On Jul 16, 2015 11:14 AM, "Legolas Klaitxu" <[email protected]> wrote:
>
> I've activated the log in mysql and maintain the IP address, not the localhost
>
> As you can see the events are inserting ok into the database
>
> 65 Query INSERT INTO data(id, server_id, user, full_log) VALUES ('69', '1', 'Tareas_C', '2015 Jul 16 17:03:18 WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Auditing: TAreasC: IND: miservidor: An account was logged off. Subject: Security ID: S-1-5-21- Account Name: Tareas_ Account Domain: IND Logon ID: 0x11f65bed4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer." 4646,1')
> 65 Query INSERT INTO alert(id,server_id,rule_id,timestamp,location_id,src_ip,src_port,dst_ip,dst_port,alertid) VALUES ('69', '1', '18149','1437058097', '6', '0', '0', '0', '0', '1437058092.4614772')
> 65 Query INSERT INTO data(id, server_id, user, full_log) VALUES ('70', '1', 'TAreasC', '2015 Jul 16 17:03:20 WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Auditing: Tareas_PROD.SVC: IND: BAE-I-WEB1D.ind.aronde.es: An account was logged off. Subject: Security ID: S-1-5-21-635382758-268241423-2897451402-2711 Account Name: Tareas_PROD.SVC Account Domain: IND Logon ID: 0x11f65c049 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer." 4646,1')
> 65 Query INSERT INTO alert(id,server_id,rule_id,timestamp,location_id,src_ip,src_port,dst_ip,dst_port,alertid) VALUES ('70', '1', '18149','1437058097', '6', '0', '0', '0', '0', '1437058096.4615492')
>
So no errors?

> In the Ossec server the problem persists
>
> 2015/07/16 16:49:59 ossec-dbd(5202): ERROR: Error connecting to database '172.16.15.154'(ossec): ERROR: Can't connect to MySQL server on '172.16.15.154' (111).
> 2015/07/16 16:51:23 ossec-dbd(5202): ERROR: Error connecting to database '172.16.15.154'(ossec): ERROR: Can't connect to MySQL server on '172.16.15.154' (111).
>

From what I see, 111 means connection is refused. MySQL has a troubleshooting page for this error code, perhaps that has the solution?

> I think sometimes it works properly but at other moments it does not :(
>
>
>
> On Thursday, July 16, 2015, 16:05:56 (UTC+2), Ryan Schulze wrote:
>>
>>
>> You redacted the IP address in the ossec logs, so I'm assuming it is something other than 127.0.0.1?
>> Because your netstat shows that mysql is only bound to 127.0.0.1.
>>
>>
>> On 7/16/2015 4:01 AM, Legolas Klaitxu wrote:
>>>
>>> Good Morning,
>>>
>>> I've started to work with ossec and, reviewing the log, I identified this error
>>>
>>> 2015/07/16 10:30:37 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
>>> 2015/07/16 10:30:50 ossec-dbd(5202): ERROR: Error connecting to database <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip address> (111).
>>> 2015/07/16 10:31:31 ossec-dbd(5202): ERROR: Error connecting to database <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip address> (111).
>>> 2015/07/16 10:32:30 ossec-dbd(5202): ERROR: Error connecting to database <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip address> (111).
>>> 2015/07/16 10:35:30 ossec-dbd(5202): ERROR: Error connecting to database <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip address> (111).
>>> 2015/07/16 10:36:21 ossec-dbd(5202): ERROR: Error connecting to database <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip address> (111).
>>> 2015/07/16 10:38:31 ossec-dbd(5202): ERROR: Error connecting to database <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip address> (111).
>>> 2015/07/16 10:38:48 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
>>> 2015/07/16 10:39:00 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
>>> 2015/07/16 10:39:13 ossec-dbd(5202): ERROR: Error connecting to database <ip address> (ossec): ERROR: Can't connect to MySQL server on <ip address> (111).
>>> 2015/07/16 10:39:20 ossec-rootcheck: INFO: Starting rootcheck scan.
>>> 2015/07/16 10:39:30 ossec-dbd(5202): ERROR: Error connecting to database <ip address> (ossec): ERROR: Can't connect to MySQL server on<ip address> (111).
>>>
>>> /var/ossec/logs/alerts# netstat -atp | grep LISTEN
>>> tcp 0 0 localhost:mysql *:* LISTEN 3324/mysqld
>>>
>>> Mysql is UP, I've updated /var/ossec/etc/internal_options.conf setting dbd.reconnect_attempts to 30 but the error persists.
>>>
>>> Any help?
>>>
>>> Regards
>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>
>>> For more options, visit https://groups.google.com/d/optout.
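
The comparison suggested in the quoted reply (the address ossec-dbd is told to connect to versus the address mysqld is bound to), written out as an added example that is not part of the original thread. The function names and verdict strings are illustrative; the sample input is copied from the ossec.log and netstat lines quoted above.

```python
import re
from collections import Counter

# Sample input: the ossec.log and `netstat -atp` lines quoted in the thread.
OSSEC_LOG = """\
2015/07/16 16:49:59 ossec-dbd(5202): ERROR: Error connecting to database '172.16.15.154'(ossec): ERROR: Can't connect to MySQL server on '172.16.15.154' (111).
2015/07/16 16:51:23 ossec-dbd(5202): ERROR: Error connecting to database '172.16.15.154'(ossec): ERROR: Can't connect to MySQL server on '172.16.15.154' (111).
"""
NETSTAT = "tcp 0 0 localhost:mysql *:* LISTEN 3324/mysqld\n"

ECONNREFUSED = 111  # Linux errno shown in parentheses at the end of the error
LOOPBACK = {"127.0.0.1", "::1"}
WILDCARD = {"*", "0.0.0.0", "::"}
DBD_ERR = re.compile(r"ossec-dbd\(5202\): ERROR: Error connecting to database "
                     r"'([^']+)'\(\w+\): .*\((\d+)\)\.")

def norm(addr):
    """Treat the name netstat prints for loopback as its IPv4 address."""
    return "127.0.0.1" if addr == "localhost" else addr

def dbd_failures(log_text):
    """Count ossec-dbd connection errors per (target host, errno)."""
    hits = (DBD_ERR.search(line) for line in log_text.splitlines())
    return Counter((norm(m.group(1)), int(m.group(2))) for m in hits if m)

def mysql_binds(netstat_text):
    """Return the local addresses mysqld is listening on."""
    binds = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[5] == "LISTEN" and f[6].endswith("/mysqld"):
            binds.add(norm(f[3].rsplit(":", 1)[0]))
    return binds

def diagnose(log_text, netstat_text):
    """Return (host, error count, verdict) for each failing target."""
    binds, findings = mysql_binds(netstat_text), []
    for (host, code), count in sorted(dbd_failures(log_text).items()):
        if code != ECONNREFUSED:
            verdict = "other-error"
        elif not binds:
            verdict = "mysqld-not-listening"
        elif binds & WILDCARD or host in binds:
            verdict = "listening-check-firewall"
        elif binds <= LOOPBACK:
            verdict = "bound-to-loopback-only"
        else:
            verdict = "bound-to-other-address"
        findings.append((host, count, verdict))
    return findings

if __name__ == "__main__":
    print(diagnose(OSSEC_LOG, NETSTAT))
```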
