.16.15.154' (111).
2015/07/16 16:51:23 ossec-dbd(5202): ERROR: Error connecting to database
'172.16.15.154'(ossec): ERROR: Can't connect to MySQL server on
'172.16.15.154' (111).
I think sometimes it works properly but at other moments it doesn't :(
On Thursday, 16 July 2015, 16:05:56 (UTC+2), Ryan Schulze wrote:
>
> You redacted the IP address in the ossec logs, so I'm assuming it is
> something other than 127.0.0.1?
> Because your netstat shows that mysql is only bound to 127.0.0.1.
>
>
> On 7/16/2015 4:01 AM, Legolas Klaitxu wrote:
>
> Good Morning,
>
> I've started to work with OSSEC and, reviewing the log, I identified this
> error:
>
> 2015/07/16 10:30:37 ossec-syscheckd: INFO: Starting syscheck database
> (pre-scan).
> 2015/07/16 10:30:50 ossec-dbd(5202): ERROR: Error connecting to database
> <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip address>
> (111).
> 2015/07/16 10:31:31 ossec-dbd(5202): ERROR: Error connecting to database
> <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip address>
> (111).
> 2015/07/16 10:32:30 ossec-dbd(5202): ERROR: Error connecting to database
> <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip address>
> (111).
> 2015/07/16 10:35:30 ossec-dbd(5202): ERROR: Error connecting to database
> <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip
> address> (111).
> 2015/07/16 10:36:21 ossec-dbd(5202): ERROR: Error connecting to database
> <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip address>
> (111).
> 2015/07/16 10:38:31 ossec-dbd(5202): ERROR: Error connecting to database
> <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip address>
> (111).
> 2015/07/16 10:38:48 ossec-syscheckd: INFO: Finished creating syscheck
> database (pre-scan completed).
> 2015/07/16 10:39:00 ossec-syscheckd: INFO: Ending syscheck scan
> (forwarding database).
> 2015/07/16 10:39:13 ossec-dbd(5202): ERROR: Error connecting to database
> <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip address>
> (111).
> 2015/07/16 10:39:20 ossec-rootcheck: INFO: Starting rootcheck scan.
> 2015/07/16 10:39:30 ossec-dbd(5202): ERROR: Error connecting to database
> <ip address> (ossec): ERROR: Can't connect to MySQL server on<ip address>
> (111).
>
> /var/ossec/logs/alerts# netstat -atp | grep LISTEN
> tcp 0 0 localhost:mysql *:* LISTEN 3324/mysqld
>
> MySQL is up. I've updated /var/ossec/etc/internal_options.conf, setting
> dbd.reconnect_attempts to 30, but the error persists.
>
> any help?
>
> regards
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
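
Added example (not part of the original thread and not OSSEC code): a Python check for the mismatch raised in the reply above, comparing the host that ossec-dbd is refused on (error 111, connection refused on Linux) with the addresses on which MySQL is listening. The sample inputs are the thread's log and netstat lines joined back onto single lines; the function names are hypothetical, and the netstat output is assumed to come from the MySQL host.

```python
import re

# Constructed sample input: the thread's wrapped lines joined onto one line each.
SAMPLE_LOG = (
    "2015/07/16 16:49:59 ossec-dbd(5202): ERROR: Error connecting to database "
    "'172.16.15.154'(ossec): ERROR: Can't connect to MySQL server on "
    "'172.16.15.154' (111).\n"
    "2015/07/16 10:39:20 ossec-rootcheck: INFO: Starting rootcheck scan.\n"
)
SAMPLE_NETSTAT = "tcp 0 0 localhost:mysql *:* LISTEN 3324/mysqld\n"

DBD_ERROR = re.compile(
    r"ossec-dbd\(5202\): ERROR: Error connecting to database\s+'?([^'\s(]+)'?"
    r".*?Can't connect to MySQL server on\s*'?[^'\s(]+'?\s*\((\d+)\)"
)
ECONNREFUSED = 111                      # Linux errno for "connection refused"
MYSQL_PORTS = {"mysql", "3306"}         # netstat prints the service name without -n
WILDCARD = {"*", "0.0.0.0", "::", "[::]"}


def dbd_failures(log_text):
    """Return the distinct (host, errno) pairs from ossec-dbd 5202 errors."""
    return sorted({(m.group(1), int(m.group(2)))
                   for m in DBD_ERROR.finditer(log_text)})


def mysql_listeners(netstat_text):
    """Return the local addresses on which a MySQL port is in LISTEN state."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[5] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if port in MYSQL_PORTS:
            found.add(addr)
    return found


def is_loopback(addr):
    return addr in {"localhost", "::1", "[::1]"} or addr.startswith("127.")


def diagnose(log_text, netstat_text):
    """Label each refused target with what the socket list says about it."""
    listeners = mysql_listeners(netstat_text)
    findings = []
    for host, errno in dbd_failures(log_text):
        if errno != ECONNREFUSED:
            verdict = "other-error"
        elif not listeners:
            verdict = "mysql-not-listening"
        elif (listeners & WILDCARD or host in listeners
              or (is_loopback(host) and any(map(is_loopback, listeners)))):
            verdict = "listener-present"
        elif all(map(is_loopback, listeners)):
            verdict = "bound-to-loopback-only"
        else:
            verdict = "bound-to-other-address"
        findings.append((host, verdict))
    return findings
```
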